Bug 475120 - fc10 bind breaks previous configurations if query source active
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: bind
Version: 10
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-07 19:48 EST by Ray Todd Stevens
Modified: 2013-04-30 19:42 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-14 21:59:40 EST
Attachments
Ports before named load (6.29 KB, text/plain), 2008-12-08 09:39 EST, Ray Todd Stevens
ports after named load (6.94 KB, text/plain), 2008-12-08 09:40 EST, Ray Todd Stevens

Description Ray Todd Stevens 2008-12-07 19:48:25 EST
Description of problem:

OK, part of this is that we are using a config we probably should not be, but it is a holdover from a long time ago. We are using a query source. At one point iptables kind of required this in order to do deny all not specifically allowed setups. iptables now supports port randomization in this format. (thanks iptables people) No comments please that I should have fixed this because of the security issues. This was on my list of fixes. I have no problem with saying that we have to fix this now and start using random ports. I just try not to fix too much at once and I figure a version switch over is enough.

My problem is that the new version apparently requires the removal of this "feature" and bombs the program with a very nonspecific error.


/etc/named.conf:9: using specific query-source port suppresses port randomization and can be insecure.
could not get query source dispatcher (0.0.0.0 #53)
loading configuration: address in use
exiting (due to fatal error)

If this said something along the lines of "query source no longer permitted exiting" I would have no problem with this, but  .....
Comment 1 Adam Tkac 2008-12-08 06:07:29 EST
(In reply to comment #0)
> 
> /etc/named.conf:9: using specific query-source port suppresses port
> randomization and can be insecure.
> could not get query source dispatcher (0.0.0.0 #53)
> loading configuration: address in use
> exiting (due to fatal error)

It seems another program is listening on 0.0.0.0:53. Could you please check it via, for example, "netstat -lnp"?

> 
> If this said something along the lines of "query source no longer permitted
> exiting" I would have no problem with this, but  .....

Fixed query source ports are supported (although admins are discouraged from using this feature).
Comment 2 Ray Todd Stevens 2008-12-08 09:38:52 EST
I can't find any other program listening on port 53.   Here are two netstats as attachments.   Now I do have it set for random ports now, but before is before I load named.   I tried the fixed port and it still fails with this port configuration.  The second "after" is after I load named with random ports.
Comment 3 Ray Todd Stevens 2008-12-08 09:39:54 EST
Created attachment 326132
Ports before named load
Comment 4 Ray Todd Stevens 2008-12-08 09:40:30 EST
Created attachment 326133
ports after named load
Comment 5 Adam Tkac 2008-12-09 11:05:00 EST
I found a problem in the code. If you want to test the proposed fix, you can download the appropriate packages from http://kojiweb.fedoraproject.org/koji/taskinfo?taskID=989174. An update will be available soon.
Comment 6 Ray Todd Stevens 2008-12-09 12:34:17 EST
Think I will wait on the update, but as soon as I see it I will test it.
Comment 7 Fedora Update System 2009-01-08 09:39:18 EST
bind-9.5.1-1.P1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/bind-9.5.1-1.P1.fc10
Comment 8 Ray Todd Stevens 2009-01-14 19:38:05 EST
I have a new copy of bind from the system, and the update fixed this problem.   (I just checked)  So I suspect that this one is ready for a "closed -- current release"
Comment 9 Fedora Update System 2009-01-14 21:59:36 EST
bind-9.5.1-1.P1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.