I updated to OPNsense 24.1.4-amd64 yesterday.
My firewalls run a secondary zone to ensure that when they lose connectivity, names are still resolving.
When I update the zone file through the GUI, named stops working with the following error:
[root@casa /var/log/system]# service named start
/usr/local/etc/namedb/named.conf:61: option 'update-policy' is not allowed in 'secondary' zone 'xxxxxx.xxx'
Any solution for this?
Thanks,
- Brendan
What do you mean by update the zone file? You cannot locally update a secondary zone.
Sorry, then I did not explain myself properly.
I have a bunch of secondaries configured in the BIND plugin. If I make a change through the web interface, the named.conf file at /usr/local/etc/namedb/named.conf is regenerated from the /usr/local/opnsense/service/templates/OPNsense/Bind/named.conf template.
/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone. Hence named throws an error:
/usr/local/etc/namedb/named.conf:93: option 'update-policy' is not allowed in 'secondary' zone 'xx.xx.xx.in-addr.arpa'
In the secondary zone configuration block, 'update-policy' seems not to be allowed. This is a snippet from the generated named.conf file:
zone "xx.xx.xx.in-addr.arpa" {
    type secondary;
    primaries { yy.yy.yy.yy key "key.dyn.zz.zz.zz"; };
    file "/usr/local/etc/namedb/secondary/xx.xx.xx.in-addr.arpa.db";
    allow-transfer {
        ns_notify;
    };
    allow-query {
        ns_query;
    };
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
Here is the patch that fixes it:
Y@Z:/usr/local/opnsense/service/templates/OPNsense/Bind % diff named.conf.org named.conf
183c183
< {% if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
---
> {% if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}
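Review bot: the added `domain.type != 'secondary'` guard only stops the template from emitting the update-policy block; the allowrndcupdate flag itself can still be set on a secondary zone in the model and the GUI and is then silently ignored, so a model-side validation that rejects (or hides) "allow rndc update" for secondary zones would make the stored configuration match what is actually written. A positive check for the zone type that accepts update-policy would also be clearer than excluding one type by name, and would hold for any other non-primary type the plugin supports, for example `{% if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type == 'primary' %}` if 'primary' is the value the model uses.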
I'll create an issue for this bug.
https://github.com/opnsense/plugins/issues/3874
Thanks,
- Brendan
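The error above only shows up when named is restarted and refuses the regenerated file. As an added example (my own code, not from this thread or from the OPNsense BIND plugin), here is a small pre-flight lint that scans a generated named.conf for update-policy inside a secondary (or slave) zone and reports it in the same form as named's own load-time message, so the check can be run before `service named restart` rather than after. The embedded named.conf is a constructed sample, and the helper names (split_zones, zone_type, lint) are mine. When BIND is installed, `named-checkconf /usr/local/etc/namedb/named.conf` is the authoritative check; this script reproduces just this one rule and runs without it.

```python
"""Pre-flight lint for a generated named.conf.

Flags 'update-policy' inside secondary zones, the condition that made
named refuse to start in the thread above, so the check can run before
`service named restart` instead of after.  named-checkconf performs the
authoritative check when BIND is installed; this script only reproduces
this one rule and runs without it.
"""
import re
import sys

# Constructed sample, not a real generated file: a primary zone that
# legitimately carries update-policy, and a secondary zone into which the
# same block was copied by the template bug.
SAMPLE_NAMED_CONF = """\
zone "example.test" {
    type primary;
    file "/usr/local/etc/namedb/primary/example.test.db";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
zone "xx.xx.xx.in-addr.arpa" {
    type secondary;
    primaries { yy.yy.yy.yy key "key.dyn.zz.zz.zz"; };
    file "/usr/local/etc/namedb/secondary/xx.xx.xx.in-addr.arpa.db";
    allow-transfer {
        ns_notify;
    };
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
"""

ZONE_RE = re.compile(r'^zone\s+"([^"]+)"')
TYPE_RE = re.compile(r'^type\s+([a-z-]+)\s*;')

# Zone types that receive their data by transfer and therefore cannot
# accept dynamic updates; "slave" is the older spelling of "secondary".
TRANSFER_ZONE_TYPES = ("secondary", "slave")
# Options BIND only accepts in zones that own the data.  Extend this
# tuple if further primary-only options show up in the generated config.
PRIMARY_ONLY_OPTIONS = ("update-policy",)


def split_zones(conf):
    """Return the top-level zone blocks as dicts holding the zone name and
    the (line_no, stripped_line) pairs that belong to the block.
    A brace-depth scanner is enough for the generated, comment-free file;
    it does not attempt to parse comments or braces inside strings."""
    zones, depth, current = [], 0, None
    for line_no, raw in enumerate(conf.splitlines(), start=1):
        line = raw.strip()
        if depth == 0:
            m = ZONE_RE.match(line)
            if m:
                current = {"name": m.group(1), "lines": []}
        if current is not None:
            current["lines"].append((line_no, line))
        depth += line.count("{") - line.count("}")
        if current is not None and depth == 0:
            zones.append(current)
            current = None
    return zones


def zone_type(zone):
    """The value of the zone's 'type' statement, or None if it is absent."""
    for _, line in zone["lines"]:
        m = TYPE_RE.match(line)
        if m:
            return m.group(1)
    return None


def lint(conf):
    """Return (line_no, zone_name, zone_type, option) for every
    primary-only option found inside a transfer (secondary/slave) zone."""
    findings = []
    for zone in split_zones(conf):
        ztype = zone_type(zone)
        if ztype not in TRANSFER_ZONE_TYPES:
            continue
        for line_no, line in zone["lines"]:
            for option in PRIMARY_ONLY_OPTIONS:
                if line.startswith(option):
                    findings.append((line_no, zone["name"], ztype, option))
    return findings


def main(argv):
    """Lint the file named on the command line, or the embedded sample.
    Exit status 1 when named would reject the config, so a restart
    script can gate on it the same way it would gate on named-checkconf."""
    if len(argv) > 1:
        path = argv[1]
        with open(path) as fh:
            conf = fh.read()
    else:
        path, conf = "named.conf", SAMPLE_NAMED_CONF
    findings = lint(conf)
    for line_no, name, ztype, option in findings:
        # Same shape as the message named itself prints at load time.
        print(f"{path}:{line_no}: option '{option}' is not allowed "
              f"in '{ztype}' zone '{name}'")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 lint_named.py /usr/local/etc/namedb/named.conf` after the plugin regenerates the file; with no argument it lints the embedded sample and reports line 15 of the secondary zone. If the actual goal is for clients that point at the secondary to be able to send RFC 2136 updates, the BIND option for that on a secondary is allow-update-forwarding, which relays the update to the primary; the secondary itself never applies updates locally and picks the change up by NOTIFY and AXFR/IXFR as described in the replies below.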
Quote from: brendanbank on March 27, 2024, 07:51:05 AM
/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone.
So what are you trying to do? How are updates in a secondary flowing back to the primary? As Patrick M. Hausen already mentioned, you don't update secondaries; you update primaries, notify the secondary and do an AXFR/IXFR.
Dynamic update is a method for adding, replacing, or deleting records in a primary server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136.
https://bind9.readthedocs.io/en/stable/chapter6.html#dynamic-update
It simply appears to be a bug in the template generation for the latest feature addition and it's already been fixed by brendanbank.