From: sthaug@nethelp.no
To: freebsd@oldach.net
Cc: freebsd-stable@freebsd.org
Date: Mon, 01 Jul 2024 09:46:04 +0200 (CEST)
Subject: Re: BIND 9.19.24 not listening to rndc port (953)

>> # rndc status
>> rndc: connect failed: 127.0.0.1#953: connection refused
>>
>> In syslog I can see among the startup messages:
>>
>> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel 127.0.0.1#953: permission denied
>> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel ::1#953: permission denied
>
> Potentially a change in 9.19's port binding logic triggering by mac_portacl(4)?
>
> https://forums.freebsd.org/threads/named-could-not-listen-on-udp-socket-permission-denied.11196/
>
> Does it help adding 953 to security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53?

Well, I don't use mac_portacl at all on this host, and there is no
sysctl OID security.mac.portacl.rules:

# sysctl security.mac.portacl.rules
sysctl: unknown oid 'security.mac.portacl.rules'

I could probably *make* it work with mac_portacl - however, I would
much prefer to get a solution which doesn't need special kernel config
etc.

Steinar Haug, AS2116