
create-rndc.key fails with bind9 9.13.0+ #189

Closed
karelyatin opened this issue May 27, 2021 · 4 comments · Fixed by #190

Comments

@karelyatin
Contributor

With isc-projects/bind9@3a4f820 the -r option is removed from the confgen command, so now if -r /dev/urandom is passed to the command it fails due to fatal("The -r option has been deprecated.").

I see it's used in two places in the puppet-dns code:

Also, it looks like this parameter is not mandatory in earlier bind versions and confgen works without it too, but maybe it was passed for some use case. Anyway, it would be good to get it fixed for bind-9.13.0+.

Faced this while testing with bind-9.16.11 on a CentOS9 machine.

@ekohl
Member

ekohl commented May 27, 2021

I'm trying to figure out the behavior if the parameter is not specified on older versions but it's not entirely clear to me. It looks like it may default to /dev/random but I can't quite find it out. It also looks like it may not matter on modern kernels but most distros don't include kernel 5.6. Those that do are more likely to also ship a bind that doesn't accept the parameter.

Do you happen to know if it defaults to /dev/random or /dev/urandom if not passed?

For what it's worth, this was already present in the first commit (1779432) which copied zleslie's dns module. Back in 2012 using /dev/random could be very slow and /dev/urandom was much better for most use cases.

@karelyatin
Contributor Author

@ekohl Before the commit that removed the -r option, I see https://github.com/isc-projects/bind9/blob/74dd289a1c24e14d602cc3502b78247364565b32/lib/dns/openssl_link.c#L371-L401 is used to get random data if -r randomfile is not passed, so it looks like neither the /dev/random nor the /dev/urandom binaries are used by default. With isc-projects/bind9@3a4f820 it removed the -r option and added some more generator functions to be used based on availability.

@ekohl
Member

ekohl commented May 31, 2021

That was also roughly my impression from trying to read the C code (which I'm not experienced with). Your reading is a bit better than mine. To me it looks like we can trust openssl to be present and recent enough on supported platforms to trust it. I'd be ok with dropping the parameter unconditionally.

Would you be willing to write a patch?

@karelyatin
Contributor Author


Sure, will send a PR in some time.
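The thread settles on dropping -r unconditionally, which works on every release because -r was always optional. As an added example (not puppet-dns or ISC code), the POSIX shell below goes one step further for anyone who wants to keep -r /dev/urandom on pre-9.13.0 builds: it parses a `named -v` style banner, applies the 9.13.0 threshold from this issue, and omits -r whenever the version cannot be parsed, since omitting it never triggers the fatal() in question. The -a and -c flags are assumed from the rndc-confgen man page and are not shown on this page.

```shell
#!/bin/sh
# Added example: version-gate the deprecated "-r <randomfile>" flag.
# Assumes the banner looks like `named -v` output, e.g.
# "BIND 9.16.11 (Stable Release) <id:...>" (constructed, not from the page).

# Extract "major.minor.patch" from a named -v style banner; prints nothing
# if the banner does not match, which callers treat as "unknown version".
bind_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) only if version $1 is older than 9.13.0, the release in
# which isc-projects/bind9@3a4f820 made rndc-confgen reject -r.
# An empty or unparsable version fails, so the caller omits -r by default.
bind_accepts_r_option() {
    [ -n "$1" ] || return 1
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac
    [ "$major" -lt 9 ] && return 0
    [ "$major" -eq 9 ] && [ "$minor" -lt 13 ] && return 0
    return 1
}

# Build the rndc-confgen argument list for banner $1 and key file path $2.
# "-a" writes the key file automatically, "-c" selects its path (assumed
# from the man page); "-r /dev/urandom" is appended only where still accepted.
rndc_confgen_args() {
    ver=$(bind_version_from_banner "$1")
    args="-a -c $2"
    if bind_accepts_r_option "$ver"; then
        args="$args -r /dev/urandom"
    fi
    printf '%s\n' "$args"
}
```

In practice the caller would run `rndc-confgen $(rndc_confgen_args "$(named -v)" /etc/rndc.key)` and then tighten the key file's ownership and mode, which this snippet deliberately does not touch.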

karelyatin added a commit to karelyatin/puppet-dns that referenced this issue May 31, 2021
With bind-9.13.0+[1], the -r option is deprecated and raises an
error if passed. With earlier versions of bind the -r
option is also optional, and in its absence there are default
functions which provide random bytes. So let's drop the
-r option.

Fixes theforemanGH-189

[1] isc-projects/bind9@3a4f820
@ekohl ekohl closed this as completed in #190 Jun 2, 2021
ekohl pushed a commit that referenced this issue Jun 2, 2021
With bind-9.13.0+[1], the -r option is deprecated and raises an
error if passed. With earlier versions of bind the -r
option is also optional, and in its absence there are default
functions which provide random bytes. So let's drop the
-r option.

Fixes GH-189

[1] isc-projects/bind9@3a4f820
penguinspiral added a commit to penguinspiral/puppet-control-repo that referenced this issue Aug 26, 2021
'theforeman-dns' module no longer appends the '-r /dev/urandom' string
to the BIND9 utility `/usr/sbin/rndc-confgen` as per Github PR:
931714772f1ee3648f94a266d43ace2299313eb4 (included in release 9.0.0).

This issue was initially surfaced to the 'theforeman/puppet-dns' Github
repository back on May 26 2021:
theforeman/puppet-dns#189 when it was
discovered that the ISC BIND 9 project removed the flag from the
'rndc-confgen' binary:
isc-projects/bind9@3a4f820

Verification:

* `pdk test unit --tests ./spec/classes/dns_spec.rb`

Result:

* Finished in 20.66 seconds (files took 1.03 seconds to load)
176 examples, 0 failures