DoT stops working after "rndc reconfigure" when running named as non-root
Summary
DoT stops working after "rndc reconfigure" when running named as non-root
BIND version used
BIND 9.18.0 (Stable Release) <id:8db45af>
running on FreeBSD amd64 12.3-STABLE FreeBSD 12.3-STABLE r371270 DNS_VIMAGE
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1m-freebsd 14 Dec 2021
linked to OpenSSL version: OpenSSL 1.1.1m-freebsd 14 Dec 2021
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libnghttp2 version: 1.44.0
linked to libnghttp2 version: 1.44.0
compiled with libxml2 version: 2.9.12
linked to libxml2 version: 20912
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Also tried 9.17.18 (Installed from FreeBSD package) and 9.17.22 (compiled from source).
Steps to reproduce
Start named with the following command line:
/usr/local/sbin/named -t /var/named -u bind -c /usr/local/etc/namedb/named.conf
and with the following named.conf file:
options {
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on { 193.75.110.2; 127.0.0.1; };
    listen-on port 853 tls dotas2116 { 193.75.110.2; 127.0.0.1; };
    interface-interval 0;
    recursion yes;
    max-cache-size 1500M;
    minimal-any yes;
    minimal-responses yes;
    querylog yes;
    allow-query { 194.19.2.0/24; 193.75.110.0/24; 127.0.0.1; };
};
tls dotas2116 {
    cert-file "/usr/local/etc/namedb/fullchain.pem";
    key-file "/usr/local/etc/namedb/privkey.pem";
    protocols { TLSv1.2; TLSv1.3; };
};
What is the current bug behavior?
After doing "rndc reconfigure", named no longer listens on TCP port 853. This is visible in the log:
Jan 31 16:29:08 nslum named[42849]: no longer listening on 127.0.0.1#853
Jan 31 16:29:08 nslum named[42849]: listening on IPv4 interface lo0, 127.0.0.1#853
Jan 31 16:29:08 nslum named[42849]: creating TLS socket: permission denied
Jan 31 16:29:08 nslum named[42849]: creating IPv4 interface lo0 failed; interface ignored
Jan 31 16:29:08 nslum named[42849]: no longer listening on 193.75.110.2#853
Jan 31 16:29:08 nslum named[42849]: listening on IPv4 interface ixl1.15, 193.75.110.2#853
Jan 31 16:29:08 nslum named[42849]: creating TLS socket: permission denied
Jan 31 16:29:08 nslum named[42849]: creating IPv4 interface ixl1.15 failed; interface ignored
Using "dig +tls" to test results in:
;; Connection to 193.75.110.2#853(193.75.110.2) for vg.no failed: connection refused.
and using the FreeBSD "sockstat" command shows that named is not listening on TCP port 853.
What is the expected correct behavior?
The expected behavior is that "dig +tls" works and resolves names normally. This works right after startup, and using the "sockstat" command I can see that named is listening on TCP port 853:
Jan 31 16:27:10 nslum named[42849]: listening on IPv4 interface lo0, 127.0.0.1#853
Jan 31 16:27:10 nslum named[42849]: listening on IPv4 interface ixl1.15, 193.75.110.2#853
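As an added example (not part of the report or of BIND itself), a small detection script that replays named's interface log lines, such as the startup and post-reconfigure lines quoted above, and reports which port-853 listeners are still active and which were retracted with a logged TLS socket error. The message formats are taken from the report; the sample log is constructed from its lines.

```python
import re

# Constructed sample: the startup and post-"rndc reconfigure" lines quoted in the report.
SAMPLE_LOG = """\
Jan 31 16:27:10 nslum named[42849]: listening on IPv4 interface lo0, 127.0.0.1#853
Jan 31 16:27:10 nslum named[42849]: listening on IPv4 interface ixl1.15, 193.75.110.2#853
Jan 31 16:29:08 nslum named[42849]: no longer listening on 127.0.0.1#853
Jan 31 16:29:08 nslum named[42849]: listening on IPv4 interface lo0, 127.0.0.1#853
Jan 31 16:29:08 nslum named[42849]: creating TLS socket: permission denied
Jan 31 16:29:08 nslum named[42849]: creating IPv4 interface lo0 failed; interface ignored
Jan 31 16:29:08 nslum named[42849]: no longer listening on 193.75.110.2#853
Jan 31 16:29:08 nslum named[42849]: listening on IPv4 interface ixl1.15, 193.75.110.2#853
Jan 31 16:29:08 nslum named[42849]: creating TLS socket: permission denied
Jan 31 16:29:08 nslum named[42849]: creating IPv4 interface ixl1.15 failed; interface ignored
"""

LISTEN = re.compile(r"listening on IPv[46] interface (?P<iface>\S+), (?P<addr>\S+)#(?P<port>\d+)")
CLOSE = re.compile(r"no longer listening on (?P<addr>\S+)#(?P<port>\d+)")
IFACE_FAIL = re.compile(r"creating IPv[46] interface (?P<iface>\S+) failed; interface ignored")


def dot_listener_state(log_text, port=853):
    """Return (active, failed) for listeners on `port`: active maps "addr#port" to its
    interface, failed maps it to the error logged before named gave up on it. named logs
    "listening on" before opening the socket, so a later "interface ... ignored" retracts it."""
    active, failed = {}, {}
    pending, last_error = None, None  # most recent "listening on" not yet confirmed
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[-1]  # strip the syslog/PID prefix if present
        if (hit := LISTEN.search(msg)) and int(hit["port"]) == port:
            key = f"{hit['addr']}#{hit['port']}"
            active[key] = hit["iface"]
            failed.pop(key, None)
            pending, last_error = (key, hit["iface"]), None
        elif (hit := CLOSE.search(msg)) and int(hit["port"]) == port:
            active.pop(f"{hit['addr']}#{hit['port']}", None)
        elif msg.startswith("creating TLS socket:"):
            last_error = msg  # remember the reason; the retraction comes next
        elif (hit := IFACE_FAIL.search(msg)) and pending and pending[1] == hit["iface"]:
            active.pop(pending[0], None)
            failed[pending[0]] = last_error or msg
            pending = None
    return active, failed


if __name__ == "__main__":
    active, failed = dot_listener_state(SAMPLE_LOG)
    print("active:", active or "none", "\nfailed:", failed or "none")
```

Run against the lines above it reports no active port-853 listener and both addresses failed with "creating TLS socket: permission denied"; fed only the two startup lines it reports both as active.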
Relevant configuration files
See named.conf above.