Bind upgrade producing errors on pfsense 2.5 upgrade

nordeep

The same for me. Seems named is going to Segmentation fault if tried to start with -t(chroot).
Looking forward to a fix.
Roll back to 2.4

viktor_g

still don't understand how to reproduce this issue,
clean install on 2.5 CE with minimal configuration:

Feb 21 19:56:08 pf42 named[54874]: starting BIND 9.16.11 (Stable Release) <id:9ff601b>
Feb 21 19:56:08 pf42 named[54874]: running on FreeBSD amd64 12.2-STABLE FreeBSD 12.2-STABLE d48fb226319(devel-12) pfSense
Feb 21 19:56:08 pf42 named[54874]: built with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--without-libidn2' '--with-json-c' '--disable-largefile' '--without-lmdb' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
Feb 21 19:56:08 pf42 named[54874]: running as: named -c /etc/namedb/named.conf -u bind -t /cf/named/
Feb 21 19:56:08 pf42 named[54874]: compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
Feb 21 19:56:08 pf42 named[54874]: compiled with OpenSSL version: OpenSSL 1.1.1i-freebsd  8 Dec 2020
Feb 21 19:56:08 pf42 named[54874]: linked to OpenSSL version: OpenSSL 1.1.1i-freebsd  8 Dec 2020
Feb 21 19:56:08 pf42 named[54874]: compiled with libxml2 version: 2.9.10
Feb 21 19:56:08 pf42 named[54874]: linked to libxml2 version: 20910
Feb 21 19:56:08 pf42 named[54874]: compiled with json-c version: 0.15
Feb 21 19:56:08 pf42 named[54874]: linked to json-c version: 0.15
Feb 21 19:56:08 pf42 named[54874]: compiled with zlib version: 1.2.11
Feb 21 19:56:08 pf42 named[54874]: linked to zlib version: 1.2.11
Feb 21 19:56:08 pf42 named[54874]: ----------------------------------------------------
Feb 21 19:56:08 pf42 named[54874]: BIND 9 is maintained by Internet Systems Consortium,
Feb 21 19:56:08 pf42 named[54874]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Feb 21 19:56:08 pf42 named[54874]: corporation.  Support and training for BIND 9 are 
Feb 21 19:56:08 pf42 named[54874]: available at https://www.isc.org/support
Feb 21 19:56:08 pf42 named[54874]: ----------------------------------------------------
Feb 21 19:56:08 pf42 named[54874]: found 1 CPU, using 1 worker thread
Feb 21 19:56:08 pf42 named[54874]: using 1 UDP listener per interface
Feb 21 19:56:08 pf42 named[54874]: using up to 21000 sockets
Feb 21 19:56:08 pf42 named[54874]: loading configuration from '/etc/namedb/named.conf'
Feb 21 19:56:08 pf42 named[54874]: unable to open '/usr/local/etc/namedb/bind.keys'; using built-in keys instead
Feb 21 19:56:08 pf42 named[54874]: using default UDP/IPv4 port range: [49152, 65535]
Feb 21 19:56:08 pf42 named[54874]: using default UDP/IPv6 port range: [49152, 65535]
Feb 21 19:56:08 pf42 named[54874]: listening on IPv4 interface vtnet2, 172.16.16.42#53
Feb 21 19:56:08 pf42 named[54874]: listening on IPv6 interface vtnet2, fc00:172::42#53
Feb 21 19:56:08 pf42 named[54874]: generating session key for dynamic DNS
Feb 21 19:56:08 pf42 named[54874]: sizing zone task pool based on 0 zones
Feb 21 19:56:08 pf42 named[54874]: using built-in root key for view _default
Feb 21 19:56:08 pf42 named[54874]: set up managed keys zone for view _default, file 'managed-keys.bind'
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 10.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 16.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 17.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 18.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 19.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 20.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 21.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 22.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 23.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 24.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 25.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 26.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 27.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 28.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 29.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 30.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 31.172.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 168.192.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 64.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 65.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 66.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 67.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 68.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 69.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 70.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 71.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 72.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 73.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 74.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 75.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 76.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 77.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 78.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 79.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 80.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 81.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 82.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 83.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 84.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 85.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 86.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 87.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 88.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 89.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 90.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 91.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 92.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 93.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 94.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 95.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 96.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 97.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 98.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 99.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 100.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 101.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 102.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 103.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 104.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 105.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 106.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 107.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 108.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 109.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 110.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 111.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 112.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 113.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 114.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 115.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 116.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 117.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 118.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 119.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 120.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 121.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 122.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 123.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 124.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 125.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 126.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 127.100.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 0.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 127.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 254.169.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: D.F.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 8.E.F.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 9.E.F.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: A.E.F.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: B.E.F.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: EMPTY.AS112.ARPA
Feb 21 19:56:08 pf42 named[54874]: automatic empty zone: HOME.ARPA
Feb 21 19:56:08 pf42 named[54874]: command channel listening on 127.0.0.1#8953
Feb 21 19:56:08 pf42 named[54874]: dns_rdata_fromtext: managed-keys.bind:10: near eol: unexpected end of input
Feb 21 19:56:08 pf42 named[54874]: managed-keys-zone: loading from master file managed-keys.bind failed: unexpected end of input
Feb 21 19:56:08 pf42 named[54874]: managed-keys-zone: loaded serial 11
Feb 21 19:56:08 pf42 named[54874]: all zones loaded
Feb 21 19:56:08 pf42 named[54874]: running
Feb 21 19:56:08 pf42 named[54874]: REFUSED unexpected RCODE resolving './DNSKEY/IN': 8.8.8.8#53
Feb 21 19:56:18 pf42 named[54874]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Feb 21 19:56:18 pf42 named[54874]: resolver priming query complete

/cf/named/etc/namedb/named.conf:

#Bind pfsense configuration
#Do not edit this file!!!

 key "rndc-key" {
 	algorithm hmac-sha256;
 	secret "UeBwwrg21QirnwHQnl/H36PjGXa0q3hBIewPKXH6/20=";
 };

 controls {
 	inet 127.0.0.1 port 8953
 		allow { 127.0.0.1; } keys { "rndc-key"; };
 };



options {
	directory "/etc/namedb";
	pid-file "/var/run/named/pid";
	statistics-file "/var/log/named.stats";
	max-cache-size 256M;
	dnssec-validation auto;

	listen-on-v6 port 53 { fc00:172::42;  };
	listen-on port 53 { 172.16.16.42;  };
	forwarders { 8.8.8.8; };
	
};

matthijs

In my case its saying after listening on IP interfaces in the log

creating TCP socket: address in use

like port 953 is already in use or so

wrgraves

Might be a problem in our configs. Hope to have an extra box tomorrow night so I can build a fresh install and load my config sometime after that. I can't take down my failed box. Have uninstalled Bind and turned on unbound and switched to Bind on another box until this is resolved.

matthijs

FYI I already did a fresh install and restored my configuration, same problem

wrgraves

@matthijs did bind work before you installed your config ?

matthijs

I have a working 2.4.5 VM running (with no bind problems), If I upgrade to 2.5 I have bind issues.
I also did a fresh 2.5.0 install and restored my 2.4.5 configuration, in both situations I have bind issues

matthijs

I also have ACME implemented with Bind/DNS, so I have ACME keys in Global Settings (main configuration menu - > Advanced Options button) Maybe this is something in common with other people also having issues with bind and 2.5.0 ?

wrgraves

@matthijs I was asking if you tried to install and test Bind on a fresh install of 2.5 before your loaded your config into it ?

matthijs

@wrgraves No I did not do a fresh bind install on a fresh 2.5.0 install (I guess that works fine, like in your situation?)

nordeep

After upgrade to 2.5. Simple run: /usr/local/sbin/named -4 -c /etc/namedb/named.conf -u bind -t /cf/named/ result is Segmentation fault.

I'm using common bind setup - 1 view, 2 zones, 4 ACLs, No Sync.

wrgraves

@matthijs I have not done that yet. It would take too much downtime. I have a spare system on order that is do tomorrow. Once that's available I should be able to build a stand alone system and try that.

matthijs

@wrgraves
I guess that would work, but I am hoping a full manual reconfiguration of my bind/acme setup with all the dns zones wont be necessary ;-)

anthonypants

@wrgraves I mentioned it earlier, but if you run named from the console and don't give it the configuration file, it seems to work fine.

viktor_g

@nordeep said in Bind upgrade producing errors on pfsense 2.5 upgrade:

After upgrade to 2.5. Simple run: /usr/local/sbin/named -4 -c /etc/namedb/named.conf -u bind -t /cf/named/ result is Segmentation fault.

I'm using common bind setup - 1 view, 2 zones, 4 ACLs, No Sync.

/usr/local/sbin/named -4 -c /etc/namedb/named.conf -u bind -t /cf/named/ works fine for me

Could you provide your views/zones/acls configuration?
You can hide your private data by changing domain/IP.

nordeep

@viktor_g said in Bind upgrade producing errors on pfsense 2.5 upgrade:

Could you provide your views/zones/acls configuration?

cat /cf/named//etc/namedb/named.conf

#Bind pfsense configuration
#Do not edit this file!!!

 key "rndc-key" {
        algorithm hmac-sha256;
        secret "====";
 };

 controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };



options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        statistics-file "/var/log/named.stats";
        max-cache-size 256M;
        dnssec-validation auto;

        listen-on-v6 port 53 { any; };
        listen-on port 53 { any; };
        notify yes;
        version none;

};



acl "ff" {
        8.8.8.8;
        8.8.4.4;
        4.4.8.8;
};

acl "dd" {
        8.8.8.8;
};

acl "gw" {
        9.9.9.9;
};

view "default" {
        recursion yes;
        match-clients { any; };
        allow-recursion { localhost; localnets; };

        zone "13" {
                type master;
                file "/etc/namedb/master/default/13.DB";
                allow-query { any; localhost; localnets; ff; dd; gw; };
                allow-transfer { ff; };
                allow-update { localhost; gw; };
                also-notify { 9.9.9.9;};
        };

        zone "tt.spb.ru" {
                type master;
                file "/etc/namedb/master/default/tt.spb.ru.DB";
                allow-query { any; };
                allow-transfer { ff; };
                allow-update { localhost; };
        };

        zone "." {
                type hint;
                file "/etc/namedb/named.root";
        };

};

madforic

Same issue after upgrade to 2.5.0
unable to start bind

wrgraves

@viktor_g Ok, brought up a test machine and installed a fresh pfsense 2.5 and of course the caching bind config works so I restored my config and of course it gets the segment fault in named and dies so I decided to find an example install for bind, I used this one -> https://www.youtube.com/watch?v=Sgn4oNy85_o
And as I went thru it I corrected several mistakes in my zones. Then used Status/Services to restart named and it works now. It looks like a bad zone will segment fault and crash your bind. I've been using these zones for years and that never happened in the past. A new feature?
I put the changes in my production machine.
and now I am up!!!

matthijs

@viktor_g What mistakes were in your zones ? and how to correct if all this configuration gets generated by the webinterface ?

horrza

@wrgraves Thank you!