os-bind not starting, failing to configure acl properly in named.conf

Started by mikebutash, April 20, 2023, 11:29:09 PM

Hi, new user to opnsense, and everything has been great, but I found an odd bug today in the bind package that I have to work around for now.  I did just install after upgrading to 23.1.6 today, with os-bind package 1.26_3.

I set up bind with ACLs in use for query/recursion/transfer in my new setup, replicating what I have from my prior setup, and bind would not start.  I had to reverse engineer a bit how opnsense starts it to try it manually, and found it was missing a configuration bit, so the startup was failing.

# /usr/local/etc/rc.d/named start
/usr/local/etc/namedb/named.conf:26: expected IP match list element near ';'
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed


Sure enough, it was failing to fill in allow-query, or rather filling it in badly!

options {

        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        listen-on port 53530 { 127.0.0.1; };
        listen-on-v6 port 53530 { ::; };
        forwarders    { 127.0.0.1; };

        recursion          yes;
        allow-recursion {
                Trust_Local;
        };

        allow-transfer {
                HomeServices1;
        };

        allow-query {
                ;  # <<<<<<<<  wtf
        };

        max-cache-size    80%;
        dnssec-validation    no;
};


It leaves allow-query with just the semicolon there and no acl, which breaks it (it DOES have a value in the gui).  Manually adding the proper acl lets it start then from the gui or manually, but every change resets and breaks it again.  Good enough for now, but annoying when I'm still adding host entries and updating this right now, having to manually fix the config each time.

Please fix?  Otherwise this is working awesome, and I appreciate all this work! I was a bit annoyed I didn't have domain options directly in unbound under opnsense, but this works out well enough linking bind behind unbound too, assuming it starts correctly.

Bug in the part of the code responsible for `allow-query`. Already fixed in main, hotfix due tomorrow. In the meantime just leave `allow-query` empty. There's most probably no harm in that with proper firewall rules in place.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Just ran into this issue last night.  This thread just saved me steps of submitting a bug report.  Thank you all for addressing it in the forum so efficiently.

The patch is almost there.  I just tested out the new patch and it works but only if you select one ACL.  If you select multiple ACLs, it fails like before.
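An added example, not code from the os-bind plugin or from anyone in this thread: a small Python renderer for the `allow-query`/`allow-recursion`/`allow-transfer` blocks that handles zero, one and several selected ACLs (the three cases the first and last posts describe), plus a checker that flags exactly the bare `;` element named-checkconf rejected in the transcript above. The function names, the ACL-name pattern and the sample fragment are assumptions constructed for illustration; the generated file should still be run through `named-checkconf` before named is started.

```python
import re

# Added example (not the os-bind plugin's own template code): render the
# access-control options of named.conf from a GUI-style selection, and check
# the result for the defect reported in the thread. Names are hypothetical.

ACCESS_OPTIONS = ("allow-query", "allow-recursion", "allow-transfer")
ACL_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")   # assumed ACL name syntax
INDENT = " " * 8


def render_option(name, acls):
    """Render `name { acl1; acl2; };` from a list of ACL names.

    Returns None when nothing is selected so the caller omits the directive
    (leaving the option out is what the reply above recommends); never emits
    a bare `;` element, whether one or several ACLs are selected.
    """
    acls = [a.strip() for a in acls if a and a.strip()]
    if not acls:
        return None
    for acl in acls:
        if not ACL_NAME.match(acl):
            raise ValueError(f"invalid ACL name: {acl!r}")
    body = "\n".join(f"{INDENT}{acl};" for acl in acls)
    return f"{name} {{\n{body}\n}};"


def render_access_options(selection):
    """selection maps option name -> list of ACL names chosen in the GUI."""
    parts = []
    for name in ACCESS_OPTIONS:
        rendered = render_option(name, selection.get(name, []))
        if rendered is not None:
            parts.append(rendered)
    return "\n\n".join(parts)


def check_match_lists(conf_text):
    """Return [(line, message)] for every access-control match list that is
    malformed: an empty element is the "expected IP match list element near
    ';'" case from the transcript, a missing final ';' is the other common
    slip. Comments are stripped first, as named does, so the `# <<<<<<<<`
    annotation in the post does not hide the bare semicolon.
    """
    problems = []
    pattern = re.compile(r"(%s)\s*\{(.*?)\}\s*;" % "|".join(ACCESS_OPTIONS), re.S)
    for m in pattern.finditer(conf_text):
        line = conf_text.count("\n", 0, m.start()) + 1
        body = re.sub(r"(#|//).*", "", m.group(2))
        elements = [e.strip() for e in body.split(";")]
        if elements and elements[-1] == "":
            elements.pop()   # text after the final ';' is legitimately blank
        else:
            problems.append((line, f"{m.group(1)}: missing ';' before '}}'"))
        if any(e == "" for e in elements):
            problems.append((line, f"{m.group(1)}: expected IP match list element near ';'"))
    return problems


# Constructed sample reproducing the broken block from the first post.
BROKEN_FRAGMENT = """options {
        allow-recursion {
                Trust_Local;
        };

        allow-transfer {
                HomeServices1;
        };

        allow-query {
                ;  # <<<<<<<<  wtf
        };
};
"""

if __name__ == "__main__":
    for line, msg in check_match_lists(BROKEN_FRAGMENT):
        print(f"line {line}: {msg}")
    fixed = render_access_options({
        "allow-query": ["Trust_Local", "HomeServices1"],
        "allow-recursion": ["Trust_Local"],
        "allow-transfer": [],
    })
    print(fixed)
    print("problems in fixed output:", check_match_lists(fixed))
```

Run stand-alone it reports the bare `;` on the `allow-query` line of the sample, then prints a clean multi-ACL rendering that passes the same check. Omitting a directive when no ACL is selected leaves BIND's own default for that option in force, which is why the reply above pairs "leave allow-query empty" with having proper firewall rules in place.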