Re: Bind 9.16 port error still lingers

2020-05-04 Thread Christoph Moench-Tegeder
## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):

> Well I did find a dead zone and still no dice.

That's unfortunate. Completely nothing in config, zones, journals
(if any)? Then it's either something totally obvious (obvious like
an elephant in the room) which we're missing; or something is completely
borked on your system. (BTW, where are you getting your packages from?)

That would be a good point to rebuild bind with debug symbols, so we
can get a meaningful stack trace; and if that narrows things down
perhaps some tactical log statements. Or you could try cutting your
config down to the bare minimum and if bind starts, work backwards
from there. Whatever you're more comfortable with.

Regards,
Christoph

-- 
Spare Space
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


Re: Bind 9.16 port error still lingers

2020-05-03 Thread The Doctor via freebsd-ports
On Sun, May 03, 2020 at 03:32:39PM +0200, Christoph Moench-Tegeder wrote:
> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
> 
> > Then let's look at the file:
> 
> I'd think you better run named-checkconf yourself on your file - that
> way you get the full file (and all related config) checked as it
> exists on your system - not a partial file with "whatever the mail
> systems in between did".
> 
> Just a few remarks:
> - you included a control key - even if it's restricted to localhost,
>   it's good practice to generate a new one
> - when you're at that, you could also switch to a newer algorithm for
>   that control channel - hmac-sha256 or whatever
> - there's an unused acl
> - your indentation is all over the place, which makes for a more
>   difficult reading than necessary
> - network masks are used in a somewhat inconsistent manner, that may
>   result in funny debugging later on (that's me talking from
>   experience)
>

Well I did find a dead zone and still no dice.

> Regards,
> Christoph

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
One kind word can warm three winter months.  -Japanese proverb


Re: Bind 9.16 port error still lingers

2020-05-03 Thread Christoph Moench-Tegeder
## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):

> Then let's look at the file:

I'd think you better run named-checkconf yourself on your file - that
way you get the full file (and all related config) checked as it
exists on your system - not a partial file with "whatever the mail
systems in between did".

Just a few remarks:
- you included a control key - even if it's restricted to localhost,
  it's good practice to generate a new one
- when you're at that, you could also switch to a newer algorithm for
  that control channel - hmac-sha256 or whatever
- there's an unused acl
- your indentation is all over the place, which makes for a more
  difficult reading than necessary
- network masks are used in a somewhat inconsistent manner, that may
  result in funny debugging later on (that's me talking from
  experience)

Regards,
Christoph



Re: Bind 9.16 port error still lingers

2020-05-03 Thread Dewayne Geraghty
I think a few people have given the advice that you should look at the
placement of your pid file.  I don't know what the default is, but I have
    pid-file   "/var/run/named/pid";
in my named.conf file.  This ensures that I'm able to successfully run
named as the bind user and the pid file is going to be where I expected
it to be (it probably moved 20 years ago ;) ).

As I'm running named as user bind, then I need to write to /var/run as
bind.  I can't write to /var/run, because /var/run has root:wheel
ownership and 755 protection.  So you might need to:

1. mkdir /var/run/named
2. chown bind:bind /var/run/named
3. chmod 750 /var/run/named
4. stop named
5. rm /var/run/named.pid (if it's still there)
6. start named

I note that you received almost immediate suggestions from those
concerned about the security of your systems, which is very comforting.  :)

Regards, Dewayne.
PS I appreciate your frustration, I think that the removal of expired
ports is a little too enthusiastic.


On 3/05/2020 12:05 am, The Doctor via freebsd-ports wrote:
> ...



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Eugene Grosbein
03.05.2020 0:29, The Doctor via freebsd-ports wrote:

> Then let's look at the file:

[skip]

Quickest way to unbreak your server: take default named.conf from the
installation of version 9.16 and add your changes to it manually but keep
default paths within lines "pid-file" and alike. That is, keep changes to
default file as small as possible.



