[RPZ] assertion failures

April Lorenzen data at serverauthority.net
Wed Jun 29 17:51:03 UTC 2011 

With some help I found the file named core dropped in the
/opt/bind9/var/run dir, gzipped it and sent the bug report to
bind9-bugs at isc.org.

On Wed, Jun 29, 2011 at 11:05 AM, April Lorenzen
<data at serverauthority.net> wrote:
> My RPZ test server works as expected for awhile and then bind stops
> with assertion failure in log. My guess is that others are not seeing
> this problem because most don't compile with the --enable-rpz-nsip and
> --enable-rpz-nsdname as I did, and they may not be using RPZ rules
> that exercise those features.
>
> Believing this is a bind issue, I went to ask about it or report it to
> the bind list and searched / read archives first. I will need a stack
> trace they say or the report won't be helpful. I searched for how to
> get a stack trace and find no info. I went to the #bind channel on
> freenode and asked but did not receive an answer.
>
> I think some of the early adopters of RPZ domain rules also had
> assertion failures and may be able to tell me the path to take to get
> the stack trace to send to the bind bugs address. The OS of this test
> server is Ubuntu natty. My *bsd oriented friends think it will be hard
> to get a stack trace on linux.
>
> At this point I am stuck unless I bother people I know in ISC. I would
> hope or assume there is some other more appropriate path to the right
> person to help me that I haven't discovered yet.
>
> I believe anyone could recreate the symptoms by compiling with the
> nsip and nsdname options and running a list of miscreant domains
> against a server with an RPZ list of malicious ns ips.
>
> Compiled with these options:
> ./configure --prefix=/opt/bind9 --with-openssl=yes
> --sysconfdir=/etc/bind --with-randomdev=/dev/urandom --enable-rpz-nsip
> --enable-rpz-nsdname
>
>
> Examples of how the failures happen:
>
> 29-Jun-2011 02:52:29.733 client MY.HOME.IP#64760: response policy NSIP
> rewrite 0DAY-EXCHANGE.COM via 0DAY-EXCHANGE.COM NS db_find() failed:
> failure
> 29-Jun-2011 02:52:32.380 client MY.HOME.IP#65516: response policy NSIP
> rewrite 0EC.RU via 0EC.RU NS db_find() failed: failure
> 29-Jun-2011 02:52:35.530 client MY.HOME.IP#63528: response policy NSIP
> rewrite 07TQQWEM.RU via 07TQQWEM.RU NS db_find() failed: timed out
> 29-Jun-2011 02:52:36.807 name.c:2112: REQUIRE(suffixlabels <
> name->labels) failed, back trace
> 29-Jun-2011 02:52:36.807 #0 0x412ff6 in assertion_failed()+0x46
> 29-Jun-2011 02:52:36.807 #1 0x56969a in isc_assertion_failed()+0xa
> 29-Jun-2011 02:52:36.807 #2 0x494119 in dns_name_split()+0x199
> 29-Jun-2011 02:52:36.807 #3 0x416c8a in rpz_rewrite_name()+0xea
> 29-Jun-2011 02:52:36.807 #4 0x41f0cb in query_find()+0x329b
> 29-Jun-2011 02:52:36.807 #5 0x42282f in query_resume()+0x21f
