bind plugin: 'update-policy' is not allowed in 'secondary' zone

[brendanbank]

I've updated to OPNsense 24.1.4-amd64 yesterday.

My firewalls run a secondary zone to ensure that when they lose connectivity, names are still resolving.

When I update the zone file through the GUI named stops working with the following error:

[root@casa /var/log/system]# service named start
/usr/local/etc/namedb/named.conf:61: option 'update-policy' is not allowed in 'secondary' zone 'xxxxxx.xxx'

Any solution for this?

Thanks,

 - Brendan

[Patrick M. Hausen]

What do you mean by update the zone file? You cannot locally update a secondary zone.

[brendanbank]

Sorry I then I did not explain myself properly.

I have a bunch of secondary configured in the BIND Plugin. If I make a change through the web interface, the named.conf file at /usr/local/etc/namedb/named.conf will be regenerated from the /usr/local/opnsense/service/templates/OPNsense/Bind/named.conf template.

/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone. Hence named throws an error:

/usr/local/etc/namedb/named.conf:93: option 'update-policy' is not allowed in 'secondary' zone 'xx.xx.xx.in-addr.arpa'

In the secondary zone configuration block, 'update-policy' seems not to be allowed - this is a snippet from the generated name.conf file:

zone "xx.xx.xx.in-addr.arpa" {
        type secondary;
        primaries { yy.yy.yy.yy key "key.dyn.zz.zz.zz"; };
        file "/usr/local/etc/namedb/secondary/xx.xx.xx.in-addr.arpa.db";
        allow-transfer {
                ns_notify;
        };
        allow-query {
                ns_query;
        };
        update-policy {
                grant rndc-key zonesub ANY;
        };
};

Here is the patch that fixes it:

Y@Z:/usr/local/opnsense/service/templates/OPNsense/Bind % diff named.conf.org named.conf
183c183
< {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
---
> {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}

I'll create an issue for this bug.

https://github.com/opnsense/plugins/issues/3874

Thanks,

 - Brendan

[netnut]

/usr/local/bin/named does not allow updates on the secondary zone as they should be done to the primary zone.

So what are you trying to do, how are updates in a secondary flowing back to primary ? As Patrick M. Hausen already mentioned, you don't update secondaries, you update primaries, notify the secondary and do an AXFR/IXFR.

Code: [Select]

Dynamic update is a method for adding, replacing, or deleting records in a primary server by sending it a special form of DNS messages. The format and meaning of these messages is specified in RFC 2136.
https://bind9.readthedocs.io/en/stable/chapter6.html#dynamic-update

[franco]

It simply appears to be a bug in the template generation for the latest feature addition and it's already been fixed by brendanbank.