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Eugene Grosbein
03.05.2020 1:13, Per olof Ljungmark wrote:

> On 2020-05-02 19:29, The Doctor via freebsd-ports wrote:
>> On Sat, May 02, 2020 at 06:53:18PM +0200, Christoph Moench-Tegeder wrote:
>>> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
> [snip]
> 
>> //Use with the following in named.conf, adjusting the allow list as needed:
>> key "rndc-key" {
>>algorithm hmac-md5;
>> secret "7ZbGK94NdSa2WACxx72W1w==";
> 
> I suggest you change this ^ rather quickly, especially if it is a public 
> name server.

This is a key for local (over 127.0.0.1) connections for rndc,
it can be abused by local users only, or if there is remotely exploitable
vulnerability for running shell code. Still, should not be published so
easily but no direct harm when system has no untrusted local users.



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Per olof Ljungmark
On 2020-05-02 19:29, The Doctor via freebsd-ports wrote:
> On Sat, May 02, 2020 at 06:53:18PM +0200, Christoph Moench-Tegeder wrote:
>> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
[snip]
>
> //Use with the following in named.conf, adjusting the allow list as needed:
> key "rndc-key" {
>    algorithm hmac-md5;
> secret "7ZbGK94NdSa2WACxx72W1w==";

I suggest you change this ^ rather quickly, especially if it is a
public name server.



Re: Bind 9.16 port error still lingers

2020-05-02 Thread The Doctor via freebsd-ports
On Sat, May 02, 2020 at 06:53:18PM +0200, Christoph Moench-Tegeder wrote:
> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
> 
> > > > Subject: Bind 9.16 port error still lingers
> > > 
> > > "Still"?
> 
> You seemed to imply that there was a known problem in our bind port.
> While I doubt the existence of a problem with this severity (at least
> my and other people's bind instances are happily serving away), a pointer
> to that previous description could still be quite helpful.
> 
> > > > May  1 21:29:02 gallifrey named[90441]: parser.c:950: REQUIRE(obj != 
> > > > ((void *)0) && obj->type->rep == _rep_uint32) failed, back trace
> > > 
> > > Some (configuration) value should be an integer, but isn't.
> 
> Have you checked your configuration for that type of problem?
> Even a simple named-checkconf could go a long way here.
> 
> > and ls -Fail /var/run/named.pid
> > 
> > -rw-r--r-- 1 root wheel 6 May 1 21:38 /var/run/named.pid
> 

Even with the changes still the parser error exists.


> And that's still not the default location, and again the pid file was
> created via the workaround code - else that file would have been written
> as user "bind" - which only works at the default location, which is why
> we have that default location.
> 
> Your configuration differs from the default configuration in more than
> "local addresses and zones", but you have given neither details nor
> rationale on your changes - all we have is some deductions from error
> messages. That might make for a good detective story, but does not
> really expedite technical analysis.
>

Then let's look at the file:

//Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
  algorithm hmac-md5;
secret "7ZbGK94NdSa2WACxx72W1w==";
};

controls {
  inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl loclnetworks{
 127.0.0.1;
  ::1;
  10.8.0.0/24;
204.209.81.0/24;
};


// generated by named-bootconf.pl

options {
 directory "/usr/local/etc/namedb";
   pid-file "/var/run/named/pid";
dump-file "/usr/local/etc/namedb/named.core";
max-ncache-ttl 86400;
recursive-clients 100;
   //recursive no;
reserved-sockets 32;
tcp-clients 40;
tcp-listen-queue 14;
zone-statistics yes;
//forwarders { 208.67.222.222; 208.67.220.220; };
blackhole {
65.94.172.87;
67.68.204.41;
74.15.184.13;
65.94.173.208;
};
allow-transfer {
204.209.81.1;
204.209.81.14;
};
allow-notify {
204.209.81.1;
204.209.81.14;
};
also-notify {
204.209.81.1 port 53;
204.209.81.14 port 53;
};
 query-source address 204.209.81.3 port 53;
  version "no";
   listen-on {204.209.81.3; 127.0.0.1; };
disable-algorithms . {
DSA;
 };
};

// directory where cache files are stored
// type  domain   source (ip/file) backup file
// -   --
zone "." {
type hint;
file "root.cache";
};


And the rest zone files.

