Bug 510290 - dnssec-configure fail to parse a valid named.conf
Status: CLOSED DUPLICATE of bug 505754
Product: Fedora
Classification: Fedora
Component: dnssec-conf
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Duplicates: 523973
Reported: 2009-07-08 11:30 EDT by Jean-Baptiste Vignaud
Modified: 2009-09-19 14:10 EDT (History)
CC: 3 users

Doc Type: Bug Fix

Attachments: None
Description Jean-Baptiste Vignaud 2009-07-08 11:30:58 EDT
Description of problem:

after upgrading from Fedora 10 to Fedora 11 with a working named.conf,
dnssec-configure failed to update named.conf:

dnssec-configure -b --dnssec=on --dlv=on
dnssec-configure: Bind: options section not found

but the option section was there.

the difference between a classic named.conf and the one that makes dnssec-configure fail is that the '{' is not on the same line as "options":

        query-source  port 53;
        listen-on {;;;};
        directory "/var/named";
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";


to make dnssec-configure run properly, the line break had to be removed:

options {
        query-source  port 53;
        listen-on {;;;};
        directory "/var/named";
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;

Version-Release number of selected component (if applicable):

Comment 1 Gene Czarcinski 2009-09-18 14:53:44 EDT
This report is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=523973

I agree that named.conf should not be modified by software ... this is a "user"
defined configuration file.  BUT, if it is modified, then the modification
should WORK!  It currently does not.

Yes, it works for simplistic cases but does not handle the actual free-form
officially allowed for named.conf.  Specifically, it does not parse "options"
correctly.  If the left-brace after options is on a separate line, it screws
up.  If (as in my case) I use multiple physical lines for lists of ip-numbers
with "};" on a separate line, it screws up.

Yes, you can edit named.conf so the problem will not occur but this should not
be necessary.
Comment 2 Harald Reindl 2009-09-18 16:01:07 EDT
Even if "options {" is on the same line it will break.

Below is our original config; the 3 lines are inserted into the allow-recursion block instead of after or before it, and that is not the last problem.

Even if this change worked, it causes trouble for a forward server to enable dnssec implicitly; this machine did not resolve external domains with dnssec, because if there are no settings in named.conf they are implicitly set to yes.

I had to set the new lines manually to "no" to get the forwarder working again, and this is a real problem. Fine that dnssec is fully supported, but it should never be enabled by an update. In this case it was not so bad, because the wrong lines pointed me to what I had to disable to get everything working again, but this is luck in one specific case.

options {
 directory             "/var/named";
 dump-file             "/var/named/data/cache_dump.db";
 statistics-file       "/var/named/data/named_stats.txt";
 forward first;
 forwarders            {;;};
 allow-transfer        {;;;;};
 listen-on             {;;;};
 notify                yes;
 also-notify           {;};
 allow-update          {none;};
 cleaning-interval     60;
 max-ncache-ttl        60;
 querylog              no;
 recursion             yes;
 dnssec-enable         no;
 dnssec-validation     no;
  local-network;     /* 10.0.0.x network */
  ;         /* localhost */
  ;    /* stock-home */
  ;    /* harry-home */
  ;       /* peter-home */
  ;   /* ingo-home */
  ;    /* flow-home */
  ;    /* office.alufenster.at */
  ;     /* Lounge IP to the outside */
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Comment 3 Jean-Baptiste Vignaud 2009-09-18 16:33:03 EDT
can you try with "allow-recursion {" instead of
" ?

I guess that the problem is not related to "option" or "allow-recursion" but to the fact that the '{' is not on the same line as "option" or "allow-recursion".

I also agree that automatic updates should not kill config files.
Comment 4 Harald Reindl 2009-09-18 16:49:44 EDT
Sorry, I cannot reproduce because all 16 of our Fedora installations are already updated except our main nameserver, but this upgrade has to wait until F10 is out of support because this machine is really critical and I am not in the best of health at this time.
Comment 5 Gene Czarcinski 2009-09-19 11:10:15 EDT
I have been looking into this problem.  The problems are with the /usr/sbin/dnssec-configure program which is part of the dnssec-conf package.  This program is written in python and I am not python literate so a patch/fix will need to be done by someone else.

I have looked into the upstream creator/maintainer and there is no advertised means of reporting bugs ... the source is made available and that is it.

You do not need a real name server to work on this ... just a Fedora 11 (or 12) system.  Install the bind and dnssec-conf packages.  Then create a valid /etc/named.conf file (I used /etc/named.named.bak as my base).  I added a "forwarders" statement to the configuration.  I started named to make sure my /etc/named.conf file was good ... it was.  To do my testing, I did not start/run named but simply used the following command:
  /usr/sbin/dnssec-configure -b --norestart --dnssec=off --dlv=off

The problem is that dnssec-configure does not properly parse the "options" statement.  While named (see named-checkconf) allows statements and sub-statements to be on multiple lines, dnssec-configure does not.

Specific problems:

1.  An option statement is not recognized unless it is immediately followed by a left brace ("{") on the same line.  As far as I can determine, additional left braces in substatements are ignored.

2. The program then looks for dnssec-<whatever> statements on separate physical lines OR the next right brace ("}") which it assumes is the end of the options statement.  This is wrong as it could be a sub-statement such as forwarders with a list of IP addresses and a right brace on a separate line for readability.

3. Given the apparent simplistic nature of parsing used by dnssec-configure, there are likely other ways that this program could screw up your /etc/named.conf.

Current workaround ... "don't do that ... it hurts"

That is, make sure that the options statement is immediately followed by a left brace and that no right braces are on a line by themselves.  For multi-line statements, put the "};" at the end of the last item in the list.

BTW, I am a bit bothered that the Fedora package maintainer has not said anything concerning this bug.  I am not expecting him to fix this ... it needs to be fixed upstream.
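The two parsing problems listed in comment 5 (an "options" that is only recognised when "{" is on the same line, and the first "}" on any line being taken as the end of the block) are easy to see side by side. The script below is an added illustration for this report; it is not code from dnssec-conf, from BIND, or from any commenter. naive_options_span() is a simplified reconstruction of the line-oriented behaviour comment 5 describes, not the real dnssec-configure code; find_options_block() shows the brace-depth approach a config-rewriting tool needs instead. All function names are hypothetical and both sample configurations are constructed (addresses from the 192.0.2.0/24 documentation range).

```python
"""Brace-aware handling of the named.conf "options" block.

Added illustration for this bug report, not code from dnssec-conf, BIND or
any commenter.  naive_options_span() is a simplified reconstruction of the
line-oriented behaviour comment 5 describes; all names are hypothetical and
the sample configurations are constructed.
"""
import re

# Constructed sample: '{' on the line after "options" and a multi-line
# forwarders list whose "};" stands alone (both shapes from the report).
# The first line checks that a commented-out "options {" is ignored.
SAMPLE_SPLIT_BRACE = """\
/* old layout: options { ... } */
options
{
        forwarders {
                192.0.2.1;
                192.0.2.2;
        };
        dnssec-enable no;
};
zone "." IN {
        type hint;
};
"""

# Constructed sample: brace on the same line, but a sub-statement closes a
# brace before the options block ends.
SAMPLE_ONE_LINE = """\
options {
        forwarders { 192.0.2.1; 192.0.2.2; };
        dnssec-enable no;
};
"""


def naive_options_span(text):
    """Line-oriented lookup as comment 5 describes: "options" counts only with
    '{' on the same line; the first later line holding '}' ends the block."""
    start = None
    for i, line in enumerate(text.splitlines()):
        if start is None:
            if re.match(r'\s*options\s*\{', line):
                start = i
        elif '}' in line:
            return (start, i)          # 0-based, inclusive
    return None


def find_options_block(text):
    """Offsets (open_idx, close_idx) of the '{' opening the top-level options
    block and its matching '}', or None.  Skips /* */, // and # comments and
    quoted strings, and tracks brace depth so a nested "};" cannot end it."""
    n, i, depth = len(text), 0, 0
    after_options = False      # last top-level bare word was "options"
    open_idx = None
    while i < n:
        c = text[i]
        if text.startswith('/*', i):
            end = text.find('*/', i + 2)
            i = n if end < 0 else end + 2
            continue
        if text.startswith('//', i) or c == '#':
            end = text.find('\n', i)
            i = n if end < 0 else end
            continue
        if c == '"':
            end = text.find('"', i + 1)
            i = n if end < 0 else end + 1
            continue
        if c == '{':
            if depth == 0 and after_options and open_idx is None:
                open_idx = i
            depth += 1
        elif c == '}':
            depth -= 1
            if depth == 0 and open_idx is not None:
                return (open_idx, i)
        elif depth == 0 and c.isalpha():
            j = i                      # read one bare word at top level
            while j < n and (text[j].isalnum() or text[j] in '-_'):
                j += 1
            after_options = text[i:j] == 'options'
            i = j
            continue
        i += 1
    return None


def options_body(text):
    """Text between the braces of the options block, or None."""
    span = find_options_block(text)
    return None if span is None else text[span[0] + 1:span[1]]


def add_options_statements(text, statements):
    """Append statements such as 'dnssec-validation no;' as the last lines of
    the options block, wherever its braces sit.  Raises ValueError when no
    options block exists instead of guessing where to write."""
    span = find_options_block(text)
    if span is None:
        raise ValueError("options section not found")
    close_idx = span[1]
    line_start = text.rfind('\n', 0, close_idx) + 1
    prefix = text[line_start:close_idx]     # what precedes '}' on its line
    indent = prefix if not prefix.strip() else ''
    block = ''.join(indent + '        ' + s + '\n' for s in statements)
    if prefix.strip():                      # '}' shares its line with content
        block = '\n' + block
    return text[:close_idx] + block + text[close_idx:]
```

naive_options_span() returns None for the first sample and stops at the forwarders line for the second, which is exactly the "options section not found" and misplaced-insertion behaviour reported above. The depth-tracking version raises rather than rewriting the file when it cannot find the block, and anything it writes should still be checked with named-checkconf before named is restarted.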
Comment 6 Gene Czarcinski 2009-09-19 11:13:33 EDT
*** Bug 523973 has been marked as a duplicate of this bug. ***
Comment 7 Gene Czarcinski 2009-09-19 11:19:33 EDT
BTW, given that this problem has no clear resolution, there should be documentation provided in the Release Notes or somewhere which documents the problem and explains the work-around.
Comment 8 Gene Czarcinski 2009-09-19 14:10:36 EDT
Oops ... there is an even earlier report and the fix is supposed to be in dnssec-conf 1.22 (bugzilla comment dated 2009-06-25)

*** This bug has been marked as a duplicate of bug 505754 ***
