Bug #10823: named.conf "controls" section missing IPv6 localhost on IPv6 enabled PFsense - breaking rndc - pfSense Packages - pfSense bugtracker

Custom queries

Open package bugs
Package Feedback Issues

Actions

Copy link

Bug #10823

closed

named.conf "controls" section missing IPv6 localhost on IPv6 enabled PFsense - breaking rndc

Added by Dave Tickem over 3 years ago. Updated over 3 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Renato Botelho

Category:

BIND

Target version:

Start date:

08/09/2020

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Affected Version:

Affected Plus Version:

Affected Architecture:

All

Description

Generator for {/cf/named}/etc/namedb/named.conf needs updating to include ::1 as well as 127.0.0.1 on PFSense instances with IPv6 enabled.

Clean BIND installation - /etc/namedb/named.conf contains:

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

If the system has an IPv6 stack, then /etc/hosts has ::1 for localhost as well. RNDC will try to use this address, timeout and fail.

History
Notes
Property changes

Actions

Copy link

Updated by Dave Tickem over 3 years ago

Sorry, very poor bug. Category is BIND. Affected version is PFSENSE 2.4.5p1 and BIND 9.14_7.

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Category set to BIND

Actions

Copy link

Updated by Viktor Gurov over 3 years ago

Status changed from New to Feedback

unable to reproduce, it uses 127.0.0.1 for server connections by default

from https://www.freebsd.org/cgi/man.cgi?query=rndc&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html:

 -s server
       server is the name or address of the    server which matches a server
       statement in    the configuration file for rndc. If no server is
       supplied on the command line, the host named    by the default-server
       clause in the options statement of the rndc configuration file will
       be used.

/cf/named/etc/namedb/rndc.conf:

key "rndc-key" {
    algorithm hmac-sha256;
    secret "AAAA/AAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 8953;
};

Actions

Copy link

Updated by Dave Tickem over 3 years ago

Agreed. Error on my part. Bug is wrong/bad/incorrect. Clean build :

[2.4.5-RELEASE][root@pfTest.home]/root: rndc sync
rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found

Have been using RNDC without specifying config file on the command line and expecting it to have been linked to / installed in the "built-in" location.

Fixed with

ln -s /cf/named/etc/namedb/rndc.conf /usr/local/etc/namedb/rndc.conf

Should this be in the package as standard so rndc can be used directly? Would be a feature request at best.

Sorry for time waste.

Actions

Copy link

Updated by Viktor Gurov over 3 years ago

Dave Tickem wrote:

Agreed. Error on my part. Bug is wrong/bad/incorrect. Clean build :

[...]

Have been using RNDC without specifying config file on the command line and expecting it to have been linked to / installed in the "built-in" location.

Fixed with

[...]

Should this be in the package as standard so rndc can be used directly? Would be a feature request at best.

Sorry for time waste.

But it should create /usr/local/etc/namedb/rndc.conf automatically:
https://github.com/pfsense/FreeBSD-ports/blob/cae5ee237cfabc90ea5ef4dfd480acfc9055e26f/dns/pfSense-pkg-bind/files/usr/local/pkg/bind.inc#L147

please show content of your /cf/named/etc/namedb/rndc.conf

Actions

Copy link

Updated by Dave Tickem over 3 years ago

Sure ! "/cf/named/etc/namedb/rndc.conf" - is created:

key "rndc-key" {
    algorithm hmac-sha256;
    secret "something/andosmethjingmore=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 8953;
};

The binary of rndc (/usr/local/sbin/rndc) is pre-built to use a different rndc.conf !

[2.4.5-RELEASE][root@pftest.home]/root: strings /usr/local/sbin/rndc | fgrep rndc.conf

/usr/local/etc/namedb/rndc.conf

[2.4.5-RELEASE][root@pftest.home]/root:

So - a clean install of bind, running rndc with just a "status" argument results in an error:

[2.4.5-RELEASE][root@pftest.home]/root: rndc status

rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found

[2.4.5-RELEASE][root@pftest.home]/root: rndc -c /cf/named/etc/namedb/rndc.conf status

version: BIND 9.14.12 (Stable Release) <id:f3dc26e>
running on pftest.home: FreeBSD amd64 11.3-STABLE FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun  2 17:53:37 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense
boot time: Wed, 12 Aug 2020 07:06:40 GMT
last configured: Wed, 12 Aug 2020 07:06:41 GMT
configuration file: /etc/namedb/named.conf (/cf/named//etc/namedb/named.conf)
...
server is up and running

[2.4.5-RELEASE][root@pftest.home]/root:

Fundamentally, rndc is unaware of the configuration root "BIND_LOCALBASE" and thinks bind configuration is installed under "/".

[ work around is for me to not be lazy and use "-c" argument to rndc, or, create a symlink for rndc.conf ]

cheers!

Actions

Copy link