BIND-9.19.19 doesn't honor "rndc reload" for enabling/disabling the new proxy-mechanism
Summary
Testing BIND-9.19.19 with the new proxy protocol function, I recognized that enabling/disabling the `proxy` option on the `listen-on` statement requires a restart of `named` and is not honored by `rndc reload`.
I'm not sure if this is a bug or if it works as expected.
BIND version affected
```
$ named -V
BIND 9.19.19 (Development Release) <id:18a05ca>
running on Linux x86_64 4.18.0-425.19.2.el8_7.x86_64 #1 SMP Tue Apr 4 22:38:11 UTC 2023
built by make with '--prefix=/usr/local/bind-9.19.19' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' '--enable-dnstap' '--with-libxml' '--enable-singletrace' 'PKG_CONFIG_PATH=/usr/local/fstrm/lib/pkgconfig/:/usr/local/h2o/lib64/pkgconfig'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-16)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.41.1
linked to libuv version: 1.41.1
compiled with liburcu version: 0.10.1
compiled with jemalloc version: 5.2.1
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.0
linked to protobuf-c version: 1.3.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): no
default paths:
  named configuration:  /opt/chroot/bind/etc/named/named.conf
  rndc configuration:   /opt/chroot/bind/etc/named/rndc.conf
  nsupdate session key: /opt/chroot/bind/var/run/named/session.key
  named PID file:       /opt/chroot/bind/var/run/named/named.pid
```
Steps to reproduce
- Start `named` without the proxy feature:
  ```
  listen-on port 5353 { 10.100.102.21; 127.0.0.1; };
  ```
- Afterwards, add the proxy feature to the `listen-on` statement:
  ```
  listen-on port 5353 proxy plain { 10.100.102.21; 127.0.0.1; };
  ```
- Reload `named` with `rndc reload`.
- Verify whether `named` honors the proxy protocol (which is not the case now):
  ```
  $ dig @10.100.102.21 -p 5353 isc.org +proxy
  ;; Warning: ID mismatch: expected ID 10605, got 3338
  ```
- Because that's not working now, restart `named`:
  ```
  $ systemctl restart named
  ```
- Query the resolver again:
  ```
  $ dig @10.100.102.21 -p 5353 isc.org +proxy

  ; <<>> DiG 9.19.19 <<>> @10.100.102.21 -p 5353 isc.org +proxy
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62575
  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; COOKIE: 6c3f83b370b29227010000006596bff6545d52c215a2e120 (good)
  ;; QUESTION SECTION:
  ;isc.org.                       IN      A

  ;; ANSWER SECTION:
  isc.org.                300     IN      A       149.20.2.28

  ;; Query time: 356 msec
  ;; SERVER: 10.100.102.21#5353(10.100.102.21) (UDP)
  ;; CLIENT PROXY HEADER: LOCAL
  ;; WHEN: Thu Jan 04 15:25:58 CET 2024
  ;; MSG SIZE  rcvd: 80
  ```
What is the current bug behavior?
`named` doesn't honor enabling/disabling the proxy feature in the `listen-on` statement with `rndc reload`. Only a restart of `named` makes this work.
What is the expected correct behavior?
An `rndc reload` should be enough to enable/disable the proxy feature.
Relevant configuration files
See the `listen-on` snippet above.
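As an added example that is not part of this report, the Python probe below automates the check from the reproduction steps: it prepends a PROXYv2 LOCAL header (the kind `dig +proxy` sends when no addresses are given) to a plain DNS query, sends it over UDP to the address and port from the `listen-on` statement, and classifies the reply by its message ID. It also explains the `got 3338` in the warning above: 3338 is 0x0D0A, the first two bytes of the PROXYv2 signature, which is what a listener that is not in proxy mode parses as the DNS message ID. The server address and port in `__main__` are taken from the report; the function names are the example's own.

```python
import os
import socket
import struct

# Fixed 12-byte PROXY protocol v2 signature from the PROXY protocol spec.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"

def build_proxy_v2_local_header() -> bytes:
    """16-byte PROXYv2 LOCAL header, as dig +proxy sends when no addresses are given:
    version 2 / command LOCAL (0x20), family+transport UNSPEC (0x00), address length 0."""
    return PROXY_V2_SIG + bytes([0x20, 0x00]) + struct.pack("!H", 0)

def build_dns_query(qname: str, qid: int) -> bytes:
    """Minimal DNS query for <qname> A IN with the RD flag set and no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lb)]) + lb.encode() for lb in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(sent_id: int, response: bytes) -> str:
    """Tell from the reply's message ID whether the listener consumed the PROXY header.
    A proxy-mode listener strips the header and answers with our ID. A listener not in
    proxy mode parses the datagram from byte 0 as DNS, so the ID it echoes back is the
    first two signature bytes "\\r\\n" = 0x0D0A = 3338, the ID in the report's warning."""
    if len(response) < 12:
        return "no-dns-response"
    (rid,) = struct.unpack("!H", response[:2])
    if rid == sent_id:
        return "proxy-honored"
    if rid == 0x0D0A:
        return "proxy-ignored"
    return "unexpected-id"

def probe(server: str, port: int, qname: str = "isc.org", timeout: float = 3.0) -> str:
    """Send one PROXYv2-prefixed UDP query and classify the reply (needs network access)."""
    qid = int.from_bytes(os.urandom(2), "big")
    payload = build_proxy_v2_local_header() + build_dns_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(qid, reply)

if __name__ == "__main__":
    # Address and port from the report's listen-on statement.
    print(probe("10.100.102.21", 5353))
```

Run it once after `rndc reload` and once after a restart of `named`; the reported bug shows as `proxy-ignored` after the reload and `proxy-honored` after the restart.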