Symptoms
- The bind package was recently updated.
- There are more than 100 configured PTR records:

  MariaDB [psa]> select count(*) from dns_recs where type like "%PTR%";
  +----------+
  | count(*) |
  +----------+
  |      304 |
  +----------+

- The DNS bind service fails with one of the error messages below:

  dnsmng[21870]: Dns zone candidate file '/var/named/chroot/var/0.13.203.in-addr.arpa.next' is not valid (strictMode:1). Changes are reverted. Reason: dns_master_load: /var/named/chroot/var/0.13.203.in-addr.arpa.next:295:2.0.13.203.in-addr.arpa: too many records#012zone 0.13.203.in-addr.arpa/IN: loading from master file /var/named/chroot/var/0.13.203.in-addr.arpa.next failed: too many records#012zone 0.13.203.in-addr.arpa/IN: not loaded due to errors.

  named-checkconf[120268]: zone 0.13.203.in-addr.arpa/IN: loading from master file 0.13.203.in-addr.arpa failed: file not found
  named-checkconf[120268]: zone 0.13.203.in-addr.arpa/IN: not loaded due to errors.
  named-checkconf[120268]: _default/0.13.203.in-addr.arpa/IN: file not found
  systemd[1]: named-chroot.service: Control process exited, code=exited status=1
  systemd[1]: named-chroot.service: Failed with result 'exit-code'.
  systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

- The plesk repair dns utility returns errors like:

  System error 11: Resource temporarily unavailable
  Error during example.com updateZone: dnsmng failed: dnsmng: Unable to update reverse lookup zone

- On AlmaLinux 9, Debian 12, and Ubuntu 20, 22, and 24, the bind service is running, but not all zones are loaded:

  named[133040]: dns_master_load: 0.13.203.in-addr.arpa:131:2.0.13.203.in-addr.arpa: too many records
  named[133040]: zone 0.13.203.in-addr.arpa/IN: loading from master file 0.13.203.in-addr.arpa failed: too many records
  named[133040]: zone 0.13.203.in-addr.arpa/IN: not loaded due to errors.
Cause
The bind package was recently updated to a version that includes the patch for CVE-2024-1737, which limits the number of reverse records that can be loaded to 100.
Resolution
Update Plesk Obsidian to the latest version.

In some cases, files of reverse DNS zones may be missing after updating, preventing bind from starting. Rebuild the zone files using the following command:

  # plesk repair dns

Check that /etc/sysconfig/named contains "DNS_RDATASET_MAX_RECORDS=10000":

  # grep DNS_RDATASET_MAX_RECORDS /etc/sysconfig/named

For Debian 11 and CentOS 7, the fix is not yet implemented, and the workaround is to downgrade the bind packages:

CentOS 7
- Connect to the server via SSH.
- Downgrade bind and its related packages to the previous version:

  # yum downgrade bind*

- Exclude bind-related packages from updates by adding the following line to /etc/yum.conf:

  exclude=bind*

- Rebuild the DNS configuration:

  # plesk repair dns -y

Debian 11
- Connect to the server via SSH.
- Downgrade bind and its related packages to the previous version:

  # apt-get install bind9=1:9.16.48-1 bind9-dnsutils=1:9.16.48-1 bind9-host=1:9.16.48-1 bind9-libs=1:9.16.48-1 bind9-utils=1:9.16.48-1 dnsutils=1:9.16.48-1

- Exclude bind-related packages from updates:

  # apt-mark hold bind9* dnsutils

- Rebuild the DNS configuration:

  # plesk repair dns -y
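As an added check that is not part of the Plesk article: this POSIX shell script counts records per RRset (owner name plus type) in a zone file, so an administrator can see which reverse zones exceed the 100-record limit before restarting named, and confirm the raised limit is enough afterwards. The zone name comes from the log lines above; the PTR targets, the function names and the one-record-per-line assumption are this example's own.

```shell
# Added check (not from the Plesk article): count records per RRset in a BIND
# zone file and flag RRsets above a limit, the condition a patched named
# reports as "too many records". Assumes one record per line (no "(" continuations).

# rrset_counts ZONEFILE -> lines of "COUNT OWNER TYPE", largest first
rrset_counts() {
    awk '
        /^[[:space:]]*$/ { next }                 # blank line
        /^[[:space:]]*;/ { next }                 # comment
        /^[$]/ { next }                           # $TTL, $ORIGIN directives
        {
            if ($0 ~ /^[[:space:]]/) { owner = prev; i = 1 }  # blank owner inherits
            else                     { owner = $1;   i = 2 }
            prev = owner
            if ($i ~ /^[0-9]+$/) i++              # optional TTL
            if ($i == "IN" || $i == "CH") i++     # optional class; $i is now the type
            cnt[owner " " $i]++
        }
        END { for (k in cnt) print cnt[k], k }
    ' "$1" | sort -rn
}

# max_rrset_size ZONEFILE -> record count of the largest RRset
max_rrset_size() {
    rrset_counts "$1" | awk 'NR == 1 { print $1 }'
}

# check_rrset_limit ZONEFILE LIMIT -> exit 0 if every RRset has at most
# LIMIT records; otherwise print the offending RRsets and exit 1
check_rrset_limit() {
    rrset_counts "$1" | awk -v lim="$2" '$1 > lim { print; bad = 1 } END { exit bad }'
}

# Constructed sample: the reverse zone named in the article, with made-up
# PTR targets. Owner 2 (2.0.13.203.in-addr.arpa) carries three PTR records.
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 86400
$ORIGIN 0.13.203.in-addr.arpa.
@ IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400
@ IN NS ns1.example.com.
2 IN PTR host-a.example.com.
  IN PTR host-b.example.com.
2 IN PTR host-c.example.com.
3 IN PTR host-d.example.com.
EOF
echo "largest RRset has $(max_rrset_size "$SAMPLE_ZONE") records (named default limit: 100)"
check_rrset_limit "$SAMPLE_ZONE" 2 || echo "the RRsets above would fail to load with limit 2"
```

Run it against a real zone with `check_rrset_limit /var/named/chroot/var/0.13.203.in-addr.arpa 100`; any RRset it prints is one named refuses to load until DNS_RDATASET_MAX_RECORDS is raised as described above.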
Comments
2 comments
This appears to be an issue when using bind-9.11.36-16.el8_10.2 on AlmaLinux 8 as well. Downgrading to bind-9.11.36-14.el8_10.x86_64 solves it.
This post was very insightful. Great job!