> Regards,
> Christoph



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Christoph Moench-Tegeder
## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):

> > > Subject: Bind 9.16 port error still lingers
> > 
> > "Still"?

You seemed to imply that there was a known problem in our bind port.
While I doubt the existence of a problem with this severity (at least
my and other people's bind instances are happily serving away), a pointer
to that previous description could still be quite helpful.

> > > May  1 21:29:02 gallifrey named[90441]: parser.c:950: REQUIRE(obj != 
> > > ((void *)0) && obj->type->rep == _rep_uint32) failed, back trace
> > 
> > Some (configuration) value should be an integer, but isn't.

Have you checked your configuration for that type of problem?
Even a simple named-checkconf could go a long way here.

> and ls -Fail /var/run/named.pid
> 
> -rw-r--r-- 1 root wheel 6 May 1 21:38 /var/run/named.pid

And that's still not the default location, and again the pid file was
created via the workaround code - else that file would have been written
as user "bind" - which only works at the default location, which is why
we have that default location.

Your configuration differs from the default configuration in more than
"local addresses and zones", but you have given neither details nor
rationale on your changes - all we have is some deductions from error
messages. That might make for a good detective story, but does not
really expedite technical analysis.

Regards,
Christoph



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Michael Butler via freebsd-ports
On 5/2/20 11:16 AM, The Doctor via freebsd-ports wrote:
> On Sat, May 02, 2020 at 04:32:10PM +0200, Christoph Moench-Tegeder wrote:
>> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
>>
>>> Subject: Bind 9.16 port error still lingers
>>
>> "Still"?
>>
>>> May  1 21:29:02 gallifrey named[90441]: Required root permissions to open 
>>> '/var/run/named.pid'.
>>> May  1 21:29:02 gallifrey named[90441]: Please check file and directory 
>>> permissions or reconfigure the filename.
>>
>> Did you?
>> BTW the default location for named's pidfile on FreeBSD is
>> /var/run/named/pid.
>>
>>> May  1 21:29:02 gallifrey named[90441]: parser.c:950: REQUIRE(obj != ((void 
>>> *)0) && obj->type->rep == _rep_uint32) failed, back trace
>>
>> Some (configuration) value should be an integer, but isn't.
>>
> 
> cat /var/run/named.pid
> 15640
> 
> running bind911
> 
> and ls -Fail /var/run/named.pid
> 
> -rw-r--r-- 1 root wheel 6 May 1 21:38 /var/run/named.pid

By default, you need 'root' permissions to write to the /var/run
directory. As the port is configured on FreeBSD, BIND drops privileges
as soon as practical to that of the 'bind' user and group. For example:

imb@sarah:/home/imb> ls -l /var/run/named/
total 8
-rw-r--r--  1 bind  bind     4 Apr 30 21:05 pid
-rw-------  1 bind  bind   102 Apr 30 21:05 session.key

It seems you have incorrectly changed the configuration by not taking
these permissions into account. Check your named.conf for the incorrect
definition of pid-file - it should be "/var/run/named/pid".


imb


Re: Bind 9.16 port error still lingers

2020-05-02 Thread David Wolfskill
On Sat, May 02, 2020 at 05:20:27PM +0200, Per olof Ljungmark wrote:
> On 2020-05-02 17:16, The Doctor via freebsd-ports wrote:
> > On Sat, May 02, 2020 at 04:32:10PM +0200, Christoph Moench-Tegeder wrote:
> >> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
> >>
> >>> Subject: Bind 9.16 port error still lingers
> >>
> >> "Still"?
> >>
> >>> May  1 21:29:02 gallifrey named[90441]: Required root permissions to open 
> >>> '/var/run/named.pid'.
> >>> May  1 21:29:02 gallifrey named[90441]: Please check file and directory 
> >>> permissions or reconfigure the filename.
> >>
> >> Did you?
> >> BTW the default location for named's pidfile on FreeBSD is
> >> /var/run/named/pid.

