23.7 upgrade from 23.1 results in DNS issues

Started by BasilBasil, September 03, 2023, 12:57:08 PM

Quote from: BasilBasil on September 07, 2023, 11:32:58 AM
Seems like a pretty significant bug if multiple users have seen it happen  ;D

Depends on the scale. Was it a handful of users in a group of 10 or a handful of users in a group of 100000?

Quote from: franco on September 13, 2023, 04:45:54 PM
With mic's help we now have a POC:

https://github.com/opnsense/core/pull/6844

I don't want to advertise it too much though. It needs to be discussed internally first and not everyone is at the office at the moment.

Just to clarify for my own edification, the issue is that there are interfaces that had been added to the access list but disabled and that's what causes the Unbound failures? I'm not familiar enough with the inner workings of OPNsense to tell what's going on from the discussion and commit.

The way this was designed was that interfaces were added to the list, but if you deleted them in the interfaces section they ended up as "garbage" entries in the unbound configuration. These are not problematic per se, but once moved to MVC the data models will realize that one interface is not a valid option and prevent setting it in the config. Unfortunately this also affects data migration from one configuration location to the next, which was carried out in 23.7, also moving the path of the "enable" flag of unbound, ending up with unbound not being enabled because data could not be migrated.

This was all done in the spirit of providing a full API for Unbound, which wasn't the case before.

I've spent more time on this for discarding invalid values on migration and 23.7.5 will have all the fixes. The main commit is https://github.com/opnsense/core/commit/6898bc883 but don't try to opnsense-patch this individually. The topic is a bit more complex than hoped for and other changes in the area were required as well.


Cheers,
Franco
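The failure mode described in the post above, sketched as an added example that is not OPNsense code and not part of the original thread: one stale interface name in a list makes a strict migration reject everything, so the "enable" flag never arrives, while a migration that discards invalid values keeps the service on. The element names and the sample config are constructed assumptions, not the real config.xml schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are assumptions for illustration only.
SAMPLE = """<config>
  <interfaces><lan/><wan/></interfaces>
  <unbound>
    <enable>1</enable>
    <regdhcpstatic>1</regdhcpstatic>
    <active_interface>lan,opt3</active_interface>
  </unbound>
</config>"""


def load(text=SAMPLE):
    """Parse a config document and return its root element."""
    return ET.fromstring(text)


def listed_interfaces(root):
    """Interface names the resolver settings refer to."""
    raw = root.findtext("unbound/active_interface") or ""
    return [name for name in raw.split(",") if name]


def stale_interfaces(root):
    """Names still listed for the resolver but no longer defined."""
    defined = {el.tag for el in root.find("interfaces")}
    return [n for n in listed_interfaces(root) if n not in defined]


def migrate(root, discard_invalid):
    """Copy legacy settings into a validated model (hypothetical helper).

    Strict mode mimics the reported behaviour: a single invalid list entry
    rejects the whole migration, so nothing, including 'enabled', is set.
    """
    stale = set(stale_interfaces(root))
    if stale and not discard_invalid:
        return {}  # validation failed: no values migrated
    return {
        "enabled": root.findtext("unbound/enable") == "1",
        "regdhcpstatic": root.findtext("unbound/regdhcpstatic") == "1",
        "active_interface": [n for n in listed_interfaces(root)
                             if n not in stale],
    }


if __name__ == "__main__":
    root = load()
    print("stale entries:", stale_interfaces(root))
    print("strict migration:", migrate(root, discard_invalid=False))
    print("discarding invalid:", migrate(root, discard_invalid=True))
```

Running the stale-entry check against a backup of the configuration before an upgrade shows whether a box carries leftover interface references of this kind.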

Quote from: franco on September 20, 2023, 02:22:39 PM
The way this was designed was that interfaces were added to the list, but if you deleted them in the interfaces section they ended up as "garbage" entries in the unbound configuration. These are not problematic per se, but once moved to MVC the data models will realize that one interface is not a valid option and prevent setting it in the config. Unfortunately this also affects data migration from one configuration location to the next, which was carried out in 23.7, also moving the path of the "enable" flag of unbound, ending up with unbound not being enabled because data could not be migrated.

This was all done in the spirit of providing a full API for Unbound, which wasn't the case before.

I've spent more time on this for discarding invalid values on migration and 23.7.5 will have all the fixes. The main commit is https://github.com/opnsense/core/commit/6898bc883 but don't try to opnsense-patch this individually. The topic is a bit more complex than hoped for and other changes in the area were required as well.


Cheers,
Franco

Thanks for the clarification. This isn't something I ran into but just wanted to understand.

September 21, 2023, 01:19:49 PM #18 Last Edit: September 21, 2023, 01:27:26 PM by BasilBasil
Finally managed to look into this today.

Upgrading to: OPNsense 23.7.1_3-amd64 from 23.1.11_2 via the GUI.

In SERVICES: UNBOUND DNS: GENERAL

--> Enable Unbound - Gets unchecked during the upgrade

Checking this allows for DNS resolution to work again but not device.customdomain.

--> Register DHCP Static Mappings however also gets unchecked during the upgrade.

Checking that gets me back to how it was in 23.1 in that device.customdomain works.

Edit: It sounds like the above from Franco will resolve this issue. I've still got my 23.1 VM so I'll try the fix when 23.7.5 comes out by doing a full upgrade again.