Netgate Discussion Forum

bind package 9.16_12 reads from /cf/named, but changes in the GUI are written to /var/etc/named

pfSense Packages
    tbahn @riso
    last edited by Mar 9, 2022, 10:52 AM

    @riso I had to check this "off-time": Yes, it still runs after reboot, but it takes minutes for the named service to start.

    I couldn't find anything in the logs, but I assume it could be the same attempts and timeouts as when I updated the package.

      tbahn @BlankMan
      last edited by tbahn Mar 9, 2022, 11:51 AM Mar 9, 2022, 11:50 AM

      @blankman Where you select "All": the field is labeled "Backup Area". :-)

      I'm no specialist by any means for "bind on pfSense", more a self-educated practitioner. Perhaps someone with more systematic knowledge can aid you further.

      I exclusively used the Bind GUI to set up bind with ACLs, views and some zones. So, it's doable.

      As far as I understand now, this configuration is stored elsewhere and the configuration files under /cf/named are generated when you save the zones.

      One thing I discovered: You seem to have to save twice: one time in the zone itself, one time in the list of zones. At least, only with this second save (in the table of zones page), the changes are propagated to other DNS servers with slave copies of the zones.

        viktor_g Netgate
        last edited by Mar 9, 2022, 1:11 PM

        The fix will be in the next BIND version (soon):
        https://redmine.pfsense.org/issues/12869#note-7

          riso @tbahn
          last edited by Mar 9, 2022, 1:14 PM

          @tbahn thank you
          in my case, this workaround did not survive the server restart, I had to do it again
          @viktor_g thanks for the quick fix :)

            tbahn @viktor_g
            last edited by Mar 9, 2022, 1:59 PM

            @viktor_g Thank you for fixing and notifying us.

              jaltman
              last edited by Mar 9, 2022, 7:04 PM

              I can confirm that 9.16_13 fixes the problem.
              Thank you.

                dld_r00f
                last edited by dld_r00f Mar 27, 2022, 8:04 AM Mar 27, 2022, 7:49 AM

                I have the inverted situation with BIND.
                pfSense 2.6.0 with BIND 9.16_12 (10 zones with DNSSEC Inline Signing and Backup Keys flags) works as usual.
                After upgrading to 9.16_13 it stopped signing DNSSEC. The new BIND tries to find keys at /var/etc/named/etc/namedb/keys instead of /cf/named/etc/namedb/keys.

                Stupid situation: I have a working backup with a previous package version. But this is completely useless with the new version of the package. So I can’t just reinstall the system, it won’t work, because the current version of the package is broken.

                And insanely long BIND loading of course (link).

                    bingo600 @dld_r00f
                    last edited by Mar 27, 2022, 11:46 AM

                    @dld_r00f

                    Wouldn't a "quick & ugly" hack be to make a symlink of the existing file to the "wanted file" ??

                    ln -s <existing> <wanted>

                    If you find my answer useful - Please give the post a 👍 - "thumbs up"

                    pfSense+ 23.05.1 (ZFS)

                    QOTOM-Q355G4 Quad Lan.
                    CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                    LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                      dld_r00f @bingo600
                      last edited by Mar 27, 2022, 2:06 PM

                      @bingo600
                      If you know the problem, then there are many ways to solve it :)
                      I just copied all my dnssec keys to /var/etc/named/etc/namedb/keys. I think the symlink worked too.
                      In my case, I spent about 4 hours to figure out what was causing the problem.
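
A check for the key-directory mismatch described in the posts above, as an added example that is not part of the original thread or of the pfSense BIND package: it lists DNSSEC key files that exist under one directory but are missing or different under the other, and flags private keys left group- or world-readable after a manual copy. The two paths are the ones quoted in the posts; the function names `key_drift` and `loose_private_keys` are hypothetical.

```shell
#!/bin/sh
# Added example: compare DNSSEC key files between the two BIND key
# directories named in this thread. K*.key / K*.private is BIND's
# standard key-file naming; the function names are hypothetical.

OLD_KEYS="/cf/named/etc/namedb/keys"
NEW_KEYS="/var/etc/named/etc/namedb/keys"

# Print one line per key file that is present in $1 but missing from,
# or different in, $2. Prints nothing when $2 holds every key from $1
# (including when $2 is a symlink to $1).
key_drift() {
    src=$1
    dst=$2
    [ -d "$src" ] || return 0
    for f in "$src"/K*.key "$src"/K*.private; do
        [ -e "$f" ] || continue        # glob matched nothing
        name=${f##*/}
        if [ ! -e "$dst/$name" ]; then
            echo "MISSING $name"
        elif ! cmp -s "$f" "$dst/$name"; then
            echo "DIFFERS $name"
        fi
    done
}

# Print private key files under $1 that group or others can read.
# A plain cp may create the copies with the default umask (often 0644).
loose_private_keys() {
    [ -d "$1" ] || return 0
    find -H "$1" -type f -name 'K*.private' \
        \( -perm -040 -o -perm -004 \) -print
}

# Stand-alone run against the paths from the thread.
key_drift "$OLD_KEYS" "$NEW_KEYS"
loose_private_keys "$NEW_KEYS"
```

Empty output means the directory named reads from holds the same keys as the old location and no private key is readable beyond its owner.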

                        viktor_g Netgate
                        last edited by Mar 30, 2022, 3:21 PM

                        Redmine issue created:
                        https://redmine.pfsense.org/issues/13002

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.