I'm running bind916-9.16.2:
albert(12.1-S)[3] pkg info -o dns/bind\*
bind-tools-9.16.2  dns/bind-tools
bind916-9.16.2 dns/bind916

Here's what I have in /etc/rc.conf about it:
albert(12.1-S)[5] egrep 'bind|named' /etc/rc.conf
rpcbind_enable="YES"
named_enable="YES"
named_program="/usr/local/sbin/named"

and the pidfile is in /var/run/named/:

albert(12.1-S)[4] ls -lT /var/run/named/
total 8
-rw-r--r--  1 bind  bind     6 May  1 05:03:40 2020 pid
-rw-------  1 bind  bind   102 May  1 05:03:40 2020 session.key

No issues.


Peace,
david
-- 
David H. Wolfskill  da...@catwhisker.org
"I believe the people of this country are smart. And I don't think that
they will put a man in who's incompetent."
-- Donald J. Trump, who apparently missed the irony, 29 Apr 2020.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Per olof Ljungmark

On 2020-05-02 17:16, The Doctor via freebsd-ports wrote:
> On Sat, May 02, 2020 at 04:32:10PM +0200, Christoph Moench-Tegeder wrote:
>> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
>>
>>> Subject: Bind 9.16 port error still lingers
>>
>> "Still"?
>>
>>> May  1 21:29:02 gallifrey named[90441]: Required root permissions to open
>>> '/var/run/named.pid'.
>>> May  1 21:29:02 gallifrey named[90441]: Please check file and directory
>>> permissions or reconfigure the filename.
>>
>> Did you?
>> BTW the default location for named's pidfile on FreeBSD is
>> /var/run/named/pid.
>>
>>> May  1 21:29:02 gallifrey named[90441]: parser.c:950: REQUIRE(obj != ((void *)0) &&
>>> obj->type->rep == _rep_uint32) failed, back trace
>>
>> Some (configuration) value should be an integer, but isn't.
>>
>
> cat /var/run/named.pid
> 15640
>
> running bind911
>
> and ls -Fail /var/run/named.pid
>
> -rw-r--r-- 1 root wheel 6 May 1 21:38 /var/run/named.pid

I think what The Doctor tried to point out is that the pid file needs to
be owned by the named user, normally "bind".

If named is started the "normal" way, i.e. "service named start" it
should create this file with "bind" as owner.



Re: Bind 9.16 port error still lingers

2020-05-02 Thread The Doctor via freebsd-ports
On Sat, May 02, 2020 at 04:32:10PM +0200, Christoph Moench-Tegeder wrote:
> ## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):
> 
> > Subject: Bind 9.16 port error still lingers
> 
> "Still"?
> 
> > May  1 21:29:02 gallifrey named[90441]: Required root permissions to open 
> > '/var/run/named.pid'.
> > May  1 21:29:02 gallifrey named[90441]: Please check file and directory 
> > permissions or reconfigure the filename.
> 
> Did you?
> BTW the default location for named's pidfile on FreeBSD is
> /var/run/named/pid.
> 
> > May  1 21:29:02 gallifrey named[90441]: parser.c:950: REQUIRE(obj != ((void 
> > *)0) && obj->type->rep == _rep_uint32) failed, back trace
> 
> Some (configuration) value should be an integer, but isn't.
>

cat /var/run/named.pid
15640

running bind911

and ls -Fail /var/run/named.pid

-rw-r--r-- 1 root wheel 6 May 1 21:38 /var/run/named.pid

> Regards,
> Christoph



Re: Bind 9.16 port error still lingers

2020-05-02 Thread Christoph Moench-Tegeder
## The Doctor via freebsd-ports (freebsd-ports@freebsd.org):

> Subject: Bind 9.16 port error still lingers

"Still"?

> May  1 21:29:02 gallifrey named[90441]: Required root permissions to open 
> '/var/run/named.pid'.
> May  1 21:29:02 gallifrey named[90441]: Please check file and directory 
> permissions or reconfigure the filename.

Did you?
BTW the default location for named's pidfile on FreeBSD is
/var/run/named/pid.

> May  1 21:29:02 gallifrey named[90441]: parser.c:950: REQUIRE(obj != ((void 
> *)0) && obj->type->rep == _rep_uint32) failed, back trace

Some (configuration) value should be an integer, but isn't.

Regards,
Christoph
