Messages

[update-policy { grant rndc-key zonesub ANY; };]

Sorry I then I did not explain myself properly.

I have a bunch of secondary configured in the BIND Plugin. If I make a change through the web interface, the named.conf file at /usr/local/etc/namedb/named.conf will be regenerated from the /usr/local/opnsense/service/templates/OPNsense/Bind/named.conf template.

/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone. Hence named throws an error:

/usr/local/etc/namedb/named.conf:93: option 'update-policy' is not allowed in 'secondary' zone 'xx.xx.xx.in-addr.arpa'

In the secondary zone configuration block, 'update-policy' seems not to be allowed - this is a snippet from the generated name.conf file:

zone "xx.xx.xx.in-addr.arpa" {
        type secondary;
        primaries { yy.yy.yy.yy key "key.dyn.zz.zz.zz"; };
        file "/usr/local/etc/namedb/secondary/xx.xx.xx.in-addr.arpa.db";
        allow-transfer {
                ns_notify;
        };
        allow-query {
                ns_query;
        };
        update-policy {
                grant rndc-key zonesub ANY;
        };
};

Here is the patch that fixes it:

Y@Z:/usr/local/opnsense/service/templates/OPNsense/Bind % diff named.conf.org named.conf
183c183
< {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
---
> {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}

I'll create an issue for this bug.

https://github.com/opnsense/plugins/issues/3874

Thanks,

- Brendan

I've updated to OPNsense 24.1.4-amd64 yesterday.

My firewalls run a secondary zone to ensure that when they lose connectivity, names are still resolving.

When I update the zone file through the GUI named stops working with the following error:

[root@casa /var/log/system]# service named start
/usr/local/etc/namedb/named.conf:61: option 'update-policy' is not allowed in 'secondary' zone 'xxxxxx.xxx'

Any solution for this?

Thanks,

- Brendan

I just had another crash. I'm considering downgrading at the end of our workday. As a workaround, I've disabled unbound and enabled Dnsmasq to do the DNS resolving.

Interfaces setting was set to 'All' but that setting does not seem to be available anymore and I've enabled all interfaces manually. 

Same here, I've upgraded to 20.7.7 to get IPv6 prefix delegation working again, however, unbound crashed twice since I've upgraded:

Code Select Expand

root@fw:~ # dmesg | grep unbound
pid 85049 (unbound), jid 0, uid 59: exited on signal 11


Here is my unbound config:

Code Select Expand

  <unbound>
    <enable>1</enable>
    <custom_options/>
    <regdhcp>1</regdhcp>
    <cache_max_ttl/>
    <cache_min_ttl/>
    <incoming_num_tcp>10</incoming_num_tcp>
    <infra_cache_numhosts>10000</infra_cache_numhosts>
    <infra_host_ttl>900</infra_host_ttl>
    <jostle_timeout>200</jostle_timeout>
    <log_verbosity>1</log_verbosity>
    <msgcachesize>4</msgcachesize>
    <num_queries_per_thread>4096</num_queries_per_thread>
    <outgoing_num_tcp>10</outgoing_num_tcp>
    <unwanted_reply_threshold/>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>***********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>**********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <regdhcpstatic>1</regdhcpstatic>
  </unbound>