• Upgrade from 9.14 to 9.16 - transfer-source with low source port no longer works.

    From Ingeborg Hellemo@ingeborg.hellemo@uit.no to bind-users on Tue May 26 11:38:20 2020
    From Newsgroup: comp.protocols.dns.bind

    FreeBSD 11.3-RELEASE-p3

    This morning I upgraded from BIND 9.14.11 to 9.16.3 via FreeBSD ports.

    Then I realized that my slave server no longer transfers zones from the master. The zone transfers worked as expected before the upgrade.

    There are no error messages. The slave receives notifies from the master:

    May 26 09:40:35 ludvigsen named[22721]: client @0x81d593f68 129.242.4.254#24673: received notify for zone 'av.uit.no'
    May 26 09:40:35 ludvigsen named[22721]: zone av.uit.no/IN: notify from 129.242.4.254#24673: serial 2020052600

    I can do a 'rndc reload <zone>' without errors:

    May 26 09:57:29 ludvigsen named[22721]: received control channel command 'reload av.uit.no'

    If I do a full 'rndc reload' I finally get an error:

    May 26 11:08:14 ludvigsen named[25953]: unable to create dispatch for reserved port 129.242.5.254#53: permission denied

    Since this is a host with several virtual interfaces this address/port is set in named.conf:

    transfer-source 129.242.5.254 port 53;

    The solution was to remove the 'port 53' part of the config.



    Finally, the question:

    Has there been some change in when named changes user id and drops privilege from root? Or some other changes that can explain the error?




    --Ingeborg
    --
    Ingeborg Østrem Hellemo -- ingeborg.hellemo@uit.no
    Dep. of Information Technology --- Univ. of Tromso



    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From sthaug@sthaug@nethelp.no to ingeborg.hellemo on Tue May 26 11:55:33 2020

    please see release notes:

    https://downloads.isc.org/isc/bind9/9.16.3/RELEASE-NOTES-bind-9.16.3.html

    This is listed in Known Issues for BIND 9.16.1:

    UDP network ports used for listening can no longer simultaneously be used for sending traffic. An example configuration which triggers this issue would be one which uses the same address:port pair for listen-on(-v6) statements as for notify-source(-v6) or transfer-source(-v6). While this issue affects all operating systems, it only triggers log messages (e.g. "unable to create dispatch for reserved port") on some of them. There are currently no plans to make such a combination of settings work again.

    Also noted in the thread starting at

    https://lists.isc.org/pipermail/bind-workers/2020-March/003475.html

    Steinar Haug, Nethelp consulting, sthaug@nethelp.no
  • From Ingeborg Hellemo@ingeborg.hellemo@uit.no to bind-users on Tue May 26 12:29:46 2020


    ondrej@isc.org said:
    please see release notes: https://downloads.isc.org/isc/bind9/9.16.3/RELEASE-NOTES-bind-9.16.3.html


    Thank you!

    Time to check my eyes (and renew my google search engine membership) since I should have been able to find that myself.


    --Ingeborg
    --
    Ingeborg Østrem Hellemo -- ingeborg.hellemo@uit.no
    Dep. of Information Technology --- Univ. of Tromso


  • From Matus UHLAR - fantomas@uhlar@fantomas.sk to bind-users on Tue May 26 13:07:34 2020

    On 26.05.20 11:38, Ingeborg Hellemo wrote:
    If I do a full 'rndc reload' I finally get an error:

    May 26 11:08:14 ludvigsen named[25953]: unable to create dispatch for reserved port 129.242.5.254#53: permission denied

    Since this is a host with several virtual interfaces this address/port is set in named.conf:

    transfer-source 129.242.5.254 port 53;

    The solution was to remove the 'port 53' part of the config.

    FYI, using a static source port has been discouraged for about 12 years, since it
    makes DNS servers prone to DNS cache poisoning: https://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience-05

    I guess source port 53 was meant long ago to avoid DNS from being
    firewalled. However, nowadays it has long been obsolete and insecure.
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Warning: I do not want to receive any advertising mail at this address.
    "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows."
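The two points raised in the replies above (the 9.16 release note that a listen-on address:port can no longer double as a notify-source/transfer-source, and the older advice that any fixed source port defeats source-port randomization) can both be checked mechanically before a reload. The following is an added example written for this thread, not BIND's own tooling: it parses only the simple statement forms shown in the thread (not the full named.conf grammar), audits a constructed fragment that reproduces Ingeborg's setting, and shows the fix she applied (dropping `port 53`). The sample configuration, the function names and the finding texts are all assumptions of this example.

```python
"""Audit a named.conf fragment for fixed source ports and listen/source collisions.

Added example (not BIND's code). Handles the statement forms seen in the
thread, e.g. 'transfer-source 129.242.5.254 port 53;' and
'listen-on port 53 { 129.242.5.254; };', not the complete named.conf grammar.
"""
import re

# Statements that pin the source address/port of outgoing traffic.
# Longest names first so 'transfer-source' cannot swallow 'transfer-source-v6'.
SOURCE_STATEMENTS = sorted(
    ("transfer-source", "transfer-source-v6", "notify-source",
     "notify-source-v6", "query-source", "query-source-v6"),
    key=len, reverse=True)
_SRC_ALT = "|".join(SOURCE_STATEMENTS)

# Constructed fragment: the thread's transfer-source setting next to a
# listen-on on the same address, the combination BIND 9.16 refuses.
SAMPLE_CONF = """
options {
    directory "/usr/local/etc/namedb";   // constructed path
    listen-on port 53 { 129.242.5.254; 129.242.4.254; };
    listen-on-v6 { none; };
    transfer-source 129.242.5.254 port 53;
    notify-source 129.242.5.254;
    query-source address * port *;
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments (all three are legal in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_listen_ports(text):
    """Return the set of (address, port) pairs named listens on; 'any' -> '*'."""
    listens = set()
    pat = r"listen-on(?:-v6)?\s+(?:port\s+(\d+)\s+)?\{([^}]*)\}\s*;"
    for m in re.finditer(pat, text):
        port = int(m.group(1)) if m.group(1) else 53   # default DNS port
        for addr in (a.strip() for a in m.group(2).split(";")):
            if not addr or addr == "none":
                continue
            listens.add(("*" if addr == "any" else addr, port))
    return listens


def parse_source_statements(text):
    """Return [(statement, address, port_or_None)] for *-source statements."""
    pat = r"(%s)\s+(?:address\s+)?(\S+?)(?:\s+port\s+(\S+))?\s*;" % _SRC_ALT
    return [(m.group(1), m.group(2), m.group(3)) for m in re.finditer(pat, text)]


def audit(conf_text):
    """Return findings as (statement, address, port, reason) tuples."""
    text = strip_comments(conf_text)
    listens = parse_listen_ports(text)
    findings = []
    for stmt, addr, port in parse_source_statements(text):
        if port is None or port == "*":
            continue   # named picks a random ephemeral port: the recommended setting
        port = int(port)
        findings.append((stmt, addr, port,
                         "fixed source port disables source-port randomization"))
        if (addr, port) in listens or ("*", port) in listens:
            findings.append((stmt, addr, port,
                             "same address:port as listen-on; 9.16 cannot send "
                             "from a listening UDP socket"))
    return findings


def fix_conf(conf_text):
    """Drop explicit numeric ports from *-source statements (the thread's fix)."""
    pat = r"((?:%s)\s+(?:address\s+)?\S+)\s+port\s+\d+\s*;" % _SRC_ALT
    return re.sub(pat, r"\1;", conf_text)


if __name__ == "__main__":
    for stmt, addr, port, why in audit(SAMPLE_CONF):
        print("%s %s port %d: %s" % (stmt, addr, port, why))
    print("after fix:", audit(fix_conf(SAMPLE_CONF)) or "no findings")
```

Run on the sample, the audit reports the `transfer-source` line twice (once for the fixed port, once for the collision with `listen-on`), and reports nothing after `fix_conf` has removed `port 53`; `notify-source` without a port and `query-source ... port *` are already in the recommended form and are not flagged.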