Bug #10823
closednamed.conf "controls" section missing IPv6 localhost on IPv6 enabled PFsense - breaking rndc
100%
Description
Generator for {/cf/named}/etc/namedb/named.conf needs updating to include ::1 as well as 127.0.0.1 on PFSense instances with IPv6 enabled.
Clean BIND installation - /etc/namedb/named.conf contains:
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
If the system has an IPv6 stack, then /etc/hosts has ::1 for localhost as well. RNDC will try to use this address, timeout and fail.
Updated by Dave Tickem over 4 years ago
Sorry, very poor bug. Category is BIND. Affected version is PFSENSE 2.4.5p1 and BIND 9.14_7.
Updated by Viktor Gurov over 4 years ago
- Status changed from New to Feedback
unable to reproduce, it uses 127.0.0.1 for server connections by default
-s server server is the name or address of the server which matches a server statement in the configuration file for rndc. If no server is supplied on the command line, the host named by the default-server clause in the options statement of the rndc configuration file will be used.
/cf/named/etc/namedb/rndc.conf:
key "rndc-key" { algorithm hmac-sha256; secret "AAAA/AAAAAAAAAAAAAAAAAAAAAAAAAA="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 8953; };
Updated by Dave Tickem over 4 years ago
Agreed. Error on my part. Bug is wrong/bad/incorrect. Clean build :
[2.4.5-RELEASE][root@pfTest.home]/root: rndc sync rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found
Have been using RNDC without specifying config file on the command line and expecting it to have been linked to / installed in the "built-in" location.
Fixed with
ln -s /cf/named/etc/namedb/rndc.conf /usr/local/etc/namedb/rndc.conf
Should this be in the package as standard so rndc can be used directly? Would be a feature request at best.
Sorry for time waste.
Updated by Viktor Gurov over 4 years ago
Dave Tickem wrote:
Agreed. Error on my part. Bug is wrong/bad/incorrect. Clean build :
[...]
Have been using RNDC without specifying config file on the command line and expecting it to have been linked to / installed in the "built-in" location.
Fixed with
[...]
Should this be in the package as standard so rndc can be used directly? Would be a feature request at best.
Sorry for time waste.
But it should create /usr/local/etc/namedb/rndc.conf automatically:
https://github.com/pfsense/FreeBSD-ports/blob/cae5ee237cfabc90ea5ef4dfd480acfc9055e26f/dns/pfSense-pkg-bind/files/usr/local/pkg/bind.inc#L147
please show content of your /cf/named/etc/namedb/rndc.conf
Updated by Dave Tickem over 4 years ago
Sure ! "/cf/named/etc/namedb/rndc.conf" - is created:
key "rndc-key" { algorithm hmac-sha256; secret "something/andosmethjingmore="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 8953; };
The binary of rndc (/usr/local/sbin/rndc) is pre-built to use a different rndc.conf !
[2.4.5-RELEASE][root@pftest.home]/root: strings /usr/local/sbin/rndc | fgrep rndc.conf /usr/local/etc/namedb/rndc.conf [2.4.5-RELEASE][root@pftest.home]/root:
So - a clean install of bind, running rndc with just a "status" argument results in an error:
[2.4.5-RELEASE][root@pftest.home]/root: rndc status rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found [2.4.5-RELEASE][root@pftest.home]/root: rndc -c /cf/named/etc/namedb/rndc.conf status version: BIND 9.14.12 (Stable Release) <id:f3dc26e> running on pftest.home: FreeBSD amd64 11.3-STABLE FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense boot time: Wed, 12 Aug 2020 07:06:40 GMT last configured: Wed, 12 Aug 2020 07:06:41 GMT configuration file: /etc/namedb/named.conf (/cf/named//etc/namedb/named.conf) ... server is up and running [2.4.5-RELEASE][root@pftest.home]/root:
Fundamentally, rndc is unaware of the configuration root "BIND_LOCALBASE" and thinks bind configuration is installed under "/".
[ work around is for me to not be lazy and use "-c" argument to rndc, or, create a symlink for rndc.conf ]
cheers!
Updated by Viktor Gurov over 4 years ago
Updated by Dave Tickem over 4 years ago
Viktor Gurov wrote:
Tested, manually updating bind.inc - fix works.
Thanks!
:-)
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Dave Tickem about 4 years ago
Renato Botelho wrote:
PR has been merged. Thanks!
Updated to bind 9.14_8, which includes this fix - works as required.
Great fix - thanks!
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to Resolved