
Bug #10823

named.conf "controls" section missing IPv6 localhost on IPv6 enabled PFsense - breaking rndc

Added by Dave Tickem about 1 month ago. Updated 27 days ago.

Status:
Resolved
Priority:
Normal
Category:
BIND
Target version:
-
Start date:
08/09/2020
Due date:
% Done:

100%

Estimated time:
Affected Version:
Affected Architecture:
All

Description

Generator for {/cf/named}/etc/namedb/named.conf needs updating to include ::1 as well as 127.0.0.1 on PFSense instances with IPv6 enabled.

Clean BIND installation - /etc/namedb/named.conf contains:

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

If the system has an IPv6 stack, then /etc/hosts has ::1 for localhost as well. RNDC will try to use this address, timeout and fail.

History

#1 Updated by Dave Tickem about 1 month ago

Sorry, very poor bug. Category is BIND. Affected version is PFSENSE 2.4.5p1 and BIND 9.14_7.

#2 Updated by Jim Pingle about 1 month ago

  • Category set to BIND

#3 Updated by Viktor Gurov about 1 month ago

  • Status changed from New to Feedback

Unable to reproduce; it uses 127.0.0.1 for server connections by default.

from https://www.freebsd.org/cgi/man.cgi?query=rndc&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html:

 -s server
       server is the name or address of the server which matches a server
       statement in the configuration file for rndc. If no server is
       supplied on the command line, the host named by the default-server
       clause in the options statement of the rndc configuration file will
       be used.

/cf/named/etc/namedb/rndc.conf:

key "rndc-key" {
    algorithm hmac-sha256;
    secret "AAAA/AAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 8953;
};

#4 Updated by Dave Tickem about 1 month ago

Agreed. Error on my part. Bug is wrong/bad/incorrect. Clean build:

[2.4.5-RELEASE][root@pfTest.home]/root: rndc sync
rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found

Have been using RNDC without specifying config file on the command line and expecting it to have been linked to / installed in the "built-in" location.

Fixed with

ln -s /cf/named/etc/namedb/rndc.conf /usr/local/etc/namedb/rndc.conf

Should this be in the package as standard so rndc can be used directly? Would be a feature request at best.

Sorry for time waste.

#5 Updated by Viktor Gurov about 1 month ago

Dave Tickem wrote:

Agreed. Error on my part. Bug is wrong/bad/incorrect. Clean build:

[...]

Have been using RNDC without specifying config file on the command line and expecting it to have been linked to / installed in the "built-in" location.

Fixed with

[...]

Should this be in the package as standard so rndc can be used directly? Would be a feature request at best.

Sorry for time waste.

But it should create /usr/local/etc/namedb/rndc.conf automatically:
https://github.com/pfsense/FreeBSD-ports/blob/cae5ee237cfabc90ea5ef4dfd480acfc9055e26f/dns/pfSense-pkg-bind/files/usr/local/pkg/bind.inc#L147

Please show the content of your /cf/named/etc/namedb/rndc.conf.

#6 Updated by Dave Tickem about 1 month ago

Sure! "/cf/named/etc/namedb/rndc.conf" is created:

key "rndc-key" {
    algorithm hmac-sha256;
    secret "something/andosmethjingmore=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 8953;
};

The binary of rndc (/usr/local/sbin/rndc) is pre-built to use a different rndc.conf!

[2.4.5-RELEASE][root@pftest.home]/root: strings /usr/local/sbin/rndc | fgrep rndc.conf
/usr/local/etc/namedb/rndc.conf
[2.4.5-RELEASE][root@pftest.home]/root:

So, on a clean install of bind, running rndc with just a "status" argument results in an error:

[2.4.5-RELEASE][root@pftest.home]/root: rndc status
rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found

[2.4.5-RELEASE][root@pftest.home]/root: rndc -c /cf/named/etc/namedb/rndc.conf status
version: BIND 9.14.12 (Stable Release) <id:f3dc26e>
running on pftest.home: FreeBSD amd64 11.3-STABLE FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun  2 17:53:37 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense
boot time: Wed, 12 Aug 2020 07:06:40 GMT
last configured: Wed, 12 Aug 2020 07:06:41 GMT
configuration file: /etc/namedb/named.conf (/cf/named//etc/namedb/named.conf)
...
server is up and running
[2.4.5-RELEASE][root@pftest.home]/root:

Fundamentally, rndc is unaware of the configuration root "BIND_LOCALBASE" and thinks bind configuration is installed under "/".

[Workaround is for me to not be lazy and use the "-c" argument to rndc, or create a symlink for rndc.conf.]

cheers!
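The two conditions this comment pins down (rndc reads only its compiled-in rndc.conf path, and rndc.conf's default-server/default-port must match the named.conf "controls" listener) as an added POSIX sh check. This is not code from the pfSense package or from the thread; the helper names, the scratch tree under mktemp, the placeholder secret and the 8953 listener in the constructed named.conf are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense's bind.inc). Checks that rndc's compiled-in
# config path resolves to the package-managed file (file or symlink), and
# that rndc.conf's default-server/default-port match the named.conf
# "controls" listener. Paths are parameters; a constructed tree lets it run offline.

rndc_target() {   # $1 = rndc.conf -> "addr port" that rndc will dial
    awk '$1=="default-server" {sub(/;/,"",$2); a=$2}
         $1=="default-port"   {sub(/;/,"",$2); p=$2}
         END {print a, p}' "$1"
}

controls_listener() {   # $1 = named.conf -> "addr port" of the listener
    awk '$1=="inet" {print $2, $4; exit}' "$1"
}

# 0 when the compiled-in path ($1) exists and resolves to the package file ($2);
# otherwise rndc reports "neither ... rndc.conf nor ... rndc.key was found".
config_reachable() {
    [ -e "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

endpoints_agree() {   # $1 = rndc.conf, $2 = named.conf
    [ "$(rndc_target "$1")" = "$(controls_listener "$2")" ]
}

make_scratch() {   # constructed pfSense-like tree (assumed layout); prints its root
    root=$(mktemp -d)
    mkdir -p "$root/cf/named/etc/namedb" "$root/usr/local/etc/namedb"
    cat > "$root/cf/named/etc/namedb/rndc.conf" <<'EOF'
key "rndc-key" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 8953;
};
EOF
    cat > "$root/cf/named/etc/namedb/named.conf" <<'EOF'
controls {
    inet 127.0.0.1 port 8953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
    echo "$root"
}

# Demo: before the symlink rndc cannot find its config; after it, both checks pass.
R=$(make_scratch); PKG="$R/cf/named/etc/namedb/rndc.conf"; BUILTIN="$R/usr/local/etc/namedb/rndc.conf"
if config_reachable "$BUILTIN" "$PKG"; then echo "reachable"; else echo "not reachable (pre-fix state)"; fi
ln -s "$PKG" "$BUILTIN"
if config_reachable "$BUILTIN" "$PKG" && endpoints_agree "$PKG" "$R/cf/named/etc/namedb/named.conf"; then echo "rndc would work"; fi
```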

#8 Updated by Dave Tickem about 1 month ago

Viktor Gurov wrote:

Fix:
https://github.com/pfsense/FreeBSD-ports/pull/918

Tested, manually updating bind.inc - fix works.

Thanks!

:-)

#9 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Pull Request Review

#10 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#11 Updated by Dave Tickem 27 days ago

Renato Botelho wrote:

PR has been merged. Thanks!

Updated to bind 9.14_8, which includes this fix - works as required.

Great fix - thanks!

#12 Updated by Jim Pingle 27 days ago

  • Status changed from Feedback to Resolved
