Bug 475120 - fc10 bind breaks previous configurations if query source active
Summary: fc10 bind breaks previous configurations if query source active
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-08 00:48 UTC by Ray Todd Stevens
Modified: 2013-04-30 23:42 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-15 02:59:40 UTC
Type: ---
Embargoed:


Attachments
Ports before named load (6.29 KB, text/plain), 2008-12-08 14:39 UTC, Ray Todd Stevens
ports after named load (6.94 KB, text/plain), 2008-12-08 14:40 UTC, Ray Todd Stevens

Description Ray Todd Stevens 2008-12-08 00:48:25 UTC
Description of problem:

OK, part of this is that we are using a config we probably should not be, but it is a holdover from a long time ago. We are using a query source. At one point iptables kind of required this in order to do deny-all-not-specifically-allowed setups. iptables now supports port randomization in this format. (thanks iptables people) No comments please that I should have fixed this because of the security issues. This was on my list of fixes. I have no problem with saying that we have to fix this now and start using random ports. I just try not to fix too much at once, and I figure a version switchover is enough.

My problem is that the new version apparently requires the removal of this "feature" and bombs the program with a very nonspecific error.


/etc/named.conf:9: using specific query-source port suppresses port randomization and can be insecure.
could not get query source dispatcher (0.0.0.0 #53)
loading configuration: address in use
exiting (due to fatal error)

If this said something along the lines of "query source no longer permitted exiting" I would have no problem with this, but  .....

Comment 1 Adam Tkac 2008-12-08 11:07:29 UTC
(In reply to comment #0)
> 
> /etc/named.conf:9: using specific query-source port suppresses port
> randomization and can be insecure.
> could not get query source dispatcher (0.0.0.0 #53)
> loading configuration: address in use
> exiting (due to fatal error)

It seems another program is listening on 0.0.0.0:53. Could you please check it via, for example, "netstat -lnp"?

> 
> If this said something along the lines of "query source no longer permitted
> exiting" I would have no problem with this, but  .....

Fixed query source ports are supported (although admins are discouraged from using this feature).
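The configuration at issue in the description and in comment 1 is a named.conf `query-source` statement with a fixed port. That setting is still accepted, but it removes one of the two random values (source port and query ID) that make off-path cache poisoning of a resolver expensive, which is why named warns, and when the pinned port is the same one named listens on, the outbound dispatcher cannot bind it and named dies with "address in use". The script below is an added example, not code from the bug report or from the Fedora bind package: it finds pinned query-source ports in a constructed sample config that mirrors the reporter's holdover, flags the port collision, rewrites the statement so named randomizes the source port, and runs the listener check Adam asked for (using `ss` in place of `netstat -lnp`). The sample config, the function names and the comment text are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the Fedora bind package):
# find a pinned query-source port in a named.conf, detect when it equals
# the port named listens on (the "address in use" failure in this bug),
# and rewrite the option so named picks a random source port per query.

# CONSTRUCTED sample mirroring the reporter's hold-over configuration.
SAMPLE_CONF='options {
    directory "/var/named";
    listen-on port 53 { any; };
    // pinned outbound port: suppresses port randomization and, because
    // it equals the listen port, collides with the listening socket
    query-source address * port 53;
    query-source-v6 address * port 53;
    recursion yes;
};'

# Print every fixed port given to query-source / query-source-v6 in the
# config read from stdin. A bare "address *" or "port *" is not fixed
# (named then randomizes), so nothing is printed for those.
fixed_query_source_ports() {
    sed -n 's/^[[:space:]]*query-source\(-v6\)\{0,1\}[^;]*port[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]*;.*/\2/p'
}

# Exit 0 when a pinned query-source port equals the listen-on port
# (default 53): named cannot bind the same UDP port twice.
query_port_collides() {
    conf="$1"
    listen=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*listen-on[[:space:]]\{1,\}port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        | head -n 1)
    if [ -z "$listen" ]; then
        listen=53
    fi
    for p in $(printf '%s\n' "$conf" | fixed_query_source_ports); do
        if [ "$p" = "$listen" ]; then
            return 0
        fi
    done
    return 1
}

# Drop the "port N" clause so the statement becomes "query-source address *;",
# which lets named randomize the source port (its default since 9.5.0-P1).
harden_query_source() {
    sed 's/^\([[:space:]]*query-source\(-v6\)\{0,1\}[^;]*\)[[:space:]]\{1,\}port[[:space:]]\{1,\}[0-9]\{1,\}\([[:space:]]*;\)/\1\3/'
}

# The check asked for in comment 1, with ss instead of netstat -lnp:
# every listening TCP/UDP socket on port 53 and the process owning it.
listeners_on_53() {
    ss -lnptu 2>/dev/null | awk '$5 ~ /:53$/'
}

if [ "${1:-}" = "--demo" ]; then
    echo "pinned query-source ports:"
    printf '%s\n' "$SAMPLE_CONF" | fixed_query_source_ports
    if query_port_collides "$SAMPLE_CONF"; then
        echo "pinned port equals listen port: named will fail with 'address in use'"
    fi
    echo "hardened configuration:"
    printf '%s\n' "$SAMPLE_CONF" | harden_query_source
    echo "current listeners on :53:"
    listeners_on_53
fi
```

Run it with `--demo` to see the pinned ports, the collision verdict, the rewritten options block and whatever currently owns port 53 on the host; after editing the real file, `named-checkconf /etc/named.conf` confirms the syntax still parses. The reason the reporter pinned the port in the first place, a deny-all iptables policy, is better handled by letting the firewall track connection state: allow new outbound UDP and TCP to destination port 53 and accept the replies with `-m conntrack --ctstate ESTABLISHED,RELATED`, instead of keying on a fixed source port.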

Comment 2 Ray Todd Stevens 2008-12-08 14:38:52 UTC
I can't find any other program listening on port 53. Here are two netstats as attachments. I do have it set for random ports now, but "before" is before I load named. I tried the fixed port and it still fails with this port configuration. The second, "after", is after I load named with random ports.

Comment 3 Ray Todd Stevens 2008-12-08 14:39:54 UTC
Created attachment 326132 [details]
Ports before named load

Comment 4 Ray Todd Stevens 2008-12-08 14:40:30 UTC
Created attachment 326133 [details]
ports after named load

Comment 5 Adam Tkac 2008-12-09 16:05:00 UTC
I found the problem in the code. If you want to test the proposed fix, you can download the appropriate packages from http://kojiweb.fedoraproject.org/koji/taskinfo?taskID=989174. The update will be available soon.

Comment 6 Ray Todd Stevens 2008-12-09 17:34:17 UTC
Think I will wait on the update, but as soon as I see it I will test it.

Comment 7 Fedora Update System 2009-01-08 14:39:18 UTC
bind-9.5.1-1.P1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/bind-9.5.1-1.P1.fc10

Comment 8 Ray Todd Stevens 2009-01-15 00:38:05 UTC
I have a new copy of bind from the system, and the update fixed this problem. (I just checked.) So I suspect that this one is ready for a "closed -- current release".

Comment 9 Fedora Update System 2009-01-15 02:59:36 UTC
bind-9.5.1-1.P1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

