Bug 253842 - dns/yadifa: update to 2.4.2
Summary: dns/yadifa: update to 2.4.2
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Juraj Lutter
URL: https://www.yadifa.eu/sites/default/f...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-25 10:30 UTC by Leo Vandewoestijne
Modified: 2021-06-30 10:37 UTC

See Also:


Attachments
Yadifa 2.4.2 (2.92 KB, patch)
2021-02-25 10:30 UTC, Leo Vandewoestijne
freebsd: maintainer-approval+
group yadifa (224 bytes, patch)
2021-02-25 10:32 UTC, Leo Vandewoestijne
freebsd: maintainer-approval+
user yadida (399 bytes, patch)
2021-02-25 10:32 UTC, Leo Vandewoestijne
freebsd: maintainer-approval+
Corrected GUId diff, dropped new configure directive (3.40 KB, patch)
2021-02-26 14:27 UTC, Harald Schmalzbauer
no flags
Yadifa 2.4.2 svndiff (3.66 KB, patch)
2021-03-02 11:06 UTC, Leo Vandewoestijne
freebsd: maintainer-approval+
Yadifa 2.4.2 v3 (5.23 KB, patch)
2021-03-10 00:10 UTC, Leo Vandewoestijne
freebsd: maintainer-approval+

Description Leo Vandewoestijne 2021-02-25 10:30:59 UTC
Created attachment 222816 [details]
Yadifa 2.4.2

I ran across a problem in Yadifa where a hidden primary (AKA master) could talk to Yadifa as secondary (AKA slave), but it behaves disobediently (or strictly) the moment it doesn't observe the AA bit.

To fix that I needed another configure option, and while updating the port I discovered a new release two days ago!

The included patch works fine (portlint, poudriere)...
however, even after updating the UIDs / GIDs files, it fails creating the group/user.

Tested against 11.4 and 12.2 (but AMD64 only).
Comment 1 Leo Vandewoestijne 2021-02-25 10:32:14 UTC
Created attachment 222818 [details]
group yadifa
Comment 2 Leo Vandewoestijne 2021-02-25 10:32:48 UTC
Created attachment 222819 [details]
user yadida
Comment 3 Harald Schmalzbauer 2021-02-26 13:53:10 UTC
Hi, thanks for the update diffs.
But I don't think --enable-non-aa-axfr-support should be included to alter the default of the "axfr-strict-authority" server setting from the <main> section.
The default is more RFC-conformant than Microsoft DNS (RFC 5936 requires the AA flag to be 1 in AXFR answers if RCODE is 0 (no error), although it RECOMMENDS that clients ignore it...).
You can always adapt your config to your needs, no need to change the default IMHO.

-harry
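The AA-flag rule discussed in the comment above, shown as an added example that is not part of this bug report or of Yadifa's code: the flags word of a DNS wire header is decoded, and an AXFR answer is classified the way a strict secondary (the port's default) versus a lenient one would treat it. The function names, the `strict` parameter and the sample headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1), laid out in a 16-bit field:
# QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6-4) RCODE(3-0)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
RCODE_MASK = 0x000F


def parse_header(msg):
    """Return (id, flags, qdcount, ancount, nscount, arcount) from a DNS wire message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    return struct.unpack("!HHHHHH", msg[:12])


def check_axfr_answer(msg, strict=True):
    """Classify an AXFR answer (hypothetical helper, mirrors the RFC 5936 rule).

    Returns (accepted, reason) where reason is one of:
      'ok'           response, RCODE 0 and AA set: what RFC 5936 requires
      'no-aa'        response, RCODE 0 but AA clear: rejected when strict,
                     tolerated when lenient (the RFC recommends clients ignore it)
      'error'        RCODE != 0: the AA requirement only applies to RCODE 0
      'not-response' QR bit clear: this is a query, not an answer
    """
    _id, flags, *_ = parse_header(msg)
    if not flags & FLAG_QR:
        return False, "not-response"
    if flags & RCODE_MASK != 0:
        return False, "error"
    if flags & FLAG_AA:
        return True, "ok"
    return (not strict), "no-aa"


def build_header(id_, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header; only the header matters for the flag check."""
    return struct.pack("!HHHHHH", id_, flags, qdcount, ancount, nscount, arcount)


# Constructed sample headers (no question/answer sections are needed here).
AA_ANSWER = build_header(0x1234, FLAG_QR | FLAG_AA, ancount=3)   # compliant primary
NON_AA_ANSWER = build_header(0x1234, FLAG_QR, ancount=3)         # primary that omits AA
REFUSED_ANSWER = build_header(0x1234, FLAG_QR | 5)               # RCODE 5 = REFUSED

if __name__ == "__main__":
    for name, hdr in [("AA set", AA_ANSWER), ("AA clear", NON_AA_ANSWER), ("REFUSED", REFUSED_ANSWER)]:
        print(name, "strict:", check_axfr_answer(hdr), "lenient:", check_axfr_answer(hdr, strict=False))
```

Running it shows that the only case where the strict and lenient policies differ is a successful answer with AA clear, which is exactly the situation the configure flag in the original patch would have changed the default for.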
Comment 4 Harald Schmalzbauer 2021-02-26 14:27:07 UTC
Created attachment 222846 [details]
Corrected GUId diff, dropped new configure directive

Please find attached the diff with corrected GIDs hunk and dropped --enable-non-aa-axfr-support configure directive.
Comment 5 Tobias Kortkamp freebsd_committer freebsd_triage 2021-02-26 14:56:07 UTC
Can you also please fix the typos and unbreak the DNSSECTOOLS, KEYGEN,
ZONESIGN options, that is, DNSSECTOOLS_OFF -> DNSSECTOOLS_CONFIGURE_OFF,
KEYGEN_ENABLE ->  KEYGEN_CONFIGURE_ENABLE,
ZONESIGN_ENABLE ->  ZONESIGN_CONFIGURE_ENABLE.

Thanks.
Comment 6 Juraj Lutter freebsd_committer freebsd_triage 2021-02-26 15:05:20 UTC
Also, portlint, portfmt, portclippy are handy, too.
Comment 7 Leo Vandewoestijne 2021-03-02 11:06:58 UTC
Created attachment 222915 [details]
Yadifa 2.4.2 svndiff

All alterations, corrections and contributions merged.
Thank you, everybody.

Tested fine (against 11.4 AMD64 and 12.2 AMD64).
Comment 8 Leo Vandewoestijne 2021-03-02 11:09:17 UTC
Comment on attachment 222846 [details]
Corrected GUId diff, dropped new configure directive

(merged with 222915)
Comment 9 Harald Schmalzbauer 2021-03-02 16:17:26 UTC
During my brief tests, I found a significant issue regarding the 'listen' resp. 'do-not-listen' directives, which breaks yadifad answering UDP queries:
https://github.com/yadifa/yadifa/issues/14
This is only true for IPv4; IPv6 UDP replies (as well as TCP4+6) still work after defining 'listen' resp. 'do-not-listen' directives!

The port's rc script doesn't handle chroot() at all
(<main>
chroot                      yes
chroot-path                 "/var/yadifa"
</main>)

The bind port/base rc script does quite a good job in populating a chroot sandbox with the required directories/permissions, and I think it also handles syslog (socket) and PID well.  It's unlikely that I find time to start debugging the UDP 'listen' breakage, and this is a showstopper for me.  So unfortunately cloning bind's rc routines will most likely be left to someone else - depends on my further tests with knot3 ...

Thanks!
-harry
Comment 10 Leo Vandewoestijne 2021-03-10 00:09:30 UTC
(In reply to Harald Schmalzbauer from comment #9)
I recognize all you say.

I suspect the listening problem is likely best solved by the vendor, so thanks for already reporting it there. And thanks for confirming it was not just me.

The rc script indeed doesn't handle chroot, but you can do that in the configfile. For me chrootpath worked as expected.

Documentation is always behind and/or incomplete or sometimes even incorrect.
Like "chroot-path / chrootpath" is not in the example config (but in the 2.3.9 manual).

The rc script doesn't populate chroot directories, since pkg-plist does that at install. But I improved the creation now that, since this update, there is a UID/GID.

All the directory settings can be controlled from the config file, which I deem the correct place to do so (and so I don't feel much for doing things twice, but I see room for improvement). So yes, I hear you. But offering both chroot and non-chroot, all perfect and adhering to BSD standards, is impossible anyway. So I leave configuration up to the user, but maybe in the future I could patch the yadifad.conf.sample with more useful pointers than there are currently.

The UDP problem can be avoided using dnsdist in front of it, which additionally offers load balancing, failover and abuse mitigation. I checked whether it may have been caused by the rc script or by the config (the "network-model" setting), but it looks like a problem I cannot solve so easily.

Anyway, I'm grateful for your feedback.

Leo.
Comment 11 Leo Vandewoestijne 2021-03-10 00:10:45 UTC
Created attachment 223135 [details]
Yadifa 2.4.2 v3

This latest patch additionally:
- corrects the configure settings in Makefile
- improves the rc to use uid/gid
- corrects uid/gid of created dirs in pkg-plist