Until we have a failsafe way of detecting no IPv6 internet
connectivity automatically, allow the users to set it
manually for now.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
If named gets stopped, then started again, but isc-dhcpd isn't also
restarted, then we want named to at least have the existing content.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
What started in #20183 as an attempt to clean up noise in the logfiles,
turned out to be causing denial-of-service for dual-stack and especially
IPv6-only environments.
Breaking core network functionality cannot possibly be less important
than cosmetic issues, and those affected by log spam can avoid it via
other means (e.g. "query-source-v6 none;" in named.conf).
There's no reliable heuristic for determining whether there's IPv6
connectivity at the time bind is started which will catch any and all
corner cases, as discussed in #26327.
So, remove this logic for now. If a suitable heuristic can be devised,
it can always be added in a subsequent patch, but I have my doubts.
(Also, quote one variable to make shellcheck happy)
Closes: #26327
Closes: #20468
Signed-off-by: David Härdeman <david@hardeman.nu>
This changes isc-dhcp's init script to create bind zones using the tools
bind provides for that scenario instead of crafting separate zone
configuration by hand.
At the same time, remove the use of /tmp/bind/named.conf.local and add
permissions for dynamic zone creation to bind.
Signed-off-by: David Härdeman <david@hardeman.nu>
The previous patches removed a number of conffiles that weren't necessary,
meaning we can now assume that any changes or additional files in /etc/bind
are things that the user wants to keep.
Since /var/lib/bind is the standard location for longer-lived zone data
(i.e. not zones that secondary servers have obtained via XFER), we symlink
it to /etc/bind/zones so that it survives a sysupgrade.
Temporary files (such as XFER:ed zones for secondaries) stay in
/var/cache/bind.
Signed-off-by: David Härdeman <david@hardeman.nu>
Simplify the init script, removing some unnecessary subshells and making sure
that the end result is shellcheck clean.
Signed-off-by: David Härdeman <david@hardeman.nu>
First, the file is out-of-date.
Second, and more importantly, bind9 includes a compiled-in version which is
up-to-date (see https://www.isc.org/bind-keys/).
Signed-off-by: David Härdeman <david@hardeman.nu>
Bind9 has native support for these zones via the "empty-zones yes" directive,
which is enabled by default.
(cf. bb1cda792b)
Signed-off-by: David Härdeman <david@hardeman.nu>
First, change the "directory" to point to /var/cache/bind, which ensures that
e.g. simple file "something" statements for secondary servers will create files
there (the directory is created by the init script, so we're sure that it
exists). This behaviour matches e.g. what Debian does.
Second, remove the "auth-nxdomain" stanza which is the default in bind since
9.0 was released.
Third, change "master" to "primary" (the wording used in the bind reference
docs).
Signed-off-by: David Härdeman <david@hardeman.nu>
It needs to be group writable or session.key can't be written once
named drops privileges.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Unless we're using "mktemp -u ..." (not recommended), it will
create the temp file as part of its safety checking. Thus you
should only create the name (file) if you're going to use it,
and always remove it if you have created it.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
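As an added example (not code from the OpenWrt commit), a small POSIX sh function that applies the rule stated above: mktemp creates the file, so a name is only requested when it is about to be used, and the file is removed on every exit path. The function name and the named.conf.local destination are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original commit. Writes stdin to $1 via a
# temp file that mktemp(1) creates (no -u), then renames it into place.
# Assumes POSIX sh with mktemp and trap available.

render_named_local() {
    # $1: destination file; stdin: the content to write.
    dest=$1
    # Create the temp file next to the destination so the final mv is an
    # atomic rename on the same filesystem. mktemp creates the file here,
    # so from this point on we own it and must remove it if we fail.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # Remove the temp file on any exit path once it exists.
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    cat > "$tmp" || return 1
    mv "$tmp" "$dest" || return 1
    # Renamed successfully: nothing left to clean up.
    trap - EXIT HUP INT TERM
    return 0
}

leftover_count() {
    # Count stray temp files next to $1 (expected 0 after a successful run).
    set -- "$1".??????
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}
```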
Side-effect of dropping capabilities(7) with the last commit is that we now
need the `/var/run/named/` directory created for us at startup.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This has been replaced with the "trust-anchors" keyword, per
section 8.21.1 New Features of the Bind 9 Administrator Reference
Manual:
• In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new trust-anchors statement should now be used for both types of key.
When used with the keyword initial-key, trust-anchors has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011.
When used with the new keyword static-key, trust-anchors has the same behavior as trusted-keys, i.e., it configures a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Start named before dhcpd so that dhcpd can prime the local zones at startup.
Restore the empty domain zone for rfc1918 addresses that previously existed.
Create an additional subsidiary named.conf.local file (initially empty)
in /tmp/bind/ that can be seeded with dynamic zones and primed with
"rndc reload", and add it to the watched list of config files for procd.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Enable the control port on named that rndc uses to talk to it. Use
rndc to allow for lightweight reloads of some (per-zone) or all of
the database without an interruption of service.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
A multi-year DNSSEC root key update is in progress, as described at
https://www.isc.org/downloads/bind/bind-keys/. This change refreshes the
bind.keys file, ensuring that the new key, in place as of 2018-10-11,
will be recognized and trusted.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
The contents of the file "db.root" are very old (12 years).
Here's a new version downloaded from ftp://ftp.internic.net/domain/
Signed-off-by: DonkZZ <donk@evhr.net>