On Sun, 30 Jun 2024, sth...@nethelp.no wrote:
> Short description: Fresh install of bind9-devel-9.19.24_1 doesn't
> listen to localhost port 953, with the result that rndc doesn't work.
> Problem is 100% reproducible.
>
> Environment:
> - FreeBSD 13.3-STABLE #n257580
> - BIND 9.19.24 installed using "pkg install bind9-devel-9.19.24_1"
> - Default (directly from the package) named.conf, no changes
> - rc.conf has named_enable="YES" added
> - named started using service named start
>
> If I then try to use rndc, it doesn't work:
>
> # rndc status
> rndc: connect failed: 127.0.0.1#953: connection refused
>
> In syslog I can see among the startup messages:
>
> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel 127.0.0.1#953:
> permission denied
> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel ::1#953:
> permission denied
My first guess was that something returns 1 and that is leaked to user space
as errno, but reading on ...
> which explains the rndc error message - but doesn't explain *why*
> this happens.
>
> Other info:
> - BIND 9.18.24 on the same host works perfectly, with no rndc issues.
> - BIND 9.19.24 on the same host also works *if I change it to run as
> root* (by default it runs as user bind). The syslog messages are gone,
> and rndc works as expected.
That sounds like they try to open the priv port after they changed
users rather than before.
If you (as root) temporarily change
sysctl net.inet.ip.portrange.reservedhigh=952
does it work then (as user bind)?
(don't forget to set it back after the experiment)
A ktrace might reveal more, but I'd likely go to the bind people and ask.
Seems like more chances.
> Speculation: 9.19.24 Release notes, under Feature changes, lists:
>
> Multiple RNDC messages are now processed when sent in a single TCP message.
>
> So maybe a bug introduced in connection with this feature change?
>
> Steinar Haug, AS2116
--
Bjoern A. Zeeb r15:7
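The ordering problem suspected in the reply above (binding the reserved port 953 only after switching from root to the bind user), as an added C example that is not code from this thread or from BIND. It assumes the FreeBSD default of net.inet.ip.portrange.reservedhigh=1023 (on Linux the equivalent knob is net.ipv4.ip_unprivileged_port_start); port 953 and the uid/gid 53 used in main() are constructed values standing in for the package's bind user. try_bind_loopback() returns 0 or -errno, so -EACCES is the "permission denied" from the quoted named log lines.

```c
/* Added example, not code from this thread or from BIND.
 * Demonstrates the ordering the reply above suspects is wrong in
 * bind9-devel: a daemon must bind() a port in the reserved range
 * (ports <= net.inet.ip.portrange.reservedhigh, 1023 by default on
 * FreeBSD; on Linux the sysctl is net.ipv4.ip_unprivileged_port_start)
 * while still root, and only then drop to its unprivileged user.
 * Port 953 and the uid/gid used in main() are constructed values. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Bind a TCP socket to 127.0.0.1:port. Returns the fd (>= 0) on success,
 * or -errno on failure; -EACCES is the "permission denied" seen in the
 * named log lines quoted above. */
int bind_loopback(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Probe helper: try to bind, close immediately, return 0 or -errno. */
int try_bind_loopback(unsigned short port)
{
    int fd = bind_loopback(port);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

/* Permanently drop root: set the group first (setgid would fail once we
 * are no longer root), then the user. Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) < 0)
        return -errno;
    if (setuid(uid) < 0)
        return -errno;
    return 0;
}

/* Correct order for a command channel on a reserved port: bind first,
 * drop privileges second. Returns the bound fd or -errno. */
int open_channel_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    int fd = bind_loopback(port);
    if (fd < 0)
        return fd;
    int rc = drop_privileges(uid, gid);
    if (rc < 0) {
        close(fd);
        return rc;
    }
    return fd;
}

int main(void)
{
    /* Wrong order, matching the report's symptom: bind after the
     * privilege drop. Run as a non-root user this yields EACCES. */
    int rc = try_bind_loopback(953);
    printf("bind 127.0.0.1:953 as uid %u: %s\n",
           (unsigned)geteuid(), rc == 0 ? "ok" : strerror(-rc));

    /* Right order, only meaningful when started as root. uid/gid 53
     * stand in for the package's bind user (constructed values). */
    if (geteuid() == 0) {
        int fd = open_channel_then_drop(953, 53, 53);
        printf("bind then drop to uid 53: %s\n",
               fd >= 0 ? "ok" : strerror(-fd));
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Run once as the bind user and once as root to see the two outcomes side by side; lowering reservedhigh to 952, as suggested in the reply, makes the first call succeed because 953 is then no longer a reserved port.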