bind plugin: 'update-policy' is not allowed in 'secondary' zone

Started by brendanbank, March 26, 2024, 09:55:27 PM

I've updated to OPNsense 24.1.4-amd64 yesterday.

My firewalls run a secondary zone to ensure that when they lose connectivity, names are still resolving.

When I update the zone file through the GUI named stops working with the following error:
[root@casa /var/log/system]# service named start
/usr/local/etc/namedb/named.conf:61: option 'update-policy' is not allowed in 'secondary' zone 'xxxxxx.xxx'


Any solution for this?

Thanks,

- Brendan

What do you mean by update the zone file? You cannot locally update a secondary zone.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sorry, I did not explain myself properly.

I have a bunch of secondaries configured in the BIND Plugin. If I make a change through the web interface, the named.conf file at /usr/local/etc/namedb/named.conf will be regenerated from the /usr/local/opnsense/service/templates/OPNsense/Bind/named.conf template.

/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone. Hence named throws an error:
/usr/local/etc/namedb/named.conf:93: option 'update-policy' is not allowed in 'secondary' zone 'xx.xx.xx.in-addr.arpa'

In the secondary zone configuration block, 'update-policy' seems not to be allowed - this is a snippet from the generated named.conf file:

zone "xx.xx.xx.in-addr.arpa" {
        type secondary;
        primaries { yy.yy.yy.yy key "key.dyn.zz.zz.zz"; };
        file "/usr/local/etc/namedb/secondary/xx.xx.xx.in-addr.arpa.db";
        allow-transfer {
                ns_notify;
        };
        allow-query {
                ns_query;
        };
        update-policy {
                grant rndc-key zonesub ANY;
        };
};


Here is the patch that fixes it:

Y@Z:/usr/local/opnsense/service/templates/OPNsense/Bind % diff named.conf.org named.conf
183c183
< {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
---
> {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}
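Review bot: the new condition on line 183 only excludes 'secondary', but the option it guards, update-policy, is a primary-zone option (the error message and the BIND documentation quoted later in the thread both say updates go to the primary), so if domain.type can hold any value other than the two seen here, the clause would still be emitted for those zones; gating on the primary type instead (`and domain.type == 'primary'`, or whatever value the plugin uses for primary zones) is the tighter fix. Also, suppressing the clause in the template silently discards a setting the user enabled in the GUI; the model or form should reject or hide "allow rndc update" for secondary zones so the saved configuration and the generated named.conf agree.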


I'll create an issue for this bug.

https://github.com/opnsense/plugins/issues/3874

Thanks,

- Brendan
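The failure mode in this thread is an availability one: the GUI regenerates named.conf, named refuses to start, and the very secondaries that were supposed to keep names resolving during an outage are down until someone edits the template by hand. The following is an added example, not code from the thread, from the OPNsense plugin or from BIND. It reproduces the template logic in plain Python (before and after the patch's `domain.type != 'secondary'` guard, using the same field names the Jinja condition references, `type` and `allowrndcupdate`, which are assumed here), and adds the pre-flight check a practitioner would want: a small linter over the generated named.conf that flags update-policy in any non-primary zone, so the problem is caught before `service named start` is. The zone records and addresses are constructed for the example.

```python
import re

# Constructed zone records shaped like the fields the thread's Jinja
# condition uses (domain.type, domain.allowrndcupdate). Both have rndc
# updates enabled, which is exactly the combination that broke the config.
ZONES = [
    {"name": "example.test", "type": "primary", "allowrndcupdate": "1"},
    {"name": "10.0.10.in-addr.arpa", "type": "secondary",
     "primaries": "192.0.2.10", "allowrndcupdate": "1"},
]


def render_zone(domain, fixed=True):
    """Emit one zone block the way a template would.

    With fixed=False the update-policy clause is gated only on
    allowrndcupdate (the bug from the thread); with fixed=True it is also
    gated on the zone not being a secondary (the patch). This is a stand-in
    for the plugin template, not the template itself.
    """
    lines = ['zone "%s" {' % domain["name"],
             "        type %s;" % domain["type"]]
    if domain["type"] == "secondary":
        lines.append("        primaries { %s; };" % domain["primaries"])
    lines.append('        file "/usr/local/etc/namedb/%s/%s.db";'
                 % (domain["type"], domain["name"]))
    wants_update = domain.get("allowrndcupdate") == "1"
    if wants_update and (not fixed or domain["type"] != "secondary"):
        lines.append("        update-policy {")
        lines.append("                grant rndc-key zonesub ANY;")
        lines.append("        };")
    lines.append("};")
    return "\n".join(lines)


def render_conf(domains, fixed=True):
    """Concatenate zone blocks into a named.conf-style fragment."""
    return "\n\n".join(render_zone(d, fixed) for d in domains) + "\n"


# Outer zone block: the closing "};" of a zone sits at column 0, while the
# closes of nested blocks (allow-query, update-policy, ...) are indented,
# so "\n};" only terminates the zone itself.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')
UPDATE_RE = re.compile(r'\bupdate-policy\s*\{')


def lint_named_conf(text):
    """Return (zone_name, zone_type) for every zone that carries an
    update-policy clause but is not a primary zone.

    named rejects update-policy in a secondary zone outright (the error in
    the thread); dynamic update is defined for the primary only, so any
    other zone type is flagged as well.
    """
    findings = []
    for m in ZONE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        t = TYPE_RE.search(body)
        ztype = t.group(1) if t else "unknown"
        if ztype != "primary" and UPDATE_RE.search(body):
            findings.append((name, ztype))
    return findings


if __name__ == "__main__":
    for label, conf in (("before patch", render_conf(ZONES, fixed=False)),
                        ("after patch", render_conf(ZONES, fixed=True))):
        bad = lint_named_conf(conf)
        print("%s: %s" % (label, bad or "no update-policy on non-primary zones"))
```

Run against the real file with `lint_named_conf(open("/usr/local/etc/namedb/named.conf").read())` from a hook before restarting named; an empty list means the generated config at least does not trip this particular check. The linter is deliberately narrow (it does not parse the full named.conf grammar), so `named-checkconf` remains the authoritative test.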

Quote from: brendanbank on March 27, 2024, 07:51:05 AM
/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone.

So what are you trying to do, how are updates in a secondary flowing back to the primary? As Patrick M. Hausen already mentioned, you don't update secondaries, you update primaries, notify the secondary and do an AXFR/IXFR.

Dynamic update is a method for adding, replacing, or deleting records in a primary server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136.

https://bind9.readthedocs.io/en/stable/chapter6.html#dynamic-update

It simply appears to be a bug in the template generation for the latest feature addition and it's already been fixed by brendanbank.