OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of brendanbank »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - brendanbank

Pages: [1]
1
24.1 Legacy Series / Re: bind plugin: 'update-policy' is not allowed in 'secondary' zone
« on: March 27, 2024, 07:51:05 am »
Sorry I then I did not explain myself properly.

I have a bunch of secondary configured in the BIND Plugin. If I make a change through the web interface, the named.conf file at /usr/local/etc/namedb/named.conf will be regenerated from the /usr/local/opnsense/service/templates/OPNsense/Bind/named.conf template.

/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone. Hence named throws an error:
/usr/local/etc/namedb/named.conf:93: option 'update-policy' is not allowed in 'secondary' zone 'xx.xx.xx.in-addr.arpa'

In the secondary zone configuration block, 'update-policy' seems not to be allowed - this is a snippet from the generated name.conf file:

zone "xx.xx.xx.in-addr.arpa" {
        type secondary;
        primaries { yy.yy.yy.yy key "key.dyn.zz.zz.zz"; };
        file "/usr/local/etc/namedb/secondary/xx.xx.xx.in-addr.arpa.db";
        allow-transfer {
                ns_notify;
        };
        allow-query {
                ns_query;
        };
        update-policy {
                grant rndc-key zonesub ANY;
        };
};


Here is the patch that fixes it:

Y@Z:/usr/local/opnsense/service/templates/OPNsense/Bind % diff named.conf.org named.conf
183c183
< {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
---
> {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}


I'll create an issue for this bug.

https://github.com/opnsense/plugins/issues/3874

Thanks,

 - Brendan

2
24.1 Legacy Series / bind plugin: 'update-policy' is not allowed in 'secondary' zone
« on: March 26, 2024, 09:55:27 pm »
I've updated to OPNsense 24.1.4-amd64 yesterday.

My firewalls run a secondary zone to ensure that when they lose connectivity, names are still resolving.

When I update the zone file through the GUI named stops working with the following error:
[root@casa /var/log/system]# service named start
/usr/local/etc/namedb/named.conf:61: option 'update-policy' is not allowed in 'secondary' zone 'xxxxxx.xxx'


Any solution for this?

Thanks,

 - Brendan

3
20.7 Legacy Series / Re: Unbound service routinely stopping/crashing following 20.7.7 update
« on: December 18, 2020, 03:04:28 pm »
I just had another crash. I'm considering downgrading at the end of our workday. As a workaround, I've disabled unbound and enabled Dnsmasq to do the DNS resolving.

4
20.7 Legacy Series / Re: Unbound service routinely stopping/crashing following 20.7.7 update
« on: December 18, 2020, 12:10:48 pm »
Interfaces setting was set to 'All' but that setting does not seem to be available anymore and I've enabled all interfaces manually. 

5
20.7 Legacy Series / Re: Unbound service routinely stopping/crashing following 20.7.7 update
« on: December 18, 2020, 12:07:53 pm »
Same here, I've upgraded to 20.7.7 to get IPv6 prefix delegation working again, however, unbound crashed twice since I've upgraded:

Code: [Select]
root@fw:~ # dmesg | grep unbound
pid 85049 (unbound), jid 0, uid 59: exited on signal 11

Here is my unbound config:

Code: [Select]
  <unbound>
    <enable>1</enable>
    <custom_options/>
    <regdhcp>1</regdhcp>
    <cache_max_ttl/>
    <cache_min_ttl/>
    <incoming_num_tcp>10</incoming_num_tcp>
    <infra_cache_numhosts>10000</infra_cache_numhosts>
    <infra_host_ttl>900</infra_host_ttl>
    <jostle_timeout>200</jostle_timeout>
    <log_verbosity>1</log_verbosity>
    <msgcachesize>4</msgcachesize>
    <num_queries_per_thread>4096</num_queries_per_thread>
    <outgoing_num_tcp>10</outgoing_num_tcp>
    <unwanted_reply_threshold/>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>***********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>**********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <regdhcpstatic>1</regdhcpstatic>
  </unbound>

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2