
dns/pfSense-pkg-bind: freeze dynamic zones #689

Closed (4 commits)

Conversation

@overhacked (Contributor, Author)

Fixes Bug #8258

DDNS-enabled zones are corrupted by any changes made
to their DB files during bind_sync(), because it causes
them to conflict with the .jnl files BIND maintains
for DDNS updates. The corruption causes BIND to refuse
to load the zone until the .jnl file is manually deleted.

This patch causes pfSense to run rndc freeze/thaw
before/after changing the zone files so that the
zones are no longer considered corrupt by BIND.

This patch quickly resolves the issue of pfSense causing
BIND to refuse to load the zones, but it does have the
effect that all DDNS changes to the zone are overwritten
with pfSense's saved XML zone configuration every time
bind_sync() runs.

This overwriting behavior is still an improvement on the
current situation in which the user must manually discard
all dynamic changes by deleting the .jnl file, so this
maintains the status quo behavior of dynamic zones and
fixes a bug.

A future improvement, but much more complex to implement,
will be to persist the dynamic changes to the zone either
by adding them to pfSense's custom zone records or
temporarily caching them while bind_sync() rewrites the
DB file and adding them back to the DB before thaw. Either
approach will require parsing the DB file with PHP
and diff-ing it with what pfSense expects it to be. Another
possibility would be to add use of the
[$INCLUDE directive](http://www.zytrax.com/books/dns/ch8/include.html)
to pfSense's zone generation if a zone is dynamic so that
BIND puts dynamic updates in one DB file and pfSense maintains
a separate DB file that corresponds to the XML configuration.

@jim-p (Contributor) left a comment

Needs a couple of security improvements, see inline notes.

Also needs a version bump (increase PORTVERSION or add a PORTREVISION line in the package Makefile)

Two inline review comments on dns/pfSense-pkg-bind/files/usr/local/pkg/bind.inc (outdated, resolved)
@jim-p (Contributor) left a comment

Looks OK but could use a couple small style changes I missed on the first pass.

Four inline review comments on dns/pfSense-pkg-bind/files/usr/local/pkg/bind.inc (outdated, resolved)
@overhacked (Contributor, Author)

This branch is based on RELENG_2_4_4 for testing purposes. Shall I go ahead and rebase onto devel or master?

@jim-p (Contributor)

jim-p commented Oct 27, 2019

I didn't catch that before, but yes, it must be against devel in this repo. Rebase might not be viable since it might attach all the commits to your PR, you'll probably need to make a new PR so it only contains your intended changes.

Additional commits on the branch:
- Bump PORTREVISION
- escapeshellarg() for user input
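Added example (not code from this PR or from pfSense-pkg-bind): a POSIX shell version of the freeze/rewrite/thaw sequence the PR description explains, with the checks a reviewer would want around it. The zone name is validated before it is placed on the rndc command line (the shell counterpart of the `escapeshellarg()` commit above), `rndc freeze` must succeed before the DB file is touched, and the zone is thawed again even when the rewrite fails so it is not left read-only. `rndc freeze` and `rndc thaw` are BIND's real subcommands; the `RNDC` variable, `valid_zone_name`, `freeze_rewrite_thaw` and its arguments are assumptions made for this example. It is meant only for zones BIND treats as dynamic, which are the ones the PR freezes.

```shell
#!/bin/sh
# Added example, not pfSense-pkg-bind code: replace a dynamic zone's DB file
# only while the zone is frozen, so BIND does not end up with a DB file that
# disagrees with its .jnl journal. Assumed names: RNDC, valid_zone_name,
# freeze_rewrite_thaw and its arguments; `rndc freeze`/`rndc thaw` are BIND's.

RNDC=${RNDC:-rndc}   # assumption: rndc is on PATH, or set RNDC=/path/to/rndc

# Accept only characters that can appear in a hostname-style zone name.
# Anything else (spaces, ';', '$(...)', quotes) is refused outright rather
# than escaped, because it is never a legitimate zone name here.
valid_zone_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# freeze_rewrite_thaw ZONE ZONEFILE NEWFILE
#   ZONE     zone name as BIND knows it (must be a dynamic zone)
#   ZONEFILE the DB file BIND loads for that zone
#   NEWFILE  the regenerated zone data that should replace ZONEFILE
# Exit status: 0 on success, 2 if ZONE is refused, 1 on any rndc/file error.
freeze_rewrite_thaw() {
    zone=$1
    zonefile=$2
    newfile=$3

    valid_zone_name "$zone" || {
        echo "refusing unsafe zone name: $zone" >&2
        return 2
    }

    # If freeze fails (zone unknown, not dynamic, rndc unreachable) do not
    # touch the file: writing it now is exactly what corrupts the zone.
    "$RNDC" freeze "$zone" || return 1

    # Write to a temporary file in the same directory and rename it, so a
    # crash mid-write can never leave a truncated DB file for BIND to load.
    tmp="$zonefile.tmp.$$"
    if cp "$newfile" "$tmp" && mv "$tmp" "$zonefile"; then
        rc=0
    else
        rm -f "$tmp"
        rc=1
    fi

    # Always thaw, even after a failed rewrite, so the zone does not stay
    # read-only. thaw reloads the zone from ZONEFILE, so DDNS changes that
    # were in the journal are replaced by the new file (the PR's trade-off).
    "$RNDC" thaw "$zone" || rc=1
    return $rc
}

# Command-line use: freeze_rewrite.sh ZONE ZONEFILE NEWFILE
if [ $# -eq 3 ]; then
    freeze_rewrite_thaw "$1" "$2" "$3"
fi
```

Run it as `sh freeze_rewrite.sh example.com /path/to/db.example.com /path/to/new.db`, setting `RNDC` if rndc is not on PATH. The function deliberately refuses rather than escapes a bad zone name: escaping would make the rndc call safe, but a zone name containing shell metacharacters can only come from corrupted or malicious input, and failing loudly is the better outcome for a zone file rewrite.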
@overhacked overhacked changed the base branch from RELENG_2_4_4 to devel October 27, 2019 16:14
@overhacked (Contributor, Author)

Successfully rebased to devel.

@rbgarga (Member)

rbgarga commented Nov 25, 2019

It was manually merged. Thanks!

@rbgarga rbgarga closed this Nov 25, 2019