init script doesn't handle rndc error properly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Fix Released | Undecided | LaMont Jones |
Bug Description
1) Ubuntu 9.04
2) 1:9.5.1.dfsg.P2-1
3) I have disabled the remote admin capability on my bind9 server using "controls {};"
I expected that I would still be able both to stop and to restart the bind9 server using the /etc/init.d/bind9 script. Furthermore, I expected that if the init script was unable to do either of these things it would tell me that it had failed.
4) When I executed "/etc/init.d/bind9 stop" the following happened:
* Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
As you can see the init script printed "[ OK ]", which I interpreted to mean that it had successfully stopped bind9. Despite printing "[ OK ]" the bind9 server hadn't actually been stopped: `ps aux|grep named` confirmed this.
Ideally I would prefer if you fixed this bug by resorting to an alternative method of killing bind9, e.g. `kill $PID` if the rndc program fails. If you don't want to do that, then could you at least fix the init script so that it doesn't mistakenly print "[ OK ]".
(As an aside I discovered this bug when I executed "/etc/init.d/bind9 restart" and the following happened:
* Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
* Starting domain name service... bind9 [ OK ]
This led me to believe that my configuration change to bind (enabling DNSSEC) had succeeded (because I saw the two OKs), and therefore I thought that my DNS lookups were now being protected by DNSSEC DLV validation, when in fact they weren't. I therefore consider this issue to be on the borderline of being a security vulnerability, because it led me to believe that I had enabled a security feature when I had in fact not done so.)
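As an added example, not the bind9 package's init script and not code from the reporter, the following POSIX sh stop routine shows the two behaviours the report asks for: the exit status of rndc is checked instead of assumed, and when the control channel is refused the script falls back to the pid recorded in named's pidfile. The rndc command and the pidfile path are passed in as arguments (an assumption made so the logic can be exercised without a running named; the real script would use /usr/sbin/rndc and named's own pidfile), and the two rndc stand-ins plus the sleep process used in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example, not the Ubuntu bind9 init script: stop named, treating a
# failing rndc as a failure instead of printing "[ OK ]" unconditionally,
# and fall back to the pidfile as the bug report suggests.
#
# Assumption (not from the page): the rndc command and pidfile are
# arguments, so the routine can be exercised without a real named.

stop_named() {
    rndc_cmd="$1"     # command (or shell function) that speaks to named
    pidfile="$2"      # pidfile written by named at startup

    # Preferred path: ask named to shut down over the control channel.
    # With "controls {};" in named.conf this fails with "connection refused".
    if $rndc_cmd stop; then
        return 0
    fi
    echo "rndc stop failed, falling back to pidfile" >&2

    # Fallback: signal the daemon directly. Never guess a pid.
    if [ ! -r "$pidfile" ]; then
        echo "no readable pidfile at $pidfile" >&2
        return 1
    fi
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "pidfile $pidfile does not hold a pid" >&2; return 1 ;;
    esac
    if ! kill -TERM "$pid" 2>/dev/null; then
        echo "could not signal pid $pid (already gone, or not ours)" >&2
        return 1
    fi
    return 0
}

# Print the status tag only after checking the actual result of the action.
report() {
    if "$@"; then
        echo " [ OK ]"
        return 0
    fi
    echo " [fail]"
    return 1
}

# Constructed stand-ins for rndc: one behaving as the reporter saw
# (control channel refused), one that succeeds.
rndc_refused() {
    echo "rndc: connect failed: 127.0.0.1#953: connection refused" >&2
    return 1
}
rndc_ok() { return 0; }

# Demonstration: a throwaway sleep process stands in for named, rndc is
# refused, so the pidfile fallback must actually terminate the process.
demo_fallback() {
    tmp=$(mktemp -d)
    sleep 60 &
    child=$!
    echo "$child" > "$tmp/named.pid"
    printf '%s' " * Stopping domain name service... bind9"
    if report stop_named rndc_refused "$tmp/named.pid"; then rc=0; else rc=1; fi
    wait "$child" 2>/dev/null || true   # reap the signalled child
    rm -rf "$tmp"
    # Success only counts if the process is really gone.
    if kill -0 "$child" 2>/dev/null; then
        return 1
    fi
    return $rc
}
```

Running demo_fallback prints the same " * Stopping domain name service... bind9" line the reporter saw, but the "[ OK ]" is now earned by a verified SIGTERM rather than printed regardless; with no pidfile and a refused control channel the routine returns 1 and the line ends in "[fail]".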
Changed in bind9 (Ubuntu):
assignee: nobody → LaMont Jones (lamont)
status: New → Fix Committed
This bug was fixed in the package bind9 - 1:9.6.1.dfsg-1
---------------
bind9 (1:9.6.1.dfsg-1) unstable; urgency=low
[Internet Software Consortium, Inc]
* 9.6.1
bind9 (1:9.6.0.dfsg.P1-3) unstable; urgency=low
[Martin Zobel-Helas]
* GEO-IP Patