Knot doesn’t delete zonefile after de-catalog member zone
After de-catalog member zone there is a message „zone purged“ in logfile, but even if zonefile-sync is default or explicitly set to 0, zonefile is not deleted.
After readd member to catalog, the old zonefile is loaded with old serial. We've noticed it in Knot 3.1.8, but probbably older version are affected too.
Child items
0No child items are currently assigned. Use child items to break down this issue into smaller parts.
When this merge request is accepted, this issue will be closed automatically.
Activity
Hello @velechac, I'm unable to reproduce your problem, both in a master and in a slave. When a member zone is de-cataloged, it's zonefile is always removed. Can't you have a conflict with zonefile ownership or permissions?
Hi, all directories under
/var/lib/knot/are owned by userknot. All zone files are generated by Knot based on catalog membership.I hope we didn't miss any config option. We can reproduce this problem both on the master and on the slave. Our environment is
knot 3.1.8-cznic.1~focal knot-dnsutils 3.1.8-cznic.1~focal knot-module-geoip:amd64 3.1.8-cznic.1~focal libdnssec8:amd64 3.1.8-cznic.1~focal libknot12:amd64 3.1.8-cznic.1~focal libzscanner4:amd64 3.1.8-cznic.1~focal python3-libknot 3.1.8-cznic.1~focalConfig on master:
template: - id: catalog storage: /var/lib/knot/zones/catalog zonefile-load: difference - id: prod-public-signed master: prod-backend storage: /var/lib/knot/zones/prod-public zonefile-load: difference semantic-checks: True notify: ["public1", "public2", "public3"] module: mod-stats dnssec-signing: True dnssec-policy: akm serial-policy: unixtime [...] zone: - domain: prod-public.catalog template: catalog catalog-role: interpret catalog-template: ["prod-public-signed", "prod-public"] notify: ["public1", "public2", "public3"]Config on slave:
template: - id: catalog storage: /var/lib/knot/zones/catalog zonefile-load: difference master: ["hm1", "hm2", "hm3"] - id: prod-public master: ["hm1", "hm2", "hm3"] storage: /var/lib/knot/zones/prod-public zonefile-load: difference semantic-checks: True module: mod-stats [...] zone: - domain: prod-public.catalog template: catalog catalog-role: interpret catalog-template: prod-publicThere is a notice in log file
2022-06-24T11:43:17+0200 notice: [example.com.] zone purgedbut zone file still exists even if Knot is restarted.
-rw-rw---- 1 knot knot 2.7K Jun 23 14:30 /var/lib/knot/zones/prod-public/example.com.zone@velechac are you able to test the upcoming 3.2 version from this repository https://launchpad.net/~cz.nic-labs/+archive/ubuntu/knot-dns-master ? This version contains some logging improvements, so it should help with the problem debugging.
Unfortunately no progress with 3.2 on Focal. I have tried to install Knot 3.1.8 on Bullseye and there is the same problem.
We don't use apparmor.
During the test I purged manually all zone files and restarted Knot. Knot bootstrapped all of zones and after that I removed some of them from catalog.
OT: Please add directive
LogsDirectory=knotin your systemd service for Knot 3.2. Due toTemporaryFileSystem=/run:ro /var:rowe cannot use log file under/var/log/knot.error: failed to open log, file '/var/log/knot/knot.log' (not exists)Edited by velechac@velechac FYI we know what is wrong. The default zone template is used instead of the catalog-template. We have to find a reasonable fix.
mentioned in merge request !1469 (merged)
mentioned in commit 7464da55
mentioned in commit 57580f4a
closed via merge request !1469 (merged)
@velechac I have backported the fix to 3.1 (https://gitlab.nic.cz/knot/knot-dns/-/commits/3.1). Do you want a package for testing?
