Re: BIND 9.19.24 not listening to rndc port (953)

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Mon, 01 Jul 2024 09:49:38 UTC
On Sun, 30 Jun 2024, sthaug@nethelp.no wrote:

> Short description: Fresh install of bind9-devel-9.19.24_1 doesn't
> listen to localhost port 953, with the result that rndc doesn't work.
> Problem is 100% reproducible.
>
> Environment:
>
> - FreeBSD 13.3-STABLE #n257580
> - BIND 9.19.24 installed using "pkg install bind9-devel-9.19.24_1"
> - Default (directly from the package) named.conf, no changes
> - rc.conf has named_enable="YES" added
> - named started using service named start
>
> If I then try to use rndc, it doesn't work:
>
> # rndc status
> rndc: connect failed: 127.0.0.1#953: connection refused
>
> In syslog I can see among the startup messages:
>
> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel 127.0.0.1#953: permission denied
> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel ::1#953: permission denied

My first guess was something returns 1 and that is leaked to user space
as errno, but reading on ...

> which explains the rndc error message - but doesn't explain *why*
> this happens.
>
> Other info:
>
> - BIND 9.18.24 on the same host works perfectly, with no rndc issues.
> - BIND 9.19.24 on the same host also works *if I change it to run as
> root* (by default it runs as user bind). The syslog messages are gone,
> and rndc works as expected.

That sounds like they try to open the priv port after they changed
users rather than before.

If you (as root) temporarily change
sysctl net.inet.ip.portrange.reservedhigh=952
does it work then (as user bind)?
(don't forget to set it back after the experiment)

A ktrace might reveal more but I'd likely go to bind people and ask.
Seems like more chances.


> Speculation: 9.19.24 Release notes, under Feature changes, lists:
>
> Multiple RNDC messages are now processed when sent in a single TCP message.
>
> So maybe a bug introduced in connection with this feature change?
>
> Steinar Haug, AS2116
>
>

-- 
Bjoern A. Zeeb                                                     r15:7
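To separate the two failure modes discussed in this thread (the "permission denied" named logs when it binds the command channel after dropping to user bind, versus the "connection refused" rndc sees because nothing is listening), here is a small diagnostic added to this reply; it is not BIND code and not from the original posts. Run it as the same unprivileged user named runs as, before and after the reservedhigh sysctl experiment above, and compare the errno it reports; the host/port values are the ones from the syslog lines, nothing else is assumed.

```python
import errno
import socket

# Addresses named tried to bind for its command channel (from the syslog lines).
COMMAND_CHANNEL = (("127.0.0.1", 953), ("::1", 953))


def try_bind(host: str, port: int) -> int:
    """Attempt the same TCP bind named does for rndc.

    Returns 0 on success, otherwise the errno that bind(2) produced.
    The socket is closed immediately; nothing is left listening.
    """
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = None
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.bind((host, port))
        return 0
    except OSError as exc:
        return exc.errno if exc.errno is not None else errno.EIO
    finally:
        if sock is not None:
            sock.close()


def explain(rc: int) -> str:
    """Map the bind result to the cause a defender should look for."""
    if rc == 0:
        return "bind ok: port is free and this user may bind it"
    if rc == errno.EACCES:
        # Reserved-port check: on FreeBSD the range is controlled by
        # net.inet.ip.portrange.reservedlow/reservedhigh; an unprivileged
        # process that binds after dropping root lands here.
        return "permission denied: reserved port, bind attempted without privilege"
    if rc == errno.EADDRINUSE:
        return "address in use: another process already listens on the port"
    if rc == errno.EADDRNOTAVAIL:
        return "address not available: loopback address not configured"
    return "bind failed: " + errno.errorcode.get(rc, str(rc))


def check_command_channel(endpoints=COMMAND_CHANNEL) -> dict:
    """Probe each command-channel endpoint and return {host: explanation}."""
    return {host: explain(try_bind(host, port)) for host, port in endpoints}


if __name__ == "__main__":
    for host, verdict in check_command_channel().items():
        print(f"{host}#953: {verdict}")
```

If the loopback probes report "permission denied" as user bind but "bind ok" as root, the socket is being opened after the privilege drop, which is the ordering problem suspected above.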