Hi all,
does anyone know if secondary zones are supposed to work? In my installation they seem to be a no-op.
Just asking if I should file a bug report or if this is simply open for improvement.
Looking for tasks for Hacktoberfest, anyway ;)
Kind regards,
Patrick
I think fraenki is using Slave zones in production. What's not working?
Configured slave zone - please see attachment.
Zone is not in named.conf:
root@opnsense:/usr/local/etc/namedb # fgrep intern.punkt.de named.conf
root@opnsense:/usr/local/etc/namedb #
The Jinja template responsible for getting the zones into the config is:
{% if helpers.exists('OPNsense.bind.domain.domains.domain') %}
{% for domain in helpers.toList('OPNsense.bind.domain.domains.domain') %}
{% if domain.enabled == '1' %}
{% set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
{% set allow_query = helpers.getUUID(domain.allowquery) %}
zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
{% endif %}
{% endfor %}
{% endif %}
Looks like `{% if helpers.exists('OPNsense.bind.domain.domains.domain') %}` does not evaluate to true.
Kind regards,
Patrick
Master zones don't make it into named.conf, either ...
You need an NS record ..
Added and gets written to the zone file:
root@opnsense:/usr/local/etc/namedb # cat master/fritz.box.db
$TTL 86400
@ IN SOA opnsense.ettlingen.hausen.com. root.opnsense.ettlingen.hausen.com. ( 2009171350 21600 3600 3542400 3600 )
@ A 192.168.93.1
@ NS fritz.box.
But the zone does not get added to named.conf ...
named.conf please ...
options {
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on port 53530 { 127.0.0.1; };
    listen-on-v6 port 53530 { ::1; };
    max-cache-size 80%;
    dnssec-validation no;
};
key "rndc-key" {
    algorithm hmac-sha256;
    secret "*************************";
};
controls {
    inet 127.0.0.1 port 9530
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
logging {
    channel default_log {
        file "/var/log/named/named.log" versions 3 size 5m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 5m;
        print-time yes;
    };
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 3 size 5m;
        print-time yes;
    };
    category default { default_log; };
    category general { default_log; };
    category queries { query_log; };
    category rpz { rpz_log; };
    category lame-servers { null; };
};
Did you really hit save at the bottom and you are really on the latest version?
On my side it works with a fake domain:
zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "fink.de" { type master; file "/usr/local/etc/namedb/master/fink.de.db"; };
logging {
    channel default_log {
        file "/var/log/named/named.log" versions 3 size 7m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
I did hit save - tried a dozen times including reinstalling the plugin, even cleaning the bind config from the saved XML and reimporting, all that.
As for the version - I am running 2.7.2. How would I check and update plugins?
When you are on CLI, can you check the timestamp of the file after hitting save, and also check configd.log.
File is not updated at all (no timestamp change) and this is logged:
Sep 17 17:22:11 opnsense configd.py[71064]: generate template container OPNsense/Bind
Sep 17 17:22:13 opnsense configd.py[71064]: [5622535e-1a63-4749-a349-3d1a66664ba4] Inline action failed with OPNsense/Bind OPNsense/Bind/named.conf 'collections.OrderedDict object' has no attribute 'allownotifyslave' at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/template.py", line 264, in _generate
    content = j2_page.render(cnf_data)
  File "/usr/local/lib/python3.7/site-packages/jinja2/asyncsupport.py", line 76, in render
    return original_render(self, *args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 1008, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 780, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.7/site-packages/jinja2/_compat.py", line 37, in reraise
    raise value.with_traceback(tb)
  File "/usr/local/opnsense/service/modules/../templates/OPNsense/Bind/named.conf", line 115, in top-level template code
    zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
  File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 430, in getattr
    return getattr(obj, attribute)
jinja2.exceptions.UndefinedError: 'collections.OrderedDict object' has no attribute 'allownotifyslave'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lo
This is the plugin version:
root@opnsense:/usr/local/etc/namedb # pkg info os-bind
os-bind-1.13
Name : os-bind
Version : 1.13
Installed on : Thu Sep 17 09:34:19 2020 CEST
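The template quoted earlier and the configd traceback point at the same line, and the traceback shows that zone line actually being executed, so the outer helpers.exists() test is passing; what fails is the bare `!= ''` comparison on an attribute the saved slave zone does not carry. The following is an added example, not OPNsense's or the os-bind plugin's code: it reproduces that behaviour with a reduced copy of the zone line and shows the fix the same template already applies to allowtransfer and allowquery, an `is defined` guard. It assumes the plugin renders with jinja2.StrictUndefined (a bare comparison on a missing attribute only raises UndefinedError under a strict environment); the domain entries and the 192.0.2.x addresses are constructed, and `render_or_keep` and `missing_optional_attributes` are this example's own helpers.

```python
"""Reproduce the named.conf rendering failure from the configd log and show a
template fix. Added example, not OPNsense's own code: the template fragment is
modelled on the plugin's zone line, the config data is constructed, and the
environment is assumed to use jinja2.StrictUndefined."""
from collections import OrderedDict

import jinja2

# Zone line modelled on the plugin template, reduced to the attributes that
# matter for the failure (allow-transfer / allow-query left out).
ZONE_TEMPLATE_ORIGINAL = (
    "{% for domain in domains %}\n"
    "{% if domain.enabled == '1' %}\n"
    'zone "{{ domain.domainname }}" { type {{ domain.type }}; '
    "{% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; "
    "{% if domain.allownotifyslave != '' %}"
    "allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; }; "
    "{% endif %}"
    'file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; '
    "{% else %}"
    'file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; '
    "{% endif %}};\n"
    "{% endif %}\n"
    "{% endfor %}\n"
)

# Fixed variant: guard the optional attribute the way the plugin template
# already guards allowtransfer and allowquery ("is defined").
ZONE_TEMPLATE_FIXED = ZONE_TEMPLATE_ORIGINAL.replace(
    "{% if domain.allownotifyslave != '' %}",
    "{% if domain.allownotifyslave is defined and domain.allownotifyslave != '' %}",
)

# Constructed config data. configd hands the template OrderedDicts (see the
# traceback); a slave zone saved without an allownotifyslave field is the case
# from the log. Addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_DOMAINS = [
    OrderedDict(enabled="1", domainname="fritz.box", type="master"),
    OrderedDict(enabled="1", domainname="intern.punkt.de", type="slave",
                masterip="192.0.2.10"),
    OrderedDict(enabled="1", domainname="notify.example", type="slave",
                masterip="192.0.2.10", allownotifyslave="192.0.2.10,192.0.2.11"),
    OrderedDict(enabled="0", domainname="disabled.example", type="master"),
]


def render_zones(template_source, domains):
    """Render the zone stanzas with the strict environment assumed above."""
    env = jinja2.Environment(undefined=jinja2.StrictUndefined,
                             trim_blocks=True, lstrip_blocks=True)
    return env.from_string(template_source).render(domains=domains)


def render_or_keep(template_source, domains, current_config):
    """Render, but never replace a working config with nothing.

    Returns (config, error). On a template error the previous config is
    returned unchanged, which matches what the log shows (file not updated),
    and the error text is returned so it can be reported to the operator
    instead of only landing in configd.log.
    """
    try:
        return render_zones(template_source, domains), None
    except jinja2.UndefinedError as exc:
        return current_config, str(exc)


def missing_optional_attributes(domains, optional=("allownotifyslave",)):
    """Pre-render check: (domainname, attribute) pairs that a strict template
    would trip over on a slave zone, so the problem can be reported before
    named.conf is touched at all."""
    return [(d["domainname"], attr) for d in domains
            for attr in optional if d.get("type") == "slave" and attr not in d]


if __name__ == "__main__":
    _, error = render_or_keep(ZONE_TEMPLATE_ORIGINAL, SAMPLE_DOMAINS, "")
    print("original template failed with:", error)
    print("zones needing attention:", missing_optional_attributes(SAMPLE_DOMAINS))
    print(render_zones(ZONE_TEMPLATE_FIXED, SAMPLE_DOMAINS))
```

Running it shows the original fragment failing with exactly the message from the log while the guarded fragment renders all three enabled zones; the disabled one is skipped. The two helpers are the defensive side of the same story: a rendering failure should leave the last known-good named.conf in place so named keeps serving, and checking the saved zone entries before rendering turns a traceback buried in configd.log into a message that names the zone and the missing field.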
I noticed that when you add a slave zone and then disable and reenable bind, an empty /usr/local/etc/named/named.conf file gets created and named does not start anymore.
When I remove the slave zone again and disable / enable bind again, then a working named.conf file gets created.
So this could be an issue in the part of the plugin that creates the config file. Being new to OPNsense, I don't yet know where to look for log files etc. so can only report for now...
Quote from: mbalmer on December 02, 2020, 09:01:18 AM
I noticed that when you add a slave zone and then disable and reenable bind, an empty /usr/local/etc/named/named.conf file gets created and named does not start anymore.
When I remove the slave zone again and disable / enable bind again, then a working named.conf file gets created.
So this could be an issue in the part of the plugin that creates the config file. Being new to OPNsense, I don't yet know where to look for log files etc. so can only report for now...
Well, at least it states clearly that zone management is still in an experimental state.