> 29-Jun-2011 02:52:36.807 #6 0x584cf5 in isc__taskmgr_dispatch()+0x175
> 29-Jun-2011 02:52:36.807 #7 0x58741f in evloop()+0x9f
> 29-Jun-2011 02:52:36.807 #8 0x587677 in isc__app_ctxrun()+0x87
> 29-Jun-2011 02:52:36.807 #9 0x414184 in main()+0xbf4
> 29-Jun-2011 02:52:36.807 #10 0x7f76e89d6eff in _fini()+0x7f76e84401a7
> 29-Jun-2011 02:52:36.807 #11 0x404f49 in _start()+0x29
> 29-Jun-2011 02:52:36.807 exiting (due to assertion failure)
>
>
> (I restarted bind and after properly handling some queries... )
>
> 29-Jun-2011 13:14:03.430 client MY.HOME.IP#60741: response policy NSIP
> rewrite 2FVWP6VLTT4VSJ3.INFO via 2FVWP6VLTT4VSJ3.INFO NS db_find()
> failed: timed out
> 29-Jun-2011 13:14:34.922 client MY.HOME.IP#60859: response policy NSIP
> rewrite 2GOPLAY.COM via 2GOPLAY.COM NS db_find() failed: timed out
> 29-Jun-2011 13:14:37.366 DNS format error from 74.54.83.109#53
> resolving ns2.supernetdeal.com.directideleteddomain.info/AAAA: invalid
> response
> 29-Jun-2011 13:14:37.369 DNS format error from 74.54.83.109#53
> resolving ns1.supernetdeal.com.directideleteddomain.info/AAAA: invalid
> response
> 29-Jun-2011 13:14:37.404 DNS format error from 74.54.82.109#53
> resolving ns2.supernetdeal.com.directideleteddomain.info/AAAA: invalid
> response
> 29-Jun-2011 13:14:37.405 DNS format error from 74.54.82.109#53
> resolving ns1.supernetdeal.com.directideleteddomain.info/AAAA: invalid
> response
> 29-Jun-2011 13:14:49.931 client MY.HOME.IP#54007: response policy NSIP
> rewrite 2H8FWYIVDSGRSDD.INFO via 2H8FWYIVDSGRSDD.INFO NS db_find()
> failed: timed out
> 29-Jun-2011 13:15:07.246 client MY.HOME.IP#52729: response policy NSIP
> rewrite 2HFNWZ9NKWF2DNJ.INFO via 2HFNWZ9NKWF2DNJ.INFO NS db_find()
> failed: timed out
> 29-Jun-2011 13:15:08.444 rdataset.c:245: REQUIRE(rdataset->methods !=
> ((void *)0)) failed, back trace
> 29-Jun-2011 13:15:08.444 #0 0x412ff6 in assertion_failed()+0x46
> 29-Jun-2011 13:15:08.444 #1 0x56969a in isc_assertion_failed()+0xa
> 29-Jun-2011 13:15:08.444 #2 0x4ee3a0 in dns_rdataset_next()+0x0
> 29-Jun-2011 13:15:08.444 #3 0x4ef26d in dns_rdataset_additionaldata()+0x6d
> 29-Jun-2011 13:15:08.444 #4 0x41619c in query_addrdataset()+0x8c
> 29-Jun-2011 13:15:08.444 #5 0x419d03 in query_addrrset()+0x143
> 29-Jun-2011 13:15:08.444 #6 0x41e1fe in query_find()+0x23ce
> 29-Jun-2011 13:15:08.444 #7 0x42282f in query_resume()+0x21f
> 29-Jun-2011 13:15:08.444 #8 0x584cf5 in isc__taskmgr_dispatch()+0x175
> 29-Jun-2011 13:15:08.444 #9 0x58741f in evloop()+0x9f
> 29-Jun-2011 13:15:08.444 #10 0x587677 in isc__app_ctxrun()+0x87
> 29-Jun-2011 13:15:08.444 #11 0x414184 in main()+0xbf4
> 29-Jun-2011 13:15:08.444 #12 0x7f0328b2deff in _fini()+0x7f03285971a7
> 29-Jun-2011 13:15:08.444 #13 0x404f49 in _start()+0x29
> 29-Jun-2011 13:15:08.444 exiting (due to assertion failure)
>
> (I restarted bind and after properly handling some queries...)
