5 Commits

Author SHA1 Message Date
Sunil Mohan Adapa
bc9e83e41f
bind: Fix port number clash with 'shared' network connections
Closes: #707
Helps: #1570

- Network Manager's 'shared' connections use port 53 on those interfaces. Bind
by default also listens on them if possible. In some corner cases, this could
lead to a clash. This patch fixes both cases by making sure bind does not listen
on IP addresses likely used by Network Manager's 'shared' connections. If the
user has custom-configured the address, they will need to update the bind
configuration accordingly.

- App version increment is not necessary because in this release cycle we have
already incremented it once.

Tests:

- Install without patch. Increment the app version number (and the version
number in the privileged script). Notice that bind app setup is run again.
'listen-on' line is inserted into the configuration file as expected.

- Increment the version numbers again and a second 'listen-on' line is not
inserted.

- Without patch, on a machine with two network interfaces, start a 'shared'
network connection. Start bind. Notice the error that bind could not listen on
the shared network IP address.

- Without patch, on a machine with two network interfaces, start bind while a
'shared' network connection is configured with just the IP address. Start bind
and it will be listening on the shared network IP address. Configure a shared
connection and it fails to start.

- Apply the patch. Start 'shared' network connection. Start bind and notice that
bind does not attempt to listen on that shared network IP address and does not
print error message as well.

- Apply the patch. Start bind while a 'shared' network connection is configured
with just the IP address. Bind does not attempt to listen on that shared network
IP address. Start the shared network connection. It starts without issues.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2024-09-09 19:30:55 -04:00
Sunil Mohan Adapa
939f122fb5
bind: Set default forwarder as systemd-resolved
Closes: #1196.

- systemd-resolved always contains the current list of known DNS servers taken
from systemd-networkd, network-manager, or by other means. It also has fallback
DNS servers. Forwarding requests to it allows correct and failsafe way to reach
external DNS servers.

Tests:

- Freshly install bind and notice that the forwarders list is set to 127.0.0.53.

- Install without the patch. Apply patch. Restart service. bind is upgraded to
new version and forwarder is set to 127.0.0.53 if it is blank. Otherwise, it
remains as is.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2024-09-04 11:48:36 +03:00
Sunil Mohan Adapa
96b052432a
bind: Don't start a stopped daemon during changes/upgrades
Tests:

- Without patch, disable bind. Incrementing the app's version number results in
bind getting started.

- With patch, disable bind. Incrementing the app's version number does not
result in bind getting started.

- Without patch, disable bind. Update forwarders. Bind is running again.

- With patch, disable bind. Update forwarders. Bind is not running again.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2024-09-04 11:48:06 +03:00
Sunil Mohan Adapa
158366feea
bind: Drop enabling DNSSEC (deprecated) as it is always enabled
- As of bind 9.16, the option to enable DNSSEC 'dnssec-enable' is obsolete and
has no effect[1]. The option 'dnssec-validation' controls DNSSEC validation and
is set to 'auto' by default. 'auto' means that DNSSEC validation is enabled and
default trust anchor is used for DNS root zone. DNSSEC signatures are also
passed onto a client whenever available. Current stable, Debian Buster, has
version 9.16[3].

- As of bind 9.18, the option to enable DNSSEC 'dnssec-enable' is not recognized
and causes the daemon to fail to start[2]. Debian next, Debian Bookworm, has
version 9.18[3]. Therefore, in testing and unstable, bind fails to start on
installation from FreedomBox.

- There is no use-case for changing the current default behavior.

Links:

1) https://bind9.readthedocs.io/en/v9_16_32/reference.html#dnssec-validation-option

2) https://bind9.readthedocs.io/en/v9_18_6/reference.html

3) https://tracker.debian.org/pkg/bind9

Tests:

- Run functional and unit tests.

- Option to enable/disable DNSSEC is removed.

- When bind is installed on testing without the patch, it fails to start. When
the patch is applied, bind will be upgraded, the dnssec-enable option is removed
from the configuration file /etc/bind/named.conf.options and bind is running.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-10-08 18:54:08 -04:00
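The three configuration migrations described in the commits above (insert a single 'listen-on' line that skips the shared-connection addresses, fill in 127.0.0.53 as forwarder only when the list is blank, and drop the obsolete 'dnssec-enable' option) all have to be idempotent, since the tests check that re-running setup does not insert a second line. The following is an added example, not FreedomBox's own code, showing one way to perform such edits on a constructed named.conf.options fragment. The 10.42.0.0/24 range is an assumption about the address Network Manager hands out for shared connections; the function takes the list of networks to exclude as a parameter so it can be adjusted.

```python
"""Idempotent edits to a bind named.conf.options fragment (added example).

Assumptions: the file has a single top-level 'options { ... };' block, and the
shared-connection network to exclude is passed in by the caller.
"""
import re

# Constructed sample of an options file as an older setup might have written it.
SAMPLE_OPTIONS = """\
options {
\tdirectory "/var/cache/bind";
\tforwarders {
\t};
\tdnssec-enable yes;
\tdnssec-validation auto;
\tlisten-on-v6 { any; };
};
"""

DEFAULT_FORWARDER = "127.0.0.53"  # systemd-resolved stub listener


def drop_dnssec_enable(text: str) -> str:
    """Remove any 'dnssec-enable <value>;' line; bind 9.18 rejects it."""
    return re.sub(r"^[ \t]*dnssec-enable[ \t]+\w+[ \t]*;[ \t]*\n", "", text,
                  flags=re.MULTILINE)


def forwarders(text: str) -> list[str]:
    """Return the addresses currently listed in the forwarders block."""
    match = re.search(r"forwarders\s*\{([^}]*)\}", text)
    if not match:
        return []
    return [entry.strip() for entry in match.group(1).split(";") if entry.strip()]


def set_default_forwarder(text: str, default: str = DEFAULT_FORWARDER) -> str:
    """Fill an empty forwarders block with the default; leave a non-empty one alone."""
    empty_block = re.compile(r"forwarders\s*\{\s*\}\s*;")
    return empty_block.sub(f"forwarders {{\n\t\t{default};\n\t}};", text, count=1)


def add_listen_on(text: str, exclude_networks: list[str]) -> str:
    """Insert one 'listen-on' line excluding the given networks, if none exists.

    bind address match lists accept '!' negation, so '!10.42.0.0/24; any;'
    means "every address except that range". The check on an existing
    'listen-on {' line (not 'listen-on-v6') keeps the edit idempotent.
    """
    if re.search(r"^[ \t]*listen-on[ \t]*\{", text, flags=re.MULTILINE):
        return text
    entries = "".join(f"!{network}; " for network in exclude_networks) + "any;"
    line = f"\tlisten-on {{ {entries} }};\n"
    # Insert just before the '};' that closes the options block.
    closing = text.rstrip().rfind("};")
    return text[:closing] + line + text[closing:]


def migrate_options(text: str, exclude_networks: list[str]) -> str:
    """Apply all three edits; running it twice yields the same result."""
    text = drop_dnssec_enable(text)
    text = set_default_forwarder(text)
    return add_listen_on(text, exclude_networks)


if __name__ == "__main__":
    # Assumed shared-connection range; adjust to match the local setup.
    print(migrate_options(SAMPLE_OPTIONS, ["10.42.0.0/24"]))
```

Running the module prints the migrated fragment; applying `migrate_options` to its own output returns it unchanged, which is the property the commit tests exercise by bumping the version number twice.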
Sunil Mohan Adapa
cdb04bb46a
bind: Use privileged decorator for actions
Tests:

- Initial setup:
  - Creates zones directory
  - Write default configuration
  - named is restarted
- Forwarders
  - Setting forwarders works as expected.
  - Current list of forwarders is shown as expected
- List of served domains is shown properly

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-10-08 18:51:21 -04:00