From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Mar  4 21:48:37 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 198293] bind UDP dnssec failing
Date: Wed, 04 Mar 2015 21:48:37 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: brads@nyctelecomm.com
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Content-Type: text/plain; charset="UTF-8"
List-Id: Ports bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198293

            Bug ID: 198293
           Summary: bind UDP dnssec failing
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: brads@nyctelecomm.com

I am trying to configure DNSSEC as a master/slave. Following signing the zone
and uploading the DS record to my provider, I am able to see what appears to be
the proper output from dnssec-verify:

dnssec-verify -o ex-mailer.com ex-mailer.com.external.signed
Loading zone 'ex-mailer.com' from file 'ex-mailer.com.external.signed'
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked

but 3rd party tools such as http://dnsviz.net/d/ex-mailer.com/dnssec/ and/or
http://dnssec-debugger.verisignlabs.com/ex-mailer.com say that my configuration
is very incorrect and that UDP is not responding.

netstat -an|grep 53
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp6       0      0 ::1.53                 *.*                    LISTEN
tcp4       0      0 107.191.60.48.53       *.*                    LISTEN
tcp6       0      0 2001:19f0:7000:8.53    *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 ::1.53                 *.*
udp4       0      0 107.191.60.48.53       *.*
udp6       0      0 2001:19f0:7000:8.53    *.*

But, after 10 min or so, UDP on my IPv4 address begins to fail and the port
will close.
I get these errors following:

# tail -f /var/log/named/named.log
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
^C

# updatedb
>>> WARNING
>>> Executing updatedb as root.  This WILL reveal all filenames
>>> on your machine to all login users, which is a security risk.

# locate named.pid
/var/run/named/named.pid

Yet dig appears to query just fine following start of named:

before restart, following UDP freeze

gentoo-mini ~ # dig ex-mailer.com ANY @107.191.60.48

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @107.191.60.48
;; global options: +cmd
;; connection timed out; no servers could be reached

after restart of named

gentoo-mini ~ # dig ex-mailer.com ANY @107.191.60.48

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @107.191.60.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56608
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ex-mailer.com.
                        IN      ANY

;; Query time: 199 msec
;; SERVER: 107.191.60.48#53(107.191.60.48)
;; WHEN: Wed Mar 04 06:15:32 EST 2015
;; MSG SIZE  rcvd: 42

master config:

acl "trusted" {
    108.61.190.64;
    107.191.60.48;
    2001:19f0:7000:8945::64;
    2001:19f0:6c00:8141::64;
    108.61.10.10;
    127.0.0.1/32;
    ::1/128;
};
acl "outside" { any; };

options {
    directory "/usr/local/etc/namedb/working/";
    pid-file "/var/run/named/named.pid";
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
    transfer-source 108.61.10.10;
    listen-on-v6 { ::1; 2001:19f0:6c00:8141::64; };
    listen-on { 127.0.0.1; 108.61.190.64; };
    max-cache-ttl 1600;
    version none;
    allow-query { any; /* trusted; */ };
    allow-query-cache { trusted; };
    allow-transfer { trusted; };
    allow-update { trusted; };
    //forward first;
    forwarders { 108.61.10.10; 108.61.190.64; 107.191.60.48; };
};

logging {
    category default { default_log; };
    category queries { resolver_file; };
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 50M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity warning;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    category default { default_log; };
    category general { default_log; };
};

/* include "/usr/local/etc/namedb/rndc.key"; */
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "KcnxhOeXddg8dRNrn9Qfew==";
};

view "external" {
    match-clients { outside; };
    match-destinations { outside; };
    recursion yes;
    allow-query { outside; };
    zone "." IN {
        type hint;
        file "/usr/local/etc/namedb/named.root";
    };
    zone "ex-mailer.com" {
        type master;
        allow-transfer { 107.191.60.48; };
        also-notify { 107.191.60.48; };
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
    };
    zone "190.61.108.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/reverse.external";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/127.0.0.1";
    };
};

slave config:

acl "trusted" {
    108.61.190.64;
    107.191.60.48;
    2001:19f0:7000:8945::64;
    2001:19f0:6c00:8141::64;
    108.61.10.10;
    127.0.0.1/32;
    ::1/128;
};
acl "outside" { any; };

options {
    directory "/usr/local/etc/namedb/working/";
    pid-file "/var/run/named/named.pid";
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    auth-nxdomain no;
    transfer-source 108.61.10.10;
    listen-on-v6 { ::1; 2001:19f0:7000:8945::64; };
    listen-on { 127.0.0.1; 107.191.60.48; };
    max-cache-ttl 1600;
    version none;
    allow-new-zones yes;
    allow-query { any; /* trusted; */ };
    allow-query-cache { trusted; };
    allow-transfer { trusted; };
    allow-update { trusted; };
    //forward first;
    forwarders { 108.61.10.10; 108.61.190.64; 107.191.60.48; };
};

logging {
    category default { default_log; };
    category queries { resolver_file; };
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 50M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity warning;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    category default { default_log; };
    category general { default_log; };
};

#include "/usr/local/etc/namedb/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "N/SB9HZwr5yRIBwtRjcA6A==";
};

view "external" {
    match-clients { outside; };
    match-destinations { outside; };
    recursion yes;
    allow-query { outside; };
    zone "." IN {
        type hint;
        file "/usr/local/etc/namedb/named.root";
    };
    include "/usr/local/etc/namedb/tmp/zonelist.db";
    zone "ex-mailer.com" {
        type slave;
        masters { 108.61.190.64; };
        allow-notify { 108.61.190.64; };
        allow-transfer { none; };
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
    };
    zone "190.61.108.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/reverse.external";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/127.0.0.1";
    };
};

-- 
You are receiving this mail because:
You are the assignee for the bug.
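Added example, not code from the bug report: a stdlib-only Python probe that sends the same EDNS0 DNSKEY query (DO bit set) to an authoritative server over both UDP and TCP and decodes the reply header, so the "UDP times out, TCP listens" symptom described above can be separated from a zone-signing problem. It assumes IPv4 and uses the slave address 107.191.60.48 and the zone name from the report only as the sample target.

```python
# Added example (not the bug report's code): probe an authoritative server over UDP and TCP, stdlib only, IPv4.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=48, qid=0x1234, udp_size=4096):
    """Wire-format query (default DNSKEY, type 48) with an EDNS0 OPT RR, DO bit set.
    RD is left clear: an authoritative server is not asked to recurse."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # flags 0, QDCOUNT 1, ARCOUNT 1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    # OPT RR: root owner, TYPE 41, CLASS = payload size, TTL = flags (DO = 0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    """Decode the 12-byte header: id, QR/AA/RD flags, rcode name and answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an}

def probe(server, name, timeout=3.0):
    """A UDP timeout beside a TCP answer isolates the UDP listener (the symptom in the
    report); an answer with aa clear means the server is up but not serving the zone."""
    q = build_query(name)
    out = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        try:
            u.sendto(q, (server, 53))
            out["udp"] = parse_header(u.recv(4096))
        except socket.timeout:
            out["udp"] = "timeout"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as t:
        t.settimeout(timeout)
        try:
            t.connect((server, 53))
            t.sendall(struct.pack("!H", len(q)) + q)  # TCP prefixes each message with its length
            f = t.makefile("rb")                      # file reads block until n bytes or EOF
            (n,) = struct.unpack("!H", f.read(2))
            out["tcp"] = parse_header(f.read(n))
        except OSError:  # socket.timeout and ConnectionRefusedError are both OSError
            out["tcp"] = "timeout/refused"
    return out

if __name__ == "__main__":
    print(probe("107.191.60.48", "ex-mailer.com"))  # slave address quoted in the report
```

The decoded header corresponds to dig's HEADER line (status, flags, id), so a UDP "timeout" beside a TCP answer points at the listener rather than at the signatures.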