os-bind plugin - zones not added to named.conf

Started by Patrick M. Hausen, September 16, 2020, 10:30:43 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 16, 2020, 10:30:43 PM Last Edit: September 17, 2020, 04:49:45 PM by pmhausen
Hi all,

does anyone know if secondary zones are supposed to work? In my installation they seem to be a no-op.
Just asking if I should file a bug report or if this is simply open for improvement.

Looking for tasks for Hacktoberfest, anyway  ;)

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 17, 2020, 05:56:57 AM #1
I think fraenki is using Slave zones in production. Whats not working?
September 17, 2020, 09:46:03 AM #2
Configured slave zone - please see attachment.

Zone is not in named.conf:
Code Select

root@opnsense:/usr/local/etc/namedb # fgrep intern.punkt.de named.conf
root@opnsense:/usr/local/etc/namedb #


The Jinja template responsible for getting the zones into the config is:
Code Select

{% if helpers.exists('OPNsense.bind.domain.domains.domain') %}
{%   for domain in helpers.toList('OPNsense.bind.domain.domains.domain') %}
{%     if domain.enabled == '1' %}
{%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
{%     set allow_query = helpers.getUUID(domain.allowquery) %}
zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
{%     endif %}
{%   endfor %}
{% endif %}


Looks like `{% if helpers.exists('OPNsense.bind.domain.domains.domain') %}` does not evaluate to true.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 17, 2020, 10:44:02 AM #3
Master zones don't make it into named.conf, either ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 17, 2020, 10:58:47 AM #4
You need an NS record ..
September 17, 2020, 01:52:06 PM #5
Added and gets written to the zone file:
Code Select

root@opnsense:/usr/local/etc/namedb # cat master/fritz.box.db
$TTL 86400
@       IN      SOA    opnsense.ettlingen.hausen.com. root.opnsense.ettlingen.hausen.com. ( 2009171350 21600 3600 3542400 3600 )
@                A 192.168.93.1
@                NS fritz.box.


But the zone does not get added to named.conf ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 17, 2020, 01:58:57 PM #6
named.conf please ...
September 17, 2020, 04:50:28 PM #7
Code Select

options {

        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

         listen-on port 53530 { 127.0.0.1; };
         listen-on-v6 port 53530 { ::1; };




        max-cache-size    80%;
        dnssec-validation    no;
};

key "rndc-key" {
        algorithm hmac-sha256;
        secret "*************************";
};
controls {
        inet 127.0.0.1 port 9530
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

zone "localhost"        { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };




logging {
        channel default_log {
                file "/var/log/named/named.log" versions 3 size 5m;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        channel query_log {
                file "/var/log/named/query.log" versions 3 size 5m;
                print-time yes;
        };

        channel rpz_log {
                file "/var/log/named/rpz.log" versions 3 size 5m;
                print-time yes;
        };

        category default { default_log; };
        category general { default_log; };
        category queries { query_log; };
        category rpz { rpz_log; };
        category lame-servers { null; };
};
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 17, 2020, 04:54:18 PM #8
Did you really hit save at the bottom and you are really on the latest version?

On my side it works with a fake domain:
zone "localhost"        { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };


zone "fink.de" { type master; file "/usr/local/etc/namedb/master/fink.de.db";  };


logging {
        channel default_log {
                file "/var/log/named/named.log" versions 3 size 7m;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
September 17, 2020, 05:03:41 PM #9
I did hit save - tried a dozen times including reinstalling the plugin, even cleaning the bind config from the saved XML and reimporting, all that.

As for the version - I am running 2.7.2. How would I check and update plugins?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 17, 2020, 05:06:03 PM #10
When you are on CLI, can you check the timestamp of the file after hitting save, and also check configd.log.
September 17, 2020, 05:56:08 PM #11
File is not updated at all (no timestamp change) and this is logged:
Code Select

Sep 17 17:22:11 opnsense configd.py[71064]: generate template container OPNsense/Bind
Sep 17 17:22:13 opnsense configd.py[71064]: [5622535e-1a63-4749-a349-3d1a66664ba4] Inline action failed with OPNsense/Bind OPNsense/Bind/named.conf 'collections.OrderedDict object' has no attribute 'allownotifyslave' at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/template.py", line 264, in _generate     content = j2_page.render(cnf_data)   File "/usr/local/lib/python3.7/site-packages/jinja2/asyncsupport.py", line 76, in render     return original_render(self, *args, **kwargs)   File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 1008, in render     return self.environment.handle_exception(exc_info, True)   File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 780, in handle_exception     reraise(exc_type, exc_value, tb)   File "/usr/local/lib/python3.7/site-packages/jinja2/_compat.py", line 37, in reraise     raise value.with_traceback(tb)   File "/usr/local/opnsense/service/modules/../templates/OPNsense/Bind/named.conf", line 115, in top-level template code     zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };   File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 430, in getattr     return getattr(obj, attribute) jinja2.exceptions.UndefinedError: 'collections.OrderedDict object' has no attribute 'allownotifyslave'  During handling of the above exception, another exception occurred:  Traceback (most recent call last):   File "/usr/lo


This is the plugin version:
Code Select

root@opnsense:/usr/local/etc/namedb # pkg info os-bind
os-bind-1.13
Name           : os-bind
Version        : 1.13
Installed on   : Thu Sep 17 09:34:19 2020 CEST
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 02, 2020, 09:01:18 AM #12
I noticed that when you add a slave zone and then disable and reenable bind, an empty /usr/local/etc/named/named.conf file gets created and named does not start anymore.

When I remove the slave zone again and disable / enable bind again, then a working named.conf file gets created.

So this could be an issue in the part of the plugin that creates the config file.  Beind new to opnSense, I don't yet know where to look for log files etc. so can only report for now...
December 02, 2020, 09:03:42 AM #13
Quote from: mbalmer on December 02, 2020, 09:01:18 AM
I noticed that when you add a slave zone and then disable and reenable bind, an empty /usr/local/etc/named/named.conf file gets created and named does not start anymore.

When I remove the slave zone again and disable / enable bind again, then a working named.conf file gets created.

So this could be an issue in the part of the plugin that creates the config file.  Beind new to opnSense, I don't yet know where to look for log files etc. so can only report for now...

Well, at least it states clearly that zone management is still in an experimental state.
Print
Go Up Pages1
User actions