Bind Error Explanation – What Does This Bind Error Mean on Linux?

bind, dnssec, linux

Background

I'm trying to set up a recursive DNSSEC server with the dnssec-lookaside option, following this guide.

Error Message

root@dnssec:/home/jose# systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Sun 2020-01-19 18:54:09 UTC; 1s ago
     Docs: man:named(8)
  Process: 1617 ExecStart=/usr/sbin/named -f $OPTIONS (code=killed, signal=ABRT)
 Main PID: 1617 (code=killed, signal=ABRT)

ene 19 18:54:09 dnssec named[1617]: #2 0x7f3fa9fd125e in ??
ene 19 18:54:09 dnssec named[1617]: #3 0x561ca9e89856 in ??
ene 19 18:54:09 dnssec named[1617]: #4 0x561ca9ecbc00 in ??
ene 19 18:54:09 dnssec named[1617]: #5 0x561ca9ecd343 in ??
ene 19 18:54:09 dnssec named[1617]: #6 0x7f3fa9b6fd99 in ??
ene 19 18:54:09 dnssec named[1617]: #7 0x7f3fa90e86db in ??
ene 19 18:54:09 dnssec named[1617]: #8 0x7f3fa881c88f in ??
ene 19 18:54:09 dnssec named[1617]: exiting (due to assertion failure)
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Failed with result 'signal'.

Bind configuration:

named.conf

root@dnssec:/home/jose# cat /etc/bind/named.conf

include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.options.dnssec";


zone "wetlands.cam"{
        type master;
        file "/etc/bind/db.wetlands.cam";
};

zone "30.20.10.in-addr.arpa"{
        type master;
        file "/etc/bind/db.30.20.10";
};

named.conf.options

root@dnssec:/home/jose# cat /etc/bind/named.conf.options
acl homeLab {
        10.20.30.0/24;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { homeLab; };

        forwarders {
                10.20.30.1;
                8.8.8.8;
                8.8.4.4;
        };


        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside "." trust-anchor auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };

        dnssec-lookaside auto;

};

named.conf.options also includes logging as explained in this post, but no log file contains information about the error, so I omitted it for readability.

named.conf.dnssec

root@dnssec:/home/jose# cat /etc/bind/named.conf.options.dnssec
trusted-keys{
"." 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";

"cat." 257 3 10
"AwEAAYA2JNjCp4vwA2YjEASi2AyxNSCB8RwAJveS44fCrcOsy3ejVzH4 s1bVKolZdObVAcZcjFd1uusnIZ6SRVpRxs2G9nflbYgCZ1oihfwPuuVE HExUDzu8nFEkivKTL4RBOT6EYNYgbVwG7JVRaCKU8/g1YR+by1cfTAl6 0SgdyMGapN3JlBcYBq9P3bMX0beYWdxTa+NSasAauLemmp84RJwBWtX3 YhAyF3LrCapSfLVkgakNb+kuUbQngnX1ABdioYD5BvFO3TjslwuFy+FU GH8HGaI2F4kwXfpIukUfjhGTnXihG1n1cI3Noy0wOL/twxy9SB66GbxT rNOnoXftnzk=";

"org." 257 3 7
"AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5 T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=";

"dlv.isc.org." 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";

};

journalctl output

ene 19 18:54:09 dnssec systemd[1]: Started BIND Domain Name Server.
ene 19 18:54:09 dnssec named[1617]: starting BIND 9.11.3-1ubuntu1.11-Ubuntu (Extended Support Version) <id:a375815>
ene 19 18:54:09 dnssec named[1617]: running on Linux x86_64 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019
ene 19 18:54:09 dnssec named[1617]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexec
ene 19 18:54:09 dnssec named[1617]: running as: named -f -u bind
ene 19 18:54:09 dnssec named[1617]: ----------------------------------------------------
ene 19 18:54:09 dnssec named[1617]: BIND 9 is maintained by Internet Systems Consortium,
ene 19 18:54:09 dnssec named[1617]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
ene 19 18:54:09 dnssec named[1617]: corporation.  Support and training for BIND 9 are
ene 19 18:54:09 dnssec named[1617]: available at https://www.isc.org/support
ene 19 18:54:09 dnssec named[1617]: ----------------------------------------------------
ene 19 18:54:09 dnssec named[1617]: adjusted limit on open files from 4096 to 1048576
ene 19 18:54:09 dnssec named[1617]: found 1 CPU, using 1 worker thread
ene 19 18:54:09 dnssec named[1617]: using 1 UDP listener per interface
ene 19 18:54:09 dnssec named[1617]: using up to 4096 sockets
ene 19 18:54:09 dnssec named[1617]: loading configuration from '/etc/bind/named.conf'
ene 19 18:54:09 dnssec named[1617]: /etc/bind/named.conf.options:27: dnssec-lookaside 'auto' is no longer supported
ene 19 18:54:09 dnssec named[1617]: /etc/bind/named.conf.options.dnssec:1: trusted-key for dlv.isc.org still present; dlv.isc.org has been shut down
ene 19 18:54:09 dnssec named[1617]: reading built-in trust anchors from file '/etc/bind/bind.keys'
ene 19 18:54:09 dnssec named[1617]: initializing GeoIP Country (IPv4) (type 1) DB
ene 19 18:54:09 dnssec named[1617]: GEO-106FREE 20180315 Build
ene 19 18:54:09 dnssec named[1617]: initializing GeoIP Country (IPv6) (type 12) DB
ene 19 18:54:09 dnssec named[1617]: GEO-106FREE 20180315 Build
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv4) (type 2) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv4) (type 6) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv6) (type 30) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv6) (type 31) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Region (type 3) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Region (type 7) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP ISP (type 4) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Org (type 5) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP AS (type 9) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Domain (type 11) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP NetSpeed (type 10) DB not available
ene 19 18:54:09 dnssec named[1617]: using default UDP/IPv4 port range: [32768, 60999]
ene 19 18:54:09 dnssec named[1617]: using default UDP/IPv6 port range: [32768, 60999]
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface lo, 127.0.0.1#53
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface enp0s3, 10.20.30.200#53
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface enp0s8, 192.168.56.200#53
ene 19 18:54:09 dnssec named[1617]: generating session key for dynamic DNS
ene 19 18:54:09 dnssec named[1617]: sizing zone task pool based on 2 zones
ene 19 18:54:09 dnssec named[1617]: none:103: 'max-cache-size 90%' - setting to 886MB (out of 985MB)
ene 19 18:54:09 dnssec named[1617]: ../../../lib/isccfg/parser.c:1228: REQUIRE(obj != ((void *)0) && obj->type->rep == &cfg_rep_string) failed, back trace
ene 19 18:54:09 dnssec named[1617]: #0 0x561ca9ea1050 in ??
ene 19 18:54:09 dnssec named[1617]: #1 0x7f3fa9b477da in ??
ene 19 18:54:09 dnssec named[1617]: #2 0x7f3fa9fd125e in ??
ene 19 18:54:09 dnssec named[1617]: #3 0x561ca9e89856 in ??
ene 19 18:54:09 dnssec named[1617]: #4 0x561ca9ecbc00 in ??
ene 19 18:54:09 dnssec named[1617]: #5 0x561ca9ecd343 in ??
ene 19 18:54:09 dnssec named[1617]: #6 0x7f3fa9b6fd99 in ??
ene 19 18:54:09 dnssec named[1617]: #7 0x7f3fa90e86db in ??
ene 19 18:54:09 dnssec named[1617]: #8 0x7f3fa881c88f in ??
ene 19 18:54:09 dnssec named[1617]: exiting (due to assertion failure)
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Failed with result 'signal'.

Best Answer

Your bind server failed badly when reading your configuration. Try named-checkconf -p to see if the syntax is correct.

The error you have/had was an assertion; these are used by programmers when they are sure something will never happen. So you definitely hit a bug in bind: the correct behaviour would be to detect the configuration error and print an appropriate error message.

If you can reproduce the bug, you should report it to the bind issue tracker.
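
Added example (not part of the answer above and not BIND's own code): a small pre-flight check that scans BIND configuration text for the DLV remnants named lists in the journal output above, namely dnssec-lookaside statements and a trusted-keys entry for dlv.isc.org, and reports them by file and line before the service is restarted. The function names are hypothetical, and the sample input is constructed from the posted files with the key material replaced by placeholders.

```python
import re

# Constructed sample input: trimmed copies of the two files posted in the
# question, with the key material replaced by placeholders.
SAMPLE = {
    "named.conf.options": '''options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside "." trust-anchor auto;
        auth-nxdomain no;    # conform to RFC1035
        dnssec-lookaside auto;
};
''',
    "named.conf.options.dnssec": '''trusted-keys{
"." 257 3 8 "PLACEHOLDER//KEY";
"dlv.isc.org." 257 3 5
"PLACEHOLDER#KEY";
};
''',
}

# Quoted strings are matched first so "//" or "#" inside key data is not
# mistaken for a comment; comments are blanked but their newlines are kept.
_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|(?:#|//)[^\n]*', re.S)

def strip_comments(text):
    def repl(m):
        s = m.group()
        return s if s.startswith('"') else "\n" * s.count("\n")
    return _SKIP.sub(repl, text)

def find_dlv_leftovers(name, text):
    """Return (file, line, kind, detail) for each DLV remnant in one file."""
    clean = strip_comments(text)
    def line_of(pos):
        return clean.count("\n", 0, pos) + 1
    found, seen = [], 0
    for m in re.finditer(r'\bdnssec-lookaside\b([^;]*);', clean):
        seen += 1
        kind = "dlv-option" if seen == 1 else "dlv-option-repeated"
        found.append((name, line_of(m.start()), kind, m.group(1).strip()))
    for m in re.finditer(r'"dlv\.isc\.org\.?"\s+\d+\s+\d+\s+\d+', clean):
        found.append((name, line_of(m.start()), "dlv-trust-anchor", "dlv.isc.org"))
    return found

def lint(files):
    return [f for name, text in files.items() for f in find_dlv_leftovers(name, text)]

if __name__ == "__main__":
    for path, line, kind, detail in lint(SAMPLE):
        print(f"{path}:{line}: {kind}: {detail}")
```

The reported line is where each statement or key entry begins, so it can differ from the line named prints for the enclosing block.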