BIND 10 #1424: query_acl rejecting even though matches
BIND 10 Development
do-not-reply at isc.org
Fri Dec 23 08:39:16 UTC 2011
#1424: query_acl rejecting even though matches
-------------------------------------+-------------------------------------
                   Reporter:  jreed  |                 Owner:
                       Type:  defect |                Status:  new
                   Priority:         |             Milestone:
  critical                           |  Sprint-20120110
                  Component:         |            Resolution:
  resolver                           |             Sensitive:  0
                   Keywords:         |           Sub-Project:  DNS
            Defect Severity:  N/A    |  Estimated Difficulty:  4
Feature Depending on Ticket:  none   |           Total Hours:  0
        Add Hours to Ticket:  0      |
                  Internal?:  0      |
-------------------------------------+-------------------------------------
Comment (by jinmei):

trac1424 is ready for review.

The problem is (in my understanding) that when the resolver first starts
it tries to listen on a privileged port (53). But if the run time
user doesn't have the privilege it will fail, and the configuration
handler will simply skip installing all other default config
parameters (so the problem shouldn't be specific to the ACL).

The fix in this branch is to change the behavior so that on startup
other parameters will be installed even if listen_on fails.

I actually don't like this hack, and since I expect the introduction
of the socket creator will change the scenario a bit and the
configuration handler will need to be refactored to a cleaner
design/implementation anyway (the current monolithic implementation
won't scale and we can easily face a similar situation as we add more
config parameters), one option is to defer the fix until that
point.

I really thought about that option, but since the symptom would be quite
confusing and (although ugly) the fix itself is not a big change, I
decided to provide a patch anyway. I'm okay with either approach:
applying the fix for now or completely deferring it.

If we fix it now, this is the proposed changelog entry:
{{{
361.? [bug] jinmei
b10-resolver ignored default configuration parameters if listen_on
failed (this can easily happen especially for a test environment
where the run time user doesn't have root privilege), and even if
listen_on was updated later the resolver wouldn't work correctly
unless it's fully restarted (for example, all queries would be
rejected due to an empty ACL).
(Trac #1424, git TBD)
}}}
--
Ticket URL: <http://bind10.isc.org/ticket/1424#comment:7>
BIND 10 Development <http://bind10.isc.org>
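
An added illustration of the failure mode described in the comment above, not code from the BIND 10 branch: a simplified Python model of a configuration handler that stops at the first failing parameter, next to one that applies each parameter independently. Only the parameter names listen_on and query_acl come from the ticket; the Resolver class, both apply functions and the sample defaults are hypothetical.

```python
# Added illustration, not BIND 10 code. Only the parameter names listen_on
# and query_acl come from the ticket; everything else is hypothetical.
DEFAULTS = {  # constructed sample defaults; listen_on is applied first
    "listen_on": [("127.0.0.1", 53)],
    "query_acl": [{"action": "ACCEPT", "from": "127.0.0.1"}],
}

class Resolver:
    def __init__(self, can_bind_privileged):
        self.can_bind_privileged = can_bind_privileged
        self.listen_on = []
        self.query_acl = []  # empty ACL: no rule matches, so every query is rejected
    def set_listen_on(self, addrs):
        if not self.can_bind_privileged and any(port < 1024 for _, port in addrs):
            raise PermissionError("cannot bind privileged port")
        self.listen_on = addrs
    def set_query_acl(self, acl):
        self.query_acl = acl
    def accepts(self, client):
        for rule in self.query_acl:
            if rule["from"] == client:
                return rule["action"] == "ACCEPT"
        return False  # default reject

def apply_monolithic(resolver, config):
    """Reported behaviour: the first failing parameter skips all later ones."""
    try:
        for name, value in config.items():
            getattr(resolver, "set_" + name)(value)
    except OSError as exc:
        return [f"{name}: {exc}"]
    return []

def apply_independent(resolver, config):
    """Behaviour the fix aims for: apply every parameter, collect the errors."""
    errors = []
    for name, value in config.items():
        try:
            getattr(resolver, "set_" + name)(value)
        except OSError as exc:
            errors.append(f"{name}: {exc}")
    return errors

def scenario(apply):
    """Unprivileged start, then listen_on is later changed to a high port."""
    r = Resolver(can_bind_privileged=False)
    startup_errors = apply(r, DEFAULTS)
    apply(r, {"listen_on": [("127.0.0.1", 5300)]})
    return startup_errors, r.accepts("127.0.0.1")
```

Calling `scenario(apply_monolithic)` leaves the ACL empty after the later listen_on update, so the local client is still rejected; `scenario(apply_independent)` reports the same bind error at startup but answers the client.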