Manual zone file modification breaks IXFR
For the IETF 101 Hackathon, I set up a Knot DNS master and slave. I checked out the branch 2.6, and tried to do a simple IXFR. The master zone has dnssec-signing enabled. I change the zonefile (update MX records) do a zone-reload and see an IXFR.
$ ./src/knotc -c mixfr-server/master1.conf zone-reload mixfr.nlOnly the IXFR only includes the SOA records and the RRSIG records, not the MX records. See attached pcap. ixfr-bad.pcapngmaster1.logslave1.logmaster1.confslave1.confmixfr.nl.zone
Activity
Steps to reproduce:
- start master with attached config
- let master sign the zone
- stop master
- edit zone file and change priority of an MX record
- start master
- ask for IXFR using latest serial before the change
This is reproducible using plain dig, so it is seems to be unrelated to slave.
It works when we change records on-line using
knotc.
@pspacek unfortunately so far I was not able to reproduce this bug. What happens on my machine:
- I start knot with the attached zonefile with SOA 2018010113, signing is succesful and the new SOA is 2018010114.
- I stop knot and manually change an MX record and change SOA to 2018010115.
- I start knot again, it gives the following expected log:
2018-03-18T12:12:39 warning: [mixfr.nl.] journal, discontinuity in changes history (2018010114 -> 2018010115), dropping older changesets- I query using dig for ixfr with SOA 2018010114. The server then falls back to AXFR on this query, which is the expected behaviour.
Any idea what am I doing differently than you in your reproduction steps?
@mkarpilovskij What is different at least is you stop knot and start it after the change. In Petr's seetup, knot keeps running.
@pspacek I think so. I hesitated to ask you that :-)
@matje also with
zonefile-load: difference?Ok, we will verify that anyway. Btw, this option is disabled intentionally by default, as in other cases (e.g. big zone files) zone difference computation could be undesirable. I think that also Bind requires ixfr-from-differences setting.
Edited by Daniel Salzmanadded discussion knot labels
-
I have verified Knot's behaviour with the supplied configuration in several scenarios, including with/without DNSSEC, setting zonefile-load and updating/not updating the serial manually. The only case where the described problem appears is when the zonefile is edited manually but the serial is not increased manually, which is to be expected. Since there does not seem to be any problem otherwise, I am closing this issue.
@matje if
zonefile-load: differenceis not set, the server doesn't know whether the zone file was changed, so you cannot log an error! There is no universal setting. It's a general problem with manual zone file modification, as the server doesn't have full control over it. We will add a note to the documentation that the user should consider settingzonefile-load: differenceifdnssec-signingis enabled. Also we cannot set this combination automatically, since zone file usage can be disabled at all.Ok, what about configuration check which would disallow
dnssec-sinign: onwithzonefile-load: whole? @lpeltan
@dsalzman : brilliant idea.
mentioned in commit 4fbcaf75
