Move BIND command channel port to avoid clashing with Unbound (Bug #7271) #416

Closed
wants to merge 3 commits into from

Conversation

doktornotor
Contributor

Improve check for rndc-confgen and add error handling while here. Always regenerate the template to avoid stale config issues on package upgrades.

doktornotor added 2 commits September 3, 2017 10:02

hb9cwp commented Sep 3, 2017

Finally, no more worries about this issue that plagues me up to this day, thanks! Will update to snapshot and test in the coming week.

Still, I believe it would have been more intuitive to move Unbound's port back to its documented default 8953, and then Bind could use its default 953 :-)
https://redmine.pfsense.org/issues/7271

doktornotor commented Sep 3, 2017

You can apply it manually using https://github.com/pfsense/FreeBSD-ports/commit/5fb1095cd2a5949f9f44fc985c0fe8aab77185ef.patch URL for System Patches until the patch is merged. (Will need to re-save BIND configuration to take effect.)

@davidjwood davidjwood left a comment

Consider changing rndc key to hmac-sha256, as MD5 is broken.

if (is_executable($rndc_confgen)) {
    // Bug #7271: do not use the default command channel port, it conflicts with Unbound
    unlink_if_exists(BIND_LOCALBASE . "/etc/rndc-confgen.pfsense");
    exec("$rndc_confgen -p 8953 ", $rndc_conf);
Can I suggest:

    exec("$rndc_confgen -p 8953 -A hmac-sha256 ", $rndc_conf);

Whilst hmac-md5 remains the BIND default, MD5 is broken. It seems worth hardening the command channel by using SHA256 whilst this code is being touched.

@doktornotor

Yeah, this is just out of scope of this PR that's supposed to deal with Bug 7271.

@davidjwood

Fair enough - I thought it was a worthwhile change whilst you were touching this code anyway. Of course, it's not necessary to fix the bug.

It's time that something was committed to fix this long standing bug that has such a trivial fix - hopefully this is it!

@doktornotor

@davidjwood I have a bunch of other things to clean up for BIND in the queue, will add this for next PR.
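The review thread above raises two checks on the generated rndc config: the command-channel port must not be the one pfSense's Unbound already uses, and the key algorithm should not be hmac-md5. The following added example (not pfSense package code, not rndc-confgen output from a real system) checks a file in the format rndc-confgen emits for both points; the sample config, the dummy secret and the assumption that Unbound listens on 953 (as the thread states) are constructed here.

```shell
#!/bin/sh
# Added example: sanity-check an rndc.conf for the two points raised in the PR review.
# Not part of the pfSense BIND package; the sample below is constructed.

# Constructed sample in the layout rndc-confgen prints; the secret is a dummy value.
SAMPLE_RNDC_CONF='key "rndc-key" {
	algorithm hmac-md5;
	secret "ZHVtbXktc2VjcmV0LW5vdC1yZWFs";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};'

# Assumption from the thread: pfSense runs unbound-control on 953 (its documented default is 8953).
UNBOUND_CONTROL_PORT=953

# rndc_port CONF -> prints the default-port value without the trailing ';'
rndc_port() {
    printf '%s\n' "$1" | awk '/default-port/ { gsub(/[^0-9]/, "", $2); print $2 }'
}

# rndc_algorithm CONF -> prints the key algorithm without the trailing ';'
rndc_algorithm() {
    printf '%s\n' "$1" | awk '/algorithm/ { gsub(/;/, "", $2); print $2 }'
}

# check_rndc_conf CONF -> exit status 0 if clean, +1 if the port clashes with
# Unbound, +2 if the key still uses hmac-md5 (so 3 means both problems).
check_rndc_conf() {
    port=$(rndc_port "$1")
    alg=$(rndc_algorithm "$1")
    rc=0
    if [ "$port" = "$UNBOUND_CONTROL_PORT" ]; then
        echo "rndc port $port clashes with Unbound's control port (Bug #7271)" >&2
        rc=$((rc + 1))
    fi
    if [ "$alg" = "hmac-md5" ]; then
        echo "rndc key uses $alg; regenerate with rndc-confgen -A hmac-sha256" >&2
        rc=$((rc + 2))
    fi
    return $rc
}
```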

@rbgarga rbgarga requested a review from jim-p September 22, 2017 12:09
@rbgarga rbgarga removed the CLA label Sep 22, 2017

@doktornotor doktornotor deleted the patch-12 branch October 27, 2017 00:39
@pfsense pfsense deleted a comment from doktornotor Oct 27, 2017
netgate-git-updates pushed a commit that referenced this pull request May 21, 2022