Move BIND command channel port to avoid clashing with Unbound (Bug #7271) #416
Conversation
…271) Improve check for rndc-confgen and add error handling while here. Always regenerate the template to avoid stale config issues on package upgrades.
Finally, no more worries about this issue that plagues me up to this day, thanks! Will update to snapshot and test in the coming week. Still, I believe it would have been more intuitive to move Unbound's port back to its documented default 8953, and then Bind could use its default 953 :-)
You can apply it manually using https://github.com/pfsense/FreeBSD-ports/commit/5fb1095cd2a5949f9f44fc985c0fe8aab77185ef.patch URL for System Patches until the patch is merged. (Will need to re-save BIND configuration to take effect.)
Consider changing rndc key to hmac-sha256, as MD5 is broken.
if (is_executable($rndc_confgen)) { | ||
// Bug #7271: do not use the default command channel port, it conflicts with Unbound | ||
unlink_if_exists(BIND_LOCALBASE . "/etc/rndc-confgen.pfsense"); | ||
exec("$rndc_confgen -p 8953 ", $rndc_conf); |
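Review bot: the exec() call on the last line of this hunk drops the exit status, so if rndc-confgen fails (unsupported option, missing library, permission problem) $rndc_conf is simply empty and, since the previous template was already unlinked two lines earlier, whatever writes the template next will produce an empty or broken file; pass the third argument and check it, e.g. `exec("$rndc_confgen -p 8953", $rndc_conf, $rc); if ($rc !== 0 || empty($rndc_conf)) { log_error("rndc-confgen failed"); return; }`. The $rndc_confgen path is also interpolated into the command string unquoted; wrapping it in escapeshellarg() costs nothing and matches the "add error handling" intent of the commit message.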
Can I suggest:
exec("$rndc_confgen -p 8953 -A hmac-sha256 ", $rndc_conf);
Whilst hmac-md5 remains the BIND default, MD5 is broken. It seems worth hardening the command channel by using SHA256 whilst this code is being touched.
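The two review points above (check that rndc-confgen actually succeeded, and ask it for an HMAC-SHA-256 key rather than the hmac-md5 default) put together, as an added PHP example that is not code from the pfSense FreeBSD-ports package. The function names, the `$localbase` value standing in for BIND_LOCALBASE, and the file paths are assumptions for illustration; `rndc-confgen -p` and `-A` are the tool's real options.

```php
<?php
// Added example, not the pfSense package's own code: generate the rndc template
// with a non-default command channel port and an HMAC-SHA-256 key, and stop on
// any failure instead of silently writing an empty or stale file.

function generate_rndc_conf(string $rndc_confgen, int $port = 8953, string $alg = 'hmac-sha256'): array
{
    if (!is_executable($rndc_confgen)) {
        throw new RuntimeException("rndc-confgen not found or not executable: {$rndc_confgen}");
    }

    // rndc-confgen -A accepts a fixed set of HMAC algorithms; hmac-md5 is deliberately left out.
    $allowed = ['hmac-sha1', 'hmac-sha224', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512'];
    if (!in_array($alg, $allowed, true)) {
        throw new InvalidArgumentException("unsupported key algorithm: {$alg}");
    }

    // 953 is rndc's default and, on pfSense, the port Unbound's remote control already uses (Bug #7271).
    if ($port === 953 || $port < 1 || $port > 65535) {
        throw new InvalidArgumentException("refusing to use command channel port {$port}");
    }

    $cmd = escapeshellarg($rndc_confgen) . ' -p ' . $port . ' -A ' . escapeshellarg($alg) . ' 2>&1';
    $output = [];
    $rc = 1;
    exec($cmd, $output, $rc);               // $rc receives the exit status the original call ignored
    if ($rc !== 0 || $output === []) {
        throw new RuntimeException("rndc-confgen failed (exit {$rc}): " . implode("\n", $output));
    }

    // Verify the generated text really carries the algorithm and port we asked for.
    $text = implode("\n", $output);
    if (!preg_match('/\balgorithm\s+' . preg_quote($alg, '/') . '\s*;/', $text)) {
        throw new RuntimeException("generated config does not use {$alg}");
    }
    if (!preg_match('/\bport\s+' . $port . '\b/', $text)) {
        throw new RuntimeException("generated config does not use port {$port}");
    }

    return $output;
}

function write_rndc_template(string $path, array $lines): void
{
    // Always rewrite: a template left behind by an earlier package version is
    // exactly the stale-config problem the PR's commit message describes.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, implode("\n", $lines) . "\n", LOCK_EX) === false) {
        throw new RuntimeException("cannot write {$tmp}");
    }
    chmod($tmp, 0600);                      // the file holds the shared HMAC secret
    if (!rename($tmp, $path)) {             // atomic replace, so no reader sees a half-written file
        @unlink($tmp);
        throw new RuntimeException("cannot replace {$path}");
    }
}

// Usage. $localbase is an assumed stand-in for the package's BIND_LOCALBASE constant.
$localbase = '/usr/local';
try {
    $lines = generate_rndc_conf($localbase . '/sbin/rndc-confgen');
    write_rndc_template($localbase . '/etc/rndc-confgen.pfsense', $lines);
} catch (Throwable $e) {
    fwrite(STDERR, 'rndc setup failed: ' . $e->getMessage() . "\n");
    exit(1);
}
```

The post-generation regex checks are cheap insurance: if a future BIND build ignores `-A` or `-p`, the template is rejected at package-configure time rather than discovered later when `rndc` cannot reach `named` on the expected port.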
Yeah, this is just out of scope of this PR that's supposed to deal with Bug 7271.
Fair enough - I thought it was a worthwhile change whilst you were touching this code anyway. Of course, it's not necessary to fix the bug. It's time that something was committed to fix this long-standing bug that has such a trivial fix - hopefully this is it!
@davidjwood I have a bunch of other things to clean up for BIND in the queue, will add this for next PR.