Bug 223403 - [patch proposal] dns/bind911: Make rc.d/named session key aware in make_symlinks() for named_chrootdir!=""
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mathieu Arnold
Depends on:
Reported: 2017-11-03 17:21 UTC by Harald Schmalzbauer
Modified: 2017-11-07 15:49 UTC (History)
bugzilla: maintainer-feedback? (mat)

Also symlink bind's session-keyfile when running in chrootdir. (2.06 KB, patch)
2017-11-03 17:21 UTC, Harald Schmalzbauer

Description Harald Schmalzbauer 2017-11-03 17:21:27 UTC
Created attachment 187699 [details]
Also symlink bind's session-keyfile when running in chrootdir.

While there's convenient 'rndc' usage out of the box,
'nsupdate -l' is only convenient if named_symlink_enable=NO (named_chrootdir="").

Attached diff handles session-keyfile config option and the resulting symlinking exactly the same way as rc.d/named and rc.subr do it for pid-file config option.
This is not really the most elegant way, but I always prefer consistency over simplicity/beauty.
Comment 1 Harald Schmalzbauer 2017-11-03 17:25:24 UTC
Comment on attachment 187699 [details]
Also symlink bind's session-keyfile when running in chrootdir.

Sorry, forgot to clean whitespace (style?) for get_sessionkeyfile_from_conf() in the attached patch. Copy'n'paste from rc.subr mutilated tab stops. No need to attach a replacing diff?
Comment 2 Mathieu Arnold freebsd_committer 2017-11-06 14:12:52 UTC
Is it not possible to use get_pidfile_from_conf to get the session file? It would probably be better rather than duplicating all the code.

Side question as I never used that file, in which version of BIND9 is it supported ? (To see which ports to apply this patch to.)
Comment 3 Harald Schmalzbauer 2017-11-06 15:06:59 UTC
I have 910 and 911 from ports and can confirm that both install nsupdate(1) with '-l' (session.key) capability.

I found an older FreeBSD 9.3 setup, with bind/named(8) in base, which answers 'chaos version.bind txt' with 9.9.5 (config checked, seems unaltered answer, although I'd bet money that it would be bind 8...)
Anyway, also this version of nsupdate(1) looks for a session key in -l (local) mode.

Unfortunately I can't help finding a better solution than dumb code copy at the moment.
Will come back to that topic maybe in some weeks, then I can see if get_pidfile_from_conf is usable for session.key determination.

This is not an urgent issue I think, most times fellows using nsupdate(1) might have rolled out individual keys and do their tasks remotely.  It was just one special setup where I ever used '-l'.
Just wanted to record this area of possible improvement.
Comment 4 Mathieu Arnold freebsd_committer 2017-11-07 15:48:12 UTC
I removed the copy you did of get_pidfile_from_conf and used it for the session-keyfile line, it works just fine.
Comment 5 commit-hook freebsd_committer 2017-11-07 15:49:29 UTC
A commit references this bug:

Author: mat
Date: Tue Nov  7 15:48:17 UTC 2017
New revision: 453667
URL: https://svnweb.freebsd.org/changeset/ports/453667

  Add a symlink to named's session-keyfile.

  Using nsupdate -l, and chroot was broken because nsupdate could not find
  the keyfile by itself.

  PR:		223403
  Submitted by:	Harald Schmalzbauer
  Sponsored by:	Absolight
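The mechanism discussed in Comments 2 and 4 and in the commit (one named.conf option extractor shared by pid-file and session-keyfile, whose result is then symlinked from the host filesystem into the chroot so rndc and nsupdate -l find the file), as an added example that is not FreeBSD's rc.d/named or rc.subr code: the names get_conf_path and link_into_chroot, the HOST_ROOT variable and the sample named.conf are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not rc.d/named: pull a quoted path option out of named.conf
# and create the host-side symlink pointing at the copy inside the chroot.

# get_conf_path OPTION FILE: print the path given as `OPTION "/path";` in FILE.
# Same approach as rc.subr's get_pidfile_from_conf (line scan, strip `;` and
# quotes) but parameterised on the option name so pid-file and
# session-keyfile share one function. Comment lines (// or #) are skipped.
get_conf_path()
{
	local option file line value
	option="$1"; file="$2"
	[ -s "$file" ] || return 1
	while read -r line; do
		case "$line" in
		//*|\#*) continue ;;                     # skip commented-out options
		*"$option"*)
			value="${line#*${option}}"
			value="${value#"${value%%[![:space:]]*}"}"   # strip leading blanks
			value="${value%%;*}"                     # drop trailing `;` and rest
			value="${value#\"}"; value="${value%\"}" # drop surrounding quotes
			printf '%s\n' "$value"
			return 0 ;;
		esac
	done < "$file"
	return 1
}

# link_into_chroot CHROOTDIR PATH: create PATH -> CHROOTDIR/PATH on the host,
# the direction rc.d/named uses for the pid file. HOST_ROOT (hypothetical,
# default empty) prefixes the link location so this runs without root.
link_into_chroot()
{
	local link
	link="${HOST_ROOT:-}$2"
	mkdir -p "$(dirname "$link")"
	ln -fs "$1$2" "$link"
}

# Constructed sample: scratch chroot with a minimal named.conf.
DEMO=$(mktemp -d); CHROOT="$DEMO/chroot"; HOST_ROOT="$DEMO/host"
mkdir -p "$CHROOT/etc/namedb" "$CHROOT/var/run/named"
cat > "$CHROOT/etc/namedb/named.conf" <<'EOF'
options {
	pid-file	"/var/run/named/pid";
	// session-keyfile "/tmp/not-this-one";
	session-keyfile	"/var/run/named/session.key";
};
EOF
for opt in pid-file session-keyfile; do
	p=$(get_conf_path "$opt" "$CHROOT/etc/namedb/named.conf") || continue
	link_into_chroot "$CHROOT" "$p"
done
```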