V 9.18.1 not listen on port 853 after rndc reload

Mon Mar 21 20:17:50 UTC 2022

Dear All, 

many thanks pointing me into the right direction. 

// Hans 

— 

> On 21.03.2022, at 17:58, Ondřej Surý <ondrej at isc.org> wrote:
> 
> This is already being tracked as https://gitlab.isc.org/isc-projects/bind9/-/issues/3122
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
> 
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> 
>> On 21. 3. 2022, at 17:12, MAYER Hans <Hans.Mayer at iiasa.ac.at> wrote:
>> 
>> 
>> Hi Borja, 
>> 
>> Many thanks for this hint. I tried to allow with 
>> setcap 'CAP_NET_BIND_SERVICE=+eip'  /usr/local/sbin/named
>> but it didn’t help. 
>> 
>> On other hand there is no issue on port 53 and 953. Why should it be just on port 853 ? 
>> 
>> Kind regards 
>> Hans 
>> 
>> 
>> 
>>> On 21.03.2022, at 15:26, Borja Marcos <borjam at sarenet.es> wrote:
>>> 
>>> 
>>> 
>>>> On 21 Mar 2022, at 14:51, MAYER Hans <Hans.Mayer at iiasa.ac.at> wrote:
>>>> 
>>>> 
>>>> Looking at the log I see: 
>>>> network: error: creating TLS socket: permission denied
>>>> 
>>>> Why doesn’t named have the permissions after a „rndc reload“ but it has the permissions after a start ? And why on one server but not on another ? 
>>>> In both cases the daemon is running as user „bind“ with UID below 128 but not as root. 
>>> 
>>> Because it usually starts as root and it demotes itself to “bind” whenever possible.
>>> 
>>> Maybe there is a mechanism in Linux to grant permission to a certain UID to bind() a socket to certain privileged 
>>> port number, as it is used for NTP on FreeBSD?
>>> 
>>> 
>>> 
>>> 
>>> Borja.
>>> 
>> 
>> 
>> 
>> 
>> 
>>> On 21.03.2022, at 14:51, MAYER Hans <Hans.Mayer at iiasa.ac.at> wrote:
>>> 
>>> 
>>> 
>>> Dear All, 
>>> 
>>> now BIND 9.18 is supporting DoT directly I tried to go away from a solution with stunnel4 and therefore I compiled 9.18.1 and modified named.conf
>>> So far everything is working fine. All the tests with dig , openssl and lsof is showing it’s working. 
>>> The problem: when I run a „rndc reload“ the named process is not listen on 853/tcp anymore. All tests with TLS fail. And this on IPv4 as well on IPv6.
>>> The rest of BIND is working well. Still listening on port 53 on UDP and TCP 
>>> When I restart the service so that named stops and a new process is started and running then DoT is working again. 
>>> I run this on Debian 10 buster. 
>>> The interesting story is I run the same version 9.18.1 on a different Debian 10 buster server. On this server the process „named" survives a „rndc reload“  on port 853 
>>> 
>>> Looking at the log I see: 
>>> network: error: creating TLS socket: permission denied
>>> 
>>> Why doesn’t named have the permissions after a „rndc reload“ but it has the permissions after a start ? And why on one server but not on another ? 
>>> In both cases the daemon is running as user „bind“ with UID below 128 but not as root. 
>>> 
>>> Any ideas where to look ? 
>>> 
>>> Kind regards 
>>> Hans 
>>> 
>>> — 
>>> 
>>> 
>>> maybe the important part of the config
>>> 
>>>       listen-on {
>>>                  my.ipv4.hiding.here  ;
>>>                  127.0.0.1 ;
>>>       };
>>>       listen-on port 853 tls iiasaatls { any; }; 
>>>       listen-on-v6 { any ; } ;
>>>       listen-on-v6 port 853 tls iiasaatls { any; }; 
>>> 
>>> 
>> 
>> 
>> -- 
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 