DNS/Bind issue, DNS stops working every day

Bug #1889042 reported by Ole Kleinschmidt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
MAAS | Triaged | High | Unassigned |

Bug Description

Dear,

Every morning, I have to manually restart maas to fix DNS resolving. Our company's DNS server is unable to resolve domains managed by maas.

In /var/snap/maas/common/log/named.log I got tons of lines like:

27-Jul-2020 06:35:10.546 client @0x7fcdb000f360 10.XX.XXX.100#47169 (foobar.maas.domain.tld): query (cache) 'foobar.maas.domain.tld/A/IN' denied

10.XX.XXX.100 is our company's DNS server, which forwards a couple of domains to maas; foobar.maas.domain.tld is a DNS record managed by maas, forwarded from the company's DNS server. Also, if I manually try to query the maas DNS with "host foobar.maas.domain.tld <IP OF MAAS>", I get refused.

After I restart maas with "snap restart maas" everything works again until the next morning.

Running Ubuntu 20.04, Maas 2.8 from snap.

Cheers,
Ole

Björn Tillenius (bjornt) wrote :

Hi Ole, thanks for your bug report!

Could you please attach /var/snap/maas/current/bind/named.conf.options.inside.maas as it is when it's working, and when it's not working? As well as /var/snap/maas/current/bind/named.conf.maas.

Changed in maas:
importance: Undecided → High
status: New → Incomplete
Björn Tillenius (bjornt) wrote :

Also, have you turned off dnssec validation? In that case, that could be the culprit, since I found this issue:

  https://gitlab.isc.org/isc-projects/bind9/-/issues/784

Reading that report, restarting MAAS twice in a row might work around the issue.

Ole Kleinschmidt (oklhost) wrote :

Hi Bjoern,

Sure, here we go with the working ones - sorry for the X's:

/var/snap/maas/current/bind/named.conf.options.inside.maas:

forwarders {
    10.XX.XXX.100;
    10.XX.XXX.200;
};

dnssec-validation no;

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };

/var/snap/maas/current/bind/named.conf.maas:

include "/var/snap/maas/7808/bind/named.conf.rndc.maas";

# Zone declarations.
zone "mgmt.XX.XX.io" {
    type master;
    file "/var/snap/maas/7808/bind/zone.mgmt.XX.XX.io";
};
zone "XX2.mgmt.XX.XX.io" {
    type master;
    file "/var/snap/maas/7808/bind/zone.XX2.mgmt.XX.XX.io";
};
zone "maas-internal" {
    type master;
    file "/var/snap/maas/7808/bind/zone.maas-internal";
};
zone "1.XX.10.in-addr.arpa" {
    type master;
    file "/var/snap/maas/7808/bind/zone.1.XX.10.in-addr.arpa";
};
zone "X.4X.10.in-addr.arpa" {
    type master;
    file "/var/snap/maas/7808/bind/zone.X.4X.10.in-addr.arpa";
};
zone "X.4X.10.in-addr.arpa" {
    type master;
    file "/var/snap/maas/7808/bind/zone.X.4X.10.in-addr.arpa";
};
zone "X.4X.10.in-addr.arpa" {
    type master;
    file "/var/snap/maas/7808/bind/zone.X.4X.10.in-addr.arpa";
};

# Access control for recursive queries. See named.conf.options.inside.maas
# for the directives used on this ACL.
acl "trusted" {
    10.4X.X.0/24;
    10.XX.1.0/24;
    10.4X.X.0/24;
    10.4X.X.0/24;
    10.X.X.X/X;
    localnets;
    localhost;
};

Ole Kleinschmidt (oklhost) wrote :

Hi again,

Yes, dnssec validation is turned off. So a simple cronjob might be a workaround for now, I thought about it, but it did not feel right?! ;)

Ole Kleinschmidt (oklhost) wrote :

Hello,

Now DNS stopped working again. As you can see below, all my config seems gone. After I did snap restart maas, the configs went back to the status from my previous post.

/var/snap/maas/current/bind/named.conf.options.inside.maas:

dnssec-validation auto;

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };

/var/snap/maas/current/bind/named.conf.maas:

include "/var/snap/maas/7808/bind/named.conf.rndc.maas";

# Zone declarations.

# Access control for recursive queries. See named.conf.options.inside.maas
# for the directives used on this ACL.
acl "trusted" {
    localnets;
    localhost;
};

Björn Tillenius (bjornt) wrote :

Thanks for the info. So it looks like it's indeed related to dnssec-validation. We can't do much about the upstream issue at the moment, but we'll fix it so that MAAS handles bind crashing a bit better.

I'm marking this bug as a duplicate of bug 1888536, since that's the same issue.

Changed in maas:
status: Incomplete → Triaged
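
Added example, not part of the bug thread and not MAAS code: a Python check that takes a "query (cache) ... denied" line from named.log and the current named.conf.maas, and reports whether the denial matches the reset state shown in the second config dump (no zones, "trusted" ACL reduced to localnets/localhost). The addresses, zone name and function names are constructed for illustration, since the thread redacts its own values.

```python
import ipaddress
import re

# Constructed samples shaped like the files and log line quoted in the thread.
WORKING_CONF = '''zone "maas.example.test" {
    type master;
    file "/var/snap/maas/current/bind/zone.maas.example.test";
};
acl "trusted" {
    10.20.30.0/24;
    localnets;
    localhost;
};
'''
RESET_CONF = '''# Zone declarations.
acl "trusted" {
    localnets;
    localhost;
};
'''
LOG_LINE = ("27-Jul-2020 06:35:10.546 client @0x7fcdb000f360 10.20.30.100#47169 "
            "(foobar.maas.example.test): query (cache) "
            "'foobar.maas.example.test/A/IN' denied")

DENIED = re.compile(r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+ .*query \(cache\) "
                    r"'(?P<name>[^/]+)/(?P<type>\w+)/IN' denied")

def parse_conf(text):
    """Return (zone names, explicit networks in the "trusted" ACL)."""
    zones = re.findall(r'^zone\s+"([^"]+)"', text, re.M)
    acl = re.search(r'acl\s+"trusted"\s*\{(.*?)\};', text, re.S)
    entries = [e.strip() for e in acl.group(1).split(";")] if acl else []
    nets = [ipaddress.ip_network(e, strict=False)
            for e in entries if e and e[0].isdigit()]
    return zones, nets

def explain_denial(line, conf_text):
    """Classify a 'query (cache) ... denied' line against named.conf.maas."""
    m = DENIED.search(line)
    if not m:
        return None
    zones, nets = parse_conf(conf_text)
    name, ip = m["name"].rstrip("."), ipaddress.ip_address(m["ip"])
    authoritative = any(name == z or name.endswith("." + z) for z in zones)
    trusted = any(ip in n for n in nets)  # localnets/localhost not evaluated
    if not zones and not nets:
        return "config-reset"      # zones and ACL networks both gone
    if not authoritative and not trusted:
        return "untrusted-client"  # ordinary cache refusal for an outside name
    return "config-ok"             # this file does not explain the denial
```

A "config-reset" result on a host that should be serving MAAS zones is the condition worth alerting on, rather than waiting for resolution failures to be noticed the next morning.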