pkg-bind: Correct filenames so DNSSEC signs Reverse Zones #215

Closed (6 commits)

Conversation

hb9cwp (Contributor) commented Nov 21, 2016

Without this change, inline signing fails to sign Reverse Zones because BIND expects to find the key files which were generated by dnssec-keygen with filenames /cf/named/etc/namedb/keys/K171.168.192.in-addr.arpa.+00....

Still, this patch does not fix the problem where keys are restored from DNSSEC backup file for a zone that was previously created, then deleted, and finally re-created. Currently, when re-creating the signed Reverse Zone, it will restore the keys from the XML config using the (wrong) old filename. DNSSEC inline signing will fail to sign the newly created Reverse Zone.

Perhaps it will be cleaner/simpler to refactor the code for Reverse Zones so as to require the user to enter the full name of Reverse Zones, e.g. with trailing .in-addr.arpa. or .ip6.arpa. in $zonename.

This would also facilitate first time use of Reverse Zones in pfSense as the BIND package will not auto-magically append this stuff to Reverse Zones, and behave as one would expect?

The default behaviour of BIND is that Slaves will send NOTIFY to other Secondaries. In pfSense, `notify no` in all Slave zones prevents this default behaviour, which is unexpected and looks like a bug until inspecting named.conf.

There is no way to overcome this `notify no`, even when putting `notify explicit {}` into Custom Options of surrounding views for example. Even worse, BIND will throw an error when putting another `notify yes|explicit {}` into Custom Options of zones, and named will subsequently fail to start.

Admins who do want to prevent their Slaves from sending NOTIFY should put `notify no` explicitly into the Custom Options.
In my use case however, I need my Slaves to send NOTIFY to I/AXFR servers of the global anycast Secondaries at DNSMadeEasy, using the following in the Custom Options of the view:

```
notify explicit;
also-notify {
 208.94.147.135;
 208.94.150.198;
 63.219.151.12;
};
```

This only works with the proposed PR.
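The key-file naming mismatch described in this PR, as an added example (not code from the pfSense BIND package or from the PR author): a Python helper that derives the reverse zone name from a network prefix, builds the `K<zone>.+<alg>+<keyid>.key` pattern that dnssec-keygen uses and that BIND's inline signing looks for in its key directory, and then checks a constructed key directory holding one correctly named file and one named with the truncated zone name. The network 192.168.171.0/24, the temporary key directory, algorithm number 013 and key id 12345 are assumed for illustration only.

```python
import glob
import ipaddress
import os
import tempfile


def reverse_zone(cidr: str) -> str:
    """Return the reverse-lookup zone name for a network prefix, e.g.
    192.168.171.0/24 -> 171.168.192.in-addr.arpa
    2001:db8::/32    -> 8.b.d.0.1.0.0.2.ip6.arpa
    Only octet-aligned IPv4 and nibble-aligned IPv6 prefixes are handled;
    RFC 2317 classless delegations are out of scope here."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def key_file_pattern(zone: str) -> str:
    """dnssec-keygen names its files K<zone>.+<alg>+<keyid>.key (plus the
    matching .private); inline signing looks for exactly that prefix in
    key-directory, so a key generated under a truncated zone name is never
    picked up."""
    return f"K{zone}.+*.key"


def find_zone_keys(keydir: str, zone: str) -> list:
    """List the public key files in keydir that BIND would associate with zone."""
    paths = glob.glob(os.path.join(keydir, key_file_pattern(zone)))
    return sorted(os.path.basename(p) for p in paths)


def demo() -> dict:
    """Constructed scenario (assumed names, not real keys): a key directory
    containing a key named with the truncated zone name, as produced before
    this fix, and one named with the full in-addr.arpa zone name."""
    zone = reverse_zone("192.168.171.0/24")
    with tempfile.TemporaryDirectory() as keydir:
        for name in (
            "K171.168.192.+013+12345.key",               # truncated: invisible to BIND
            "K171.168.192.in-addr.arpa.+013+12345.key",  # what BIND actually looks for
        ):
            with open(os.path.join(keydir, name), "w") as f:
                f.write("; constructed placeholder, not a real DNSKEY\n")
        found = find_zone_keys(keydir, zone)
        short = find_zone_keys(keydir, "171.168.192")
    return {"zone": zone, "found": found, "short_name_matches": short}


if __name__ == "__main__":
    print(demo())
```

This is purely a naming check: it tells you whether a key file exists under the name inline signing will search for, not whether the key inside is valid or published in the zone. After re-creating a zone, running `find_zone_keys` against the key directory is a quick way to catch the restored-from-backup case the PR mentions, where the XML config still carries the old truncated filename.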
hb9cwp changed the title from "Correct filenames so DNSSEC signs Reverse Zones" to "BIND: Correct filenames so DNSSEC signs Reverse Zones", then to "pkg-bind: Correct filenames so DNSSEC signs Reverse Zones" on Nov 21, 2016
rbgarga (Member) commented Nov 30, 2016

Looks like changes for #215 and #216 got mixed. Could you please re-submit? You could submit both changes, with 2 different commits, on the same Pull Request

rbgarga (Member) commented Dec 1, 2016

Manually merged, thanks!

rbgarga closed this Dec 1, 2016
netgate-git-updates pushed a commit that referenced this pull request Aug 17, 2017
  [ Robert Edmonds ]
  * Release 1.3.0.

  * Add test case for the issue in #220 (#254).

  * Fix issue #251, "Bad enums with multiple oneofs" (#256).

  * Add warning flags to my_CFLAGS (#257).

  * Fix namespace errors when compiled with latest protobuf (#280).

  * Bump minimum required header version for proto3 syntax (#282).

  [ Paolo Borelli ]
  * Turn the compiler into a protoc plugin (#206). This allows the protobuf-c
    compiler to be invoked as "protoc --c_out=...". For backwards
    compatibility, we still ship a protoc-c command, but it's a symlink to the
    protoc-gen-c binary.

  * proto3 support (#228).

  * Remove leftover FIXME comment (#258).

  * Fix proto3 "is zeroish" evaluation (#264).

  * Small cleanup in oneof handling (#265).

  * Rework is_zeroish one more time (#267).

  * proto3: make strings default to "" instead of NULL (#274).

  [ Tomek Wasilczyk ]
  * Fix -Wsign-compare warnings (#213).

  * Fix ISO C90 -Wdeclaration-after-statement warnings (#214).

  * Fix bigendian -Wunused-label warning (#215).

  [ Ilya Lipnitsky ]
  * protoc-c/c_message.cc: Force int size on oneof enums (#221). Fixes wrong
    enum generation and handling for oneof cases (#220).

  [ Adnan ]
  * Fix cmake build if built as part of an external project (#231).

  [ Gregory Detal ]
  * Remove .pb.{cc,h} in distdir instead of top_distdir in order to prevent
    removing files from other projects when protobuf-c is included as an
    autotools subproject (#232).

  [ Ben Farnham ]
  * Relax autoconf constraint from v2.64 to v2.63 so that it works on older
    Linux distros (#233).

  [ Thomas Koeckerbauer ]
  * rm argument fix for Solaris (#234).

  * Add 'const' qualifier to 'init_value' variable in generated files (#236).

  [ Richard Kettlewell ]
  * Document and extend the effect of passing NULL to ..._free_unpacked
    functions (#255).

  [ Alex Milich ]
  * CMake: Workaround for static builds that use MSVC (#243).

  [ Josh Junon ]
  * CMake: Allow protobuf-c to be included via include_subdirectory (#245).

  [ Alexei Kasatkin ]
  * CMake: Windows fixes (#266).

This fixes the build breakage with devel/protobuf 1.3.0 [1]

PR:		221572 [1]
Sponsored by:	Farsight Security, Inc.
netgate-git-updates pushed a commit that referenced this pull request Sep 26, 2022
 * 2.6.1
  - use 'zu' format string in deduper_dump() (#196)

  - ctype.h functions require int arguments. cygwin gcc enforces this.
    Update version to 2.6.1

 * 2.6.2
  - fix three memory leaks revealed by valgrind (#202)

  - see if we can remove the need for res_rcode() by changing the error
    path (#200)

  - use strtok_r() in preference to strsep(), for consistency and
    modernity (#203)

  - based on PR 204, refactor and comment for clarity (#205)

 * 2.6.3
  - replace strtok_r() by new tokstr library

  - tokstr_h was a typo, thanks to codereview.stackexchange.com for
    finding it

  - attempt to work around gcc11 structure size checks (#207)

  - tokstr regions (#208)

  - Revised fix for issue 209: "error: unknown type ssize_t; did you
    mean _ssize_t?" (#211)

  - Can now build on Apple M1 processors by following the instructions
    (#212)

  - Clarify that not all macOS M1 machines have homebrew in the new
    /opt/homebrew location

  - Document again the HTTPS_PROXY environment variable

 * 2.6.4
   - Issue 214: batch option parsing bug in tokstr library changes.
     (#215)

Sponsored by:	DomainTools