Date: Mon, 1 Jul 2024 09:49:38 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: sthaug@nethelp.no
cc: freebsd-stable@freebsd.org
Subject: Re: BIND 9.19.24 not listening to rndc port (953)

On Sun, 30 Jun 2024, sthaug@nethelp.no wrote:

> Short description: Fresh install of bind9-devel-9.19.24_1 doesn't
> listen to localhost port 953, with the result that rndc doesn't work.
> Problem is 100% reproducible.
>
> Environment:
>
> - FreeBSD 13.3-STABLE #n257580
> - BIND 9.19.24 installed using "pkg install bind9-devel-9.19.24_1"
> - Default (directly from the package) named.conf, no changes
> - rc.conf has named_enable="YES" added
> - named started using service named start
>
> If I then try to use rndc, it doesn't work:
>
> # rndc status
> rndc: connect failed: 127.0.0.1#953: connection refused
>
> In syslog I can see among the startup messages:
>
> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel 127.0.0.1#953: permission denied
> Jun 30 12:53:31 nlab0 named[31772]: couldn't add command channel ::1#953: permission denied

my first guess was something returns 1 and that is leaked to user space
as errno but reading on ...

> which explains the rndc error message - but doesn't explain *why*
> this happens.
>
> Other info:
>
> - BIND 9.18.24 on the same host works perfectly, with no rndc issues.
> - BIND 9.19.24 on the same host also works *if I change it to run as
> root* (by default it runs as user bind). The syslog messages are gone,
> and rndc works as expected.

That sounds like they try to open the priv port after they changed users
rather than before.

If you (as root) temporarily change
	sysctl net.inet.ip.portrange.reservedhigh=952
does it work then (as user bind)?
(don't forget to set it back after the experiment)

A ktrace might reveal more but I'd likely go to bind people and ask.
Seems like more chances.

> Speculation: 9.19.24 Release notes, under Feature changes, lists:
>
> Multiple RNDC messages are now processed when sent in a single TCP message.
>
> So maybe a bug introduced in connection with this feature change?
>
> Steinar Haug, AS2116
>
>

-- 
Bjoern A. Zeeb                                                     r15:7
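
The experiment suggested in the reply above, wrapped so that the sysctl is restored however the script ends. This is an added example, not part of the original message; it assumes FreeBSD, a root shell, and that named logs to /var/log/messages, and `run_experiment` and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD, root, and that named
# logs to /var/log/messages (assumption; set LOG if syslog.conf differs).
OID=net.inet.ip.portrange.reservedhigh   # sysctl named in the reply
LOG=${LOG:-/var/log/messages}

# Port from a "couldn't add command channel ADDR#PORT: permission denied" line.
channel_port() {
    printf '%s\n' "$1" | sed -n \
        "s/.*couldn't add command channel .*#\([0-9][0-9]*\): permission denied.*/\1/p"
}

# Largest reservedhigh value that leaves port $1 outside the reserved range.
reservedhigh_for() { echo $(( $1 - 1 )); }

# True if port $1 lies in the root-only range [$2 (reservedlow), $3 (reservedhigh)].
is_reserved() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

run_experiment() {
    old=$(sysctl -n "$OID") || return 1
    low=$(sysctl -n net.inet.ip.portrange.reservedlow) || return 1
    last=$(grep "couldn't add command channel" "$LOG" | tail -n 1)
    port=$(channel_port "$last")
    port=${port:-953}                    # rndc port from the thread
    if ! is_reserved "$port" "$low" "$old"; then
        echo "port $port is not reserved (range $low-$old); nothing to test"
        return 0
    fi
    # Restore the original value however the script ends.
    trap 'sysctl "$OID=$old" >/dev/null' EXIT
    trap 'exit 1' INT TERM
    sysctl "$OID=$(reservedhigh_for "$port")" >/dev/null
    service named restart
    sleep 2
    if rndc status >/dev/null 2>&1; then
        echo "rndc works once $port is unreserved: the bind happens after the uid change"
    else
        echo "rndc still fails: the reserved-port check is not the (only) cause"
    fi
}

if [ "${1:-}" = run ]; then
    run_experiment
fi
```

Invoke it with the single argument `run`; without it the script only defines the functions.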