Bug in package "Bind" for pfSense causing it not to start.
-
Hello,
I have found a bug in the package "Bind" for pfSense and I think it is a pfSense package bug and not a generic Bind bug.
When package is installed and configured it always don't start with the following error:
Nov 7 08:41:11 named[64040]: exiting (due to fatal error) Nov 7 08:41:11 named[64040]: loading configuration: failure Nov 7 08:41:11 named[64040]: /etc/namedb/named.conf:22: missing ';' before '}' Nov 7 08:41:11 named[64040]: loading configuration from '/etc/namedb/named.conf' . . Nov 7 08:41:11 named[64040]: starting BIND 9.9.5-P1 -c /etc/namedb/named.conf -u bind -t /cf/named/
I have verified this on 2 different installations wher one never have had bind installed prior.
What I found is that the problem occurs when "Forwarder IPs" is defined.
After inspecting the actual named.conf file in "/cf/named/etc/namedb/named.conf" I found a fault
in row22: "forwarders { xx.xx.xx.xx };" NOTE: (i have left out the actual IP).The problem is that all values should end with a semicolon after the value also inside.
eg.
forwarders { xx.xx.xx.xx };
SHOULD BE
forwarders { xx.xx.xx.xx; };When I changed this in my installation, bind started up just fine and is now working OK.
As the row above IS having my sitespecific DNS IP inserted it is not a fault caused by
default bind files shipped with package but is modified by the local pfSense installation/package.Could responsible for the bind package, please update the package and release a working one.
For remedy on existing installations to get bind working, do the following:
- Diagnostics / Edit file
- "Browse" for "/cf/named/etc/namedb/named.conf"
- Modify row 22 and add a semicolon after the IP inside the { } in "forwarders { xx.xx.xx.xx**;** };"
- Save file
- Now try to start the Bind service again.
NOTE! This modification must be done EVERYTIME you modify anything in the pfSense Bind GUI as it saves
the file again with the faulty missing semicolon. This means even if you just disable/enable the service.
Any modification that requires the Save button to be pressed will remove the semicolon and it needs
to be inserted manually again and restart service.UPDATED 2014-11-10:
_I have reviewed the code and there is no validation of the input whatsoever for the "Forwarders" entry so it will accept anything including text. (this will of course not work with BIND)
No validation/forming that the data to be written to the named.conf is in the correct format is done. The values from the form is written straight into to named.conf file.
I think this is also valid for other multi-edit fields as well on other pages.This will make it easier to workaround though as it is now (short term) possible to write it in the correct format (as bind wants it) in the config page.
Write it in the following form:_<ip>;
or
<ip>;<space><ip>;
or
<ip>;<space><ip>;<space><ip>;
e.g.
10.0.0.1;
10.0.0.1; 10.0.0.2;
10.0.0.1; 10.0.0.2; 10.0.0.3;//Dan Lundqvist</ip></space></ip></space></ip></ip></space></ip></ip>
-
Are there any handler for the Bind package or is it just updated ad-hoc with no specific responsible ?
Either the explanation text needs to be updated to be more precise and clear EXACTLY how the text should be entered
or there is a need to make the input-field validation more robust to validate that it is actually IP-addresses and also
format the output so it follows the named.conf syntax.//Dan Lundqvist
Stockholm, Sweden -
Hi,
I think i found a bug in the Bind gui. I wanted to use negation when defining acls in bind views. The bind gui in Pfsense does not allow use of negation operator. The match-clients statement in named.conf is used to define list of clients that can access the view.
I tried to define the match-clients statement with negation as a custom option in view tab but got the following error: /etc/namedb/named.conf:115: 'match-clients' redefined near 'match-clients'. This happened after I had unselected all options in the match clients option box. I then defined the match clients options as a custom view option. After that bind refused to start.
It seems as though bind saves the match-clients box option even if we leave the match clients box empty. So there are 2 match client statements and that prevents bind from starting.
Thanks,
Nadir Latif
-
Nadir, It will force a gui update to work with negation.
I'll try to include it and forward ";" check while checking the package for 2.2
Thanks for the feedback Nadir and mrzaz
-
Hello marcelloc,
Thanks for handling this. Please remember that there may be more input fields that working similar to the one I reported. Especially in the ACL section.
Either better syntax checking / formatting or better updated information how to construct the text so it is not breaking the Bind config file and block startup.Best regards
Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden -
This bug is still here in version 2.2.2, April 2015
-
This bug is still here in version 2.2.4, 09.2015