Red Hat Bugzilla – Bug 475120
fc10 bind breaks previous configurations if query source active
Last modified: 2013-04-30 19:42:05 EDT
Description of problem:
OK, part of this is that we are using a config we probably should not be, but it is a holdover from a long time ago. We are using a query source. At one point iptables kind of required this in order to do deny-all-not-specifically-allowed setups. iptables now supports port randomization in this format. (thanks iptables people) No comments please that I should have fixed this because of the security issues. This was on my list of fixes. I have no problem with us saying that we have to fix this now and start using random ports. I just try not to fix too much at once and I figure a version switch over is enough.
My problem is that the new version apparently requires the removal of this "feature" and bombs the program with a very nonspecific error.
/etc/named.conf:9: using specific query-source port suppresses port randomization and can be insecure.
could not get query source dispatcher (0.0.0.0 #53)
loading configuration: address in use
exiting (due to fatal error)
If this said something along the lines of "query source no longer permitted exiting" I would have no problem with this, but .....
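As an added example (not from the bug report or the BIND project), this shell check scans a named.conf for `query-source` / `query-source-v6` statements that pin a fixed source port, the setting that suppresses port randomization. The two configuration fragments are constructed for illustration, not the reporter's actual file.

```shell
#!/bin/sh
# Added example: detect fixed query-source ports in a BIND named.conf.
# A "port <number>" clause on query-source disables source-port randomization;
# omitting it (or using "port *") lets named pick a random port per query.

# Constructed fragment with the weak setting (fixed port 53 for outgoing queries).
NAMED_CONF_FIXED_PORT='options {
    directory "/var/named";
    // fixed port: suppresses randomization
    query-source address * port 53;
    query-source-v6 address * port 53;
};'

# Constructed fragment with the corrected setting (no port clause).
NAMED_CONF_RANDOM_PORT='options {
    directory "/var/named";
    // no port clause: named randomizes the source port
    query-source address *;
    query-source-v6 address *;
};'

# check_query_source CONFIG_TEXT
# Prints every query-source line that names a numeric port and returns 1;
# returns 0 when no fixed port is configured. "//" and "#" comments are
# stripped first so commented-out lines are not reported.
check_query_source() {
    conf="$1"
    hits=$(printf '%s\n' "$conf" \
        | sed -e 's#//.*$##' -e 's/#.*$//' \
        | grep -E '^[[:space:]]*query-source(-v6)?[[:space:]].*[[:space:]]port[[:space:]]+[0-9]+' \
        || true)
    if [ -n "$hits" ]; then
        printf 'fixed query-source port found:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone usage: check the weak fragment, then the corrected one.
check_query_source "$NAMED_CONF_FIXED_PORT" || echo "-> weak: port randomization suppressed"
check_query_source "$NAMED_CONF_RANDOM_PORT" && echo "-> ok: source port randomized"
```

To check a live system, replace the constructed text with `check_query_source "$(cat /etc/named.conf)"`.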
(In reply to comment #0)
> /etc/named.conf:9: using specific query-source port suppresses port
> randomization and can be insecure.
> could not get query source dispatcher (0.0.0.0 #53)
> loading configuration: address in use
> exiting (due to fatal error)
It seems another program is listening on 0.0.0.0:53. Could you please check it via, for example, "netstat -lnp"?
> If this said something along the lines of "query source no longer permitted
> exiting" I would have no problem with this, but .....
Fixed query source ports are supported (although admins are discouraged from using this feature).
I can't find any other program listening on port 53. Here are two netstats as attachments. Now I do have it set for random ports, but "before" is before I load named. I tried the fixed port and it still fails with this port configuration. The second, "after", is after I load named with random ports.
Created attachment 326132 [details]
Ports before named load
Created attachment 326133 [details]
Ports after named load
I found the problem in the code. If you want to test the proposed fix you can download the appropriate packages from http://kojiweb.fedoraproject.org/koji/taskinfo?taskID=989174. The update will be available soon.
Think I will wait on the update, but as soon as I see it I will test it.
bind-9.5.1-1.P1.fc10 has been submitted as an update for Fedora 10.
I have a new copy of bind from the system, and the update fixed this problem. (I just checked.) So I suspect that this one is ready for a "closed -- current release".
bind-9.5.1-1.P1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.