RE: Upgrading from 9.14.12 to 9.16.4 - with existing DNSSEC zones

From "Duncan" <duncan@isn-portal.de>
Newsgroups comp.protocols.dns.bind
Subject RE: Upgrading from 9.14.12 to 9.16.4 - with existing DNSSEC zones
Date Thu, 3 Sep 2020 12:36:07 +0200
Organization TE Corp.

I think I've found the problem...

Read in the documentation: "UDP network ports used for listening can no longer simultaneously be used for sending traffic."

I had listen-on, notify-source and transfer-source all set to the same IP and Port (53). Setting notify-source and transfer-source to different ports seems to solve my problems.

Under 9.14.12 there were no problems - that's the difference to 9.16.4, which caused my problems.


-----Original Message-----
From: Mark Andrews <marka@isc.org> 
Sent: Wednesday, September 2, 2020 12:38 AM
To: duncan@isn-portal.de
Cc: bind-users@lists.isc.org
Subject: Re: Upgrading from 9.14.12 to 9.16.4 - with existing DNSSEC zones

Do you go to your mechanic and not take the car when you have a problem you don’t understand with the car?

BIND 9.16.4 should be a drop in replacement for 9.14.12.  As you are seeing issues you will need to supply more details like the name of the zone so people can actually try and figure out what the issue is.

Mark 

> On 2 Sep 2020, at 01:06, Duncan <duncan@isn-portal.de> wrote:
> 
> I am using DNSSEC for more than 5 years now (never had a problem so far), but after upgrading to the latest bind-9.16.4 the verification fails using Verisign's DNSSEC Validator.
>  
> I reverted back to 9.14.12 and everything works as expected.
>  
> First I started upgrading my secondary DNS-Server (primary left untouched !!!) to 9.16.4 - restarted named and everything seems to be OK.
>  
> So I tested with Verisign's DNSSEC Validator https://dnssec-analyzer.verisignlabs.com/ before upgrading my primary DNS.
>  
> And Verisign reported an error -> All Queries to secondary.my-dnsserver-domain.com for my-domain.com/A timed out or failed
>  
> Test Results: https://ibb.co/7QLVJsC
>  
> Any ideas? …or should I upgrade both servers before I do my first test (not only the secondary server)? As I said, I only updated my secondary server and left my primary server untouched!
>  
> Are there any related upgrade issues from 9.14.12 to 9.16.4, which I should take care first (do I have to update something in my configs)? Is it possible to keep my already signed zones of my 9.14.12 installation? Or do I have to re-sign anything?
>  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
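
Added example, not part of the original post or of BIND: a pre-upgrade check that scans `named.conf` text for `notify-source` or `transfer-source` pinned to the same address and port as a `listen-on` clause, the combination the post reports as failing under 9.16.4. The sample configurations and the address 192.0.2.10 are constructed, and the parser only handles literal addresses and `any`, not ACL names or prefixes.

```python
import re

# Constructed sample mirroring the setup described in the post.
SAMPLE_BEFORE = """
options {
    listen-on port 53 { 192.0.2.10; };
    notify-source 192.0.2.10 port 53;    // same UDP port as the listener
    transfer-source 192.0.2.10 port 53;
};
"""
# Constructed corrected form: no fixed source port, so it differs from 53.
SAMPLE_AFTER = """
options {
    listen-on { 192.0.2.10; };
    notify-source 192.0.2.10;
    transfer-source 192.0.2.10;
};
"""

LISTEN_RE = re.compile(r"\blisten-on\s+(?:port\s+(\d+)\s+)?\{([^}]*)\}")
SOURCE_RE = re.compile(
    r"\b(notify-source|transfer-source)\s+(\S+?)(?:\s+port\s+(\d+|\*))?\s*;")

def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a clause."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def find_port_conflicts(conf):
    """Return (option, address, port) for each source that reuses a listen port."""
    conf = strip_comments(conf)
    listeners = []
    for port, addrs in LISTEN_RE.findall(conf):
        for addr in addrs.split(";"):
            if addr.strip():
                # listen-on without a port clause listens on 53.
                listeners.append((addr.strip(), int(port or 53)))
    findings = []
    for opt, addr, port in SOURCE_RE.findall(conf):
        if not port or port == "*":
            continue  # no fixed source port, nothing to collide with
        for laddr, lport in listeners:
            if int(port) == lport and (addr in (laddr, "*") or laddr == "any"):
                findings.append((opt, addr, lport))
                break
    return findings

if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, find_port_conflicts(conf))
```
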