>
> 29-Jun-2011 13:42:04.510 client MY.HOME.IP#39962: response policy NSIP
> rewrite jouwstrandreis.com via jouwstrandreis.com NS db_find() faile
> d: failure
> 29-Jun-2011 13:42:04.516 client MY.HOME.IP#39962: response policy NSIP
> rewrite helevakantiegratis.com via helevakantiegratis.com NS db_find
> () failed: failure
> 29-Jun-2011 13:42:04.539 client MY.HOME.IP#39962: response policy NSIP
> rewrite nikefreesko.org via nikefreesko.org NS db_find() failed: fai
> lure
> 29-Jun-2011 13:42:04.540 client MY.HOME.IP#39962: response policy NSIP
> rewrite topreisgratis.com via topreisgratis.com NS db_find() failed:
>  failure
> 29-Jun-2011 13:42:04.576 DNS format error from 112.90.143.29#53
> resolving szxintian.com/A for client MY.HOME.IP#39962: reply has no
> answer
> 29-Jun-2011 13:42:04.585 DNS format error from 112.90.143.29#53
> resolving 231423423.com/A for client MY.HOME.IP#39962: reply has no
> answer
> 29-Jun-2011 13:42:04.597 DNS format error from 125.39.58.12#53
> resolving anlucn.com/A for client MY.HOME.IP#39962: reply has no
> answer
> 29-Jun-2011 13:42:04.724 DNS format error from 183.60.52.217#53
> resolving 231423423.com/NS for client MY.HOME.IP#39962: reply has no
> answer
> 29-Jun-2011 13:42:04.825 DNS format error from 183.60.52.217#53
> resolving 231423423.com/A for client MY.HOME.IP#39962: reply has no
> answer
> 29-Jun-2011 13:42:04.836 DNS format error from 122.225.217.191#53
> resolving szxintian.com/NS for client MY.HOME.IP#39962: reply has no
> answ
> er
> 29-Jun-2011 13:42:04.875 client MY.HOME.IP#39962: response policy NSIP
> rewrite best--buy.com via best--buy.com NS db_find() failed: failure
> 29-Jun-2011 13:42:04.891 DNS format error from 112.90.143.29#53
> resolving anlucn.com/A for client MY.HOME.IP#39962: reply has no
> answer29-Jun-2011 13:42:04.910 success resolving '163ebhk.com/NS' (in
> '163ebhk.COM'?) after reducing the advertised EDNS UDP packet size to
> 512 octet
> s
> 29-Jun-2011 13:42:04.956 success resolving 'vscos.com/A' (in
> 'vscos.COM'?) after reducing the advertised EDNS UDP packet size to
> 512 octets
> 29-Jun-2011 13:42:05.018 DNS format error from 112.90.143.29#53
> resolving 231423423.com/NS for client MY.HOME.IP#39962: reply has no
> answer29-Jun-2011 13:42:05.087 DNS format error from
> 122.225.217.191#53 resolving 231423423.com/A for client
> MY.HOME.IP#39962: reply has no answe
> r
> 29-Jun-2011 13:42:05.130 DNS format error from 112.90.143.29#53
> resolving szxintian.com/NS for client MY.HOME.IP#39962: reply has no
> answer29-Jun-2011 13:42:05.148 db.c:569: REQUIRE((((db) != ((void
> *)0)) && (((const isc__magic_t *)(db))->magic == ((('D') << 24 | ('N')
> << 16 | ('S'
> ) << 8 | ('D')))))) failed, back trace
> 29-Jun-2011 13:42:05.148 #0 0x412ff6 in assertion_failed()+0x46
> 29-Jun-2011 13:42:05.148 #1 0x56969a in isc_assertion_failed()+0xa
> 29-Jun-2011 13:42:05.148 #2 0x466d61 in dns_db_detachnode()+0x41
> 29-Jun-2011 13:42:05.148 #3 0x41c569 in query_find()+0x739
> 29-Jun-2011 13:42:05.148 #4 0x42282f in query_resume()+0x21f
> 29-Jun-2011 13:42:05.148 #5 0x584cf5 in isc__taskmgr_dispatch()+0x175
> 29-Jun-2011 13:42:05.148 #6 0x58741f in evloop()+0x9f
> 29-Jun-2011 13:42:05.148 #7 0x587677 in isc__app_ctxrun()+0x87
> 29-Jun-2011 13:42:05.148 #8 0x414184 in main()+0xbf4
> 29-Jun-2011 13:42:05.148 #9 0x7f3ddf9d2eff in _fini()+0x7f3ddf43c1a7
> 29-Jun-2011 13:42:05.148 #10 0x404f49 in _start()+0x29
> 29-Jun-2011 13:42:05.148 exiting (due to assertion failure)
>

More information about the DNSfirewalls mailing list