os-bind plugin - zones not added to named.conf

[Patrick M. Hausen]

Hi all,

does anyone know if secondary zones are supposed to work? In my installation they seem to be a no-op.
Just asking if I should file a bug report or if this is simply open for improvement.

Looking for tasks for Hacktoberfest, anyway 

Kind regards,
Patrick

[mimugmail]

I think fraenki is using Slave zones in production. Whats not working?

[Patrick M. Hausen]

Configured slave zone - please see attachment.

Zone is not in named.conf:

Code: [Select]

root@opnsense:/usr/local/etc/namedb # fgrep intern.punkt.de named.conf
root@opnsense:/usr/local/etc/namedb #

The Jinja template responsible for getting the zones into the config is:

Code: [Select]

{% if helpers.exists('OPNsense.bind.domain.domains.domain') %}
{%   for domain in helpers.toList('OPNsense.bind.domain.domains.domain') %}
{%     if domain.enabled == '1' %}
{%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
{%     set allow_query = helpers.getUUID(domain.allowquery) %}
zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
{%     endif %}
{%   endfor %}
{% endif %}

Looks like `{% if helpers.exists('OPNsense.bind.domain.domains.domain') %}` does not evaluate to true.

Kind regards,
Patrick

[Patrick M. Hausen]

Master zones don't make it into named.conf, either ...

[mimugmail]

You need an NS record ..

[Patrick M. Hausen]

Added and gets written to the zone file:

Code: [Select]

root@opnsense:/usr/local/etc/namedb # cat master/fritz.box.db
$TTL 86400
@       IN      SOA    opnsense.ettlingen.hausen.com. root.opnsense.ettlingen.hausen.com. ( 2009171350 21600 3600 3542400 3600 )
@                A 192.168.93.1
@                NS fritz.box.

But the zone does not get added to named.conf ...

[mimugmail]

named.conf please ...

[Patrick M. Hausen]

Code: [Select]

options {

        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

         listen-on port 53530 { 127.0.0.1; };
         listen-on-v6 port 53530 { ::1; };




        max-cache-size    80%;
        dnssec-validation    no;
};

key "rndc-key" {
        algorithm hmac-sha256;
        secret "*************************";
};
controls {
        inet 127.0.0.1 port 9530
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

zone "localhost"        { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };




logging {
        channel default_log {
                file "/var/log/named/named.log" versions 3 size 5m;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        channel query_log {
                file "/var/log/named/query.log" versions 3 size 5m;
                print-time yes;
        };

        channel rpz_log {
                file "/var/log/named/rpz.log" versions 3 size 5m;
                print-time yes;
        };

        category default { default_log; };
        category general { default_log; };
        category queries { query_log; };
        category rpz { rpz_log; };
        category lame-servers { null; };
};


[mimugmail]

Did you really hit save at the bottom and you are really on the latest version?

On my side it works with a fake domain:
zone "localhost"        { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };


zone "fink.de" { type master; file "/usr/local/etc/namedb/master/fink.de.db";  };


logging {
        channel default_log {
                file "/var/log/named/named.log" versions 3 size 7m;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

[Patrick M. Hausen]

I did hit save - tried a dozen times including reinstalling the plugin, even cleaning the bind config from the saved XML and reimporting, all that.

As for the version - I am running 2.7.2. How would I check and update plugins?

[mimugmail]

When you are on CLI, can you check the timestamp of the file after hitting save, and also check configd.log.

[Patrick M. Hausen]

File is not updated at all (no timestamp change) and this is logged:

Code: [Select]

Sep 17 17:22:11 opnsense configd.py[71064]: generate template container OPNsense/Bind
Sep 17 17:22:13 opnsense configd.py[71064]: [5622535e-1a63-4749-a349-3d1a66664ba4] Inline action failed with OPNsense/Bind OPNsense/Bind/named.conf 'collections.OrderedDict object' has no attribute 'allownotifyslave' at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/template.py", line 264, in _generate     content = j2_page.render(cnf_data)   File "/usr/local/lib/python3.7/site-packages/jinja2/asyncsupport.py", line 76, in render     return original_render(self, *args, **kwargs)   File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 1008, in render     return self.environment.handle_exception(exc_info, True)   File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 780, in handle_exception     reraise(exc_type, exc_value, tb)   File "/usr/local/lib/python3.7/site-packages/jinja2/_compat.py", line 37, in reraise     raise value.with_traceback(tb)   File "/usr/local/opnsense/service/modules/../templates/OPNsense/Bind/named.conf", line 115, in top-level template code     zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };   File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 430, in getattr     return getattr(obj, attribute) jinja2.exceptions.UndefinedError: 'collections.OrderedDict object' has no attribute 'allownotifyslave'  During handling of the above exception, another exception occurred:  Traceback (most recent call last):   File "/usr/lo

This is the plugin version:

Code: [Select]

root@opnsense:/usr/local/etc/namedb # pkg info os-bind
os-bind-1.13
Name           : os-bind
Version        : 1.13
Installed on   : Thu Sep 17 09:34:19 2020 CEST


[mbalmer]

I noticed that when you add a slave zone and then disable and reenable bind, an empty /usr/local/etc/named/named.conf file gets created and named does not start anymore.

When I remove the slave zone again and disable / enable bind again, then a working named.conf file gets created.

So this could be an issue in the part of the plugin that creates the config file.  Beind new to opnSense, I don't yet know where to look for log files etc. so can only report for now...

[mbalmer]

I noticed that when you add a slave zone and then disable and reenable bind, an empty /usr/local/etc/named/named.conf file gets created and named does not start anymore.

When I remove the slave zone again and disable / enable bind again, then a working named.conf file gets created.

So this could be an issue in the part of the plugin that creates the config file.  Beind new to opnSense, I don't yet know where to look for log files etc. so can only report for now...

Well, at least it states clearly that zone management is still in an experimental state.