Bug 510290
| Summary: | dnssec-configure fail to parse a valid named.conf | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jean-Baptiste Vignaud <flint42> |
| Component: | dnssec-conf | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 11 | CC: | gczarcinski, h.reindl, pwouters |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-09-19 18:10:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This report is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=523973 I agree that named.conf should not be modified by software ... this is a "user" defined configuration file. BUT, if it is modified, then the modification should WORK! It currently does not. Yes, it works for simplistic cases but does not handle the actual free-form officially allowed for named.conf. Specifically, it does not parse "options" correctly. If the left-brace after options is on a separate line, it screws up. If (as in my case) I use multiple physical lines for lists of ip-numbers with "};" on a separate line, it screws up. Yes, you can edit named.conf so the problem will not occur but this should not be necessary. Even if "options {" is on the same line it will break
Below is our original config; the 3 lines are inserted into the allow-recursion block instead of after or before it, and that is not the last problem
Even if this change would work, it makes trouble for a forward server to enable dnssec implicitly; this machine did not resolve external domains with dnssec, because if there are no settings in named.conf they are implicitly set to yes
I had to set the new lines manually to "no" to get the forwarder working again, and this is a real problem. Fine that dnssec is fully supported, but it should never ever be enabled by an update. In this case it was not so bad to see the wrong lines, because they pointed me to what I have to disable to get everything working again, but this is luck in one specific case
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
forward first;
forwarders {85.124.176.242; 195.206.96.86;};
allow-transfer {10.0.0.6; 10.0.0.41; 10.0.0.245; 10.0.0.106;};
listen-on {10.0.0.6; 10.0.0.106; 127.0.0.1;};
notify yes;
also-notify {10.0.0.106;};
allow-update {none;};
cleaning-interval 60;
max-ncache-ttl 60;
querylog no;
recursion yes;
dnssec-enable no;
dnssec-validation no;
allow-recursion
{
local-network; /* 10.0.0.x network */
127.0.0.1; /* localhost */
84.112.188.198; /* stock-home */
62.178.218.100; /* harry-home */
80.108.8.51; /* peter-home */
195.202.178.123; /* ingo-home */
91.113.241.194; /* flow-home */
88.117.199.142; /* office.alufenster.at */
195.34.140.69; /* Lounge IP towards the outside */
195.34.141.18;
195.34.141.19;
195.34.141.20;
195.34.141.21;
195.34.141.22;
195.34.141.23;
195.34.141.24;
195.34.141.25;
195.34.141.26;
195.34.141.27;
195.34.141.28;
195.34.141.29;
195.34.141.30;
195.34.141.31;
195.34.141.32;
195.34.141.33;
195.34.141.34;
195.34.141.35;
195.34.141.36;
195.34.141.37;
195.34.141.38;
195.34.141.39;
195.34.141.40;
195.34.141.41;
195.34.141.42;
195.34.141.43;
195.34.141.44;
195.34.141.45;
195.34.141.46;
195.34.141.47;
195.34.141.48;
195.34.141.49;
195.34.141.50;
195.34.141.51;
195.34.141.52;
195.34.141.53;
195.34.141.54;
195.34.141.55;
195.34.141.56;
195.34.141.57;
195.34.141.58;
195.206.96.86;
195.206.96.87;
195.206.96.88;
195.206.96.89;
195.206.96.90;
};
};
can you try with "allow-recursion {" instead of
"allow-recursion
{
" ?
I guess that the problem is not related to "option" or "allow-recursion" but to the fact that the '{' is not on the same line as "option" or "allow-recursion".
I also agree that automatic updates should not kill config files.
Sorry, I cannot reproduce because all 16 fedora installations are already updated except our main nameserver, but this upgrade has to wait until F10 is out of support, because this machine is really critical and I'm not in the best health at this time.
I have been looking into this problem. The problems are with the /usr/sbin/dnssec-configure program, which is part of the dnssec-conf package. This program is written in Python and I am not Python literate, so a patch/fix will need to be done by someone else.
I have looked into the upstream creator/maintainer and there is no advertised means of reporting bugs ... the source is made available and that is it.
You do not need a real name server to work on this ... just a Fedora 11 (or 12) system. Install the bind and dnssec-conf packages. Then create a valid /etc/named.conf file (I used /etc/named.named.bak as my base). I added a "forwarders" statement to the configuration. I started named to make sure my /etc/named.conf file was good ... it was. To do my testing, I did not start/run named but simply used the following command:
/usr/sbin/dnssec-configure -b --norestart --dnssec=off --dlv=off
The problem is that dnssec-configure does not properly parse the "options" statement. While named (see named-checkconf) allows statements and sub-statements to be on multiple lines, dnssec-configure does not.
Specific problems:
1. An option statement is not recognized unless it is immediately followed by a left brace ("{") on the same line. As far as I can determine, additional left braces in substatements are ignored.
2. The program then looks for dnssec-<whatever> statements on separate physical lines OR the next right brace ("}") which it assumes is the end of the options statement. This is wrong as it could be a sub-statement such as forwarders with a list of IP addresses and a right brace on a separate line for readability.
3. Given the apparent simplistic nature of parsing used by dnssec-configure, there are likely other ways that this program could screw up your /etc/named.conf.
Current workaround ... "don't do that ... it hurts"
That is, make sure that the options statement is immediately followed by a left brace and that no right braces are on a line by themselves. For multi line statements, put the "};" at the end of the last item in the list.
BTW, I am a bit bothered that the Fedora package maintainer has not said anything concerning this bug. I am not expecting him to fix this ... it needs to be fixed upstream.
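The two failure modes listed above (the "options" keyword and its left brace on different lines, and a nested "};" on its own line being taken for the end of the options block) come down to line-oriented matching versus brace counting. The following added example is not dnssec-conf's code; it reproduces the naive behaviour described in the report beside a brace-depth scan that masks comments and quoted strings before counting, on constructed fragments shaped like the configs quoted in this bug:

```python
import re

# Constructed fragments reproducing the two layouts quoted in this bug.
CONF_BRACE_NEXT_LINE = 'options\n{\n    directory "/var/named";\n};\n'
CONF_NESTED_CLOSE = (
    'options {\n'
    '    forwarders {85.124.176.242; 195.206.96.86;};\n'
    '    allow-recursion\n'
    '    {\n'
    '        127.0.0.1; /* localhost */\n'
    '    };\n'
    '    recursion yes;\n'
    '};\n'
)

def naive_options_end(conf):
    """Line-oriented behaviour described in the report: needs 'options {' on
    one line, then treats the first later line containing '}' as the end."""
    lines = conf.splitlines()
    for i, line in enumerate(lines):
        if re.match(r'\s*options\s*\{', line):
            return next((j for j in range(i + 1, len(lines)) if '}' in lines[j]), None)
    return None

def options_body_span(conf):
    """Brace-depth scan: (start, end) offsets between the opening '{' of the
    top-level options block and its matching '}'. Comments and quoted strings
    are blanked first so braces inside them are not counted."""
    masked = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"\n]*"',
                    lambda m: ' ' * len(m.group()), conf, flags=re.S)
    m = re.search(r'\boptions\s*\{', masked)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(masked)):
        if masked[i] == '{':
            depth += 1
        elif masked[i] == '}':
            depth -= 1
            if depth == 0:
                return (m.end(), i)
    return None  # unbalanced braces

def add_dnssec_options(conf, enable="yes", validation="yes"):
    """Insert the dnssec statements right before the matching '}' of options."""
    span = options_body_span(conf)
    if span is None:
        raise ValueError("Bind: options section not found")
    block = f'    dnssec-enable {enable};\n    dnssec-validation {validation};\n'
    return conf[:span[1]] + block + conf[span[1]:]
```

Running named-checkconf on the rewritten file before restarting named remains the cheap safety net either way, since any rewrite of a hand-maintained named.conf can still break it.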
*** Bug 523973 has been marked as a duplicate of this bug. ***
BTW, given that this problem has no clear resolution, there should be documentation provided in Release Notes or somewhere which documents the problem and explains the work-around.
Oops ... there is an even earlier report and the fix is supposed to be in dnssec-conf 1.22 (bugzilla comment dated 2009-06-25)
*** This bug has been marked as a duplicate of bug 505754 ***
Description of problem:
after upgrading from fedora 10 to fedora 11, with a working named.conf, dnssec-configure failed to update named.conf
dnssec-configure -b --dnssec=on --dlv=on
dnssec-configure: Bind: options section not found
but the option section was there. the difference between a classic named.conf and the one that makes dnssec-configure fail is that the '{' is not on the same line as option :
options
{
query-source 172.18.0.1 port 53;
listen-on {127.0.0.1; 172.18.0.1; 192.168.1.1;};
directory "/var/named";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
to make dnssec-configure run properly, the line break needed to be removed:
options {
query-source 172.18.0.1 port 53;
listen-on {127.0.0.1; 172.18.0.1; 192.168.1.1;};
directory "/var/named";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
Version-Release number of selected component (if applicable):
dnssec-conf-1.21-1.fc11
bind-9.6.1-0.4.rc1.fc11