Netgate Discussion Forum

    Bug in package "Bind" for pfSense causing it not to start.

      mrzaz

      Hello,

      I have found a bug in the package "Bind" for pfSense and I think it is a pfSense package bug and not a generic Bind bug.

      When the package is installed and configured, it always fails to start with the following error:

      
      Nov 7 08:41:11 	named[64040]: exiting (due to fatal error)
      Nov 7 08:41:11 	named[64040]: loading configuration: failure
      Nov 7 08:41:11 	named[64040]: /etc/namedb/named.conf:22: missing ';' before '}'
      Nov 7 08:41:11 	named[64040]: loading configuration from '/etc/namedb/named.conf'
      .
      .
      Nov 7 08:41:11 	named[64040]: starting BIND 9.9.5-P1 -c /etc/namedb/named.conf -u bind -t /cf/named/
      
      

      I have verified this on 2 different installations, where one has never had Bind installed before.

      What I found is that the problem occurs when "Forwarder IPs" is defined.

      After inspecting the actual named.conf file in "/cf/named/etc/namedb/named.conf" I found a fault
      in row 22:  "forwarders { xx.xx.xx.xx };"  NOTE: (I have left out the actual IP).

      The problem is that all values should end with a semicolon after the value also inside.
      eg.
      forwarders { xx.xx.xx.xx };
      SHOULD BE
      forwarders { xx.xx.xx.xx; };

      When I changed this in my installation, bind started up just fine and is now working OK.
      As the row above has my site-specific DNS IP inserted, it is not a fault caused by
      default bind files shipped with the package but is modified by the local pfSense installation/package.

      Could whoever is responsible for the Bind package please update the package and release a working one?

      For remedy on existing installations to get bind working, do the following:

      • Diagnostics / Edit file
      • "Browse" for "/cf/named/etc/namedb/named.conf"
      • Modify row 22 and add a semicolon after the IP inside the { } in "forwarders { xx.xx.xx.xx**;** };"
      • Save file
      • Now try to start the Bind service again.

      NOTE!  This modification must be done EVERY TIME you modify anything in the pfSense Bind GUI, as it saves
      the file again with the faulty missing semicolon. This means even if you just disable/enable the service.
      Any modification that requires the Save button to be pressed will remove the semicolon, and it needs
      to be inserted manually again and the service restarted.

      UPDATED 2014-11-10:
      I have reviewed the code and there is no validation of the input whatsoever for the "Forwarders" entry, so it will accept anything, including text. (This will of course not work with BIND.)
      No validation or formatting is done to ensure that the data to be written to named.conf is in the correct format. The values from the form are written straight into the named.conf file.
      I think this is also valid for other multi-edit fields on other pages.

      This will make it easier to work around, though, as it is now (short term) possible to write it in the correct format (as Bind wants it) in the config page.
      Write it in the following form:

      <ip>;

      or

      <ip>;<space><ip>;

      or

      <ip>;<space><ip>;<space><ip>;

      e.g.
      10.0.0.1;
      10.0.0.1; 10.0.0.2;
      10.0.0.1; 10.0.0.2; 10.0.0.3;

      //Dan Lundqvist

        mrzaz

        Is there any handler for the Bind package, or is it just updated ad hoc with no specific person responsible?

        Either the explanation text needs to be updated to be more precise and clear EXACTLY how the text should be entered
        or  there is a need to make the input-field validation more robust to validate that it is actually IP-addresses and also
        format the output so it follows the named.conf syntax.

        //Dan Lundqvist
        Stockholm, Sweden
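
The validation and formatting step asked for in the two posts above, as an added example (not part of the thread and not the pfSense package's code). The function names are hypothetical, and it assumes the field holds plain IPv4/IPv6 addresses only, without the optional `port` syntax BIND also accepts:

```python
import ipaddress
import re


def parse_forwarders(raw):
    """Split the GUI field on whitespace, commas or semicolons and
    require every token to be a valid IPv4 or IPv6 address."""
    tokens = [t for t in re.split(r"[\s;,]+", raw.strip()) if t]
    if not tokens:
        raise ValueError("no forwarder addresses given")
    addrs = []
    for tok in tokens:
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            raise ValueError(f"not an IP address: {tok!r}") from None
    return addrs


def render_forwarders(raw):
    """Return the named.conf statement, re-serialised from the parsed
    address objects so nothing from the raw string reaches the file."""
    addrs = parse_forwarders(raw)
    return "forwarders { " + " ".join(f"{a};" for a in addrs) + " };"


if __name__ == "__main__":
    # Constructed sample inputs: with and without user-typed semicolons,
    # free text, and stray braces that would break the config block.
    samples = [
        "10.0.0.1",
        "10.0.0.1; 10.0.0.2;",
        "10.0.0.1, 2001:db8::1",
        "dns.example.com",
        "10.0.0.1; };",
    ]
    for s in samples:
        try:
            print(f"{s!r:28} -> {render_forwarders(s)}")
        except ValueError as exc:
            print(f"{s!r:28} -> rejected ({exc})")
```

Because the output is built from the parsed addresses rather than the submitted text, the same statement comes out whether or not the user typed the semicolons, and braces or free text never reach named.conf.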

          nadir.latif

          Hi,

          I think I found a bug in the Bind GUI. I wanted to use negation when defining ACLs in Bind views. The Bind GUI in pfSense does not allow use of the negation operator. The match-clients statement in named.conf is used to define the list of clients that can access the view.

          I tried to define the match-clients statement with negation as a custom option in view tab but got the following error: /etc/namedb/named.conf:115: 'match-clients' redefined near 'match-clients'. This happened after I had unselected all options in the match clients option box. I then defined the match clients options as a custom view option. After that bind refused to start.

          It seems as though bind saves the match-clients box option even if we leave the match clients box empty. So there are 2 match client statements and that prevents bind from starting.

          Thanks,

          Nadir Latif

            marcelloc

            Nadir, it will force a GUI update to work with negation.

            I'll try to include it and forward ";" check while checking the package for 2.2

            Thanks for the feedback Nadir and mrzaz

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

              mrzaz

              Hello marcelloc,

              Thanks for handling this.  Please remember that there may be more input fields that work similarly to the one I reported, especially in the ACL section.
              Either better syntax checking / formatting or better updated information how to construct the text so it is not breaking the Bind config file and block startup.

              Best regards
              Dan Lundqvist
              MRZAZ.COM
              Stockholm, Sweden

                hobbes

                This bug is still here in version 2.2.2, April 2015

                  Ruddimaster

                  This bug is still here in version 2.2.4,  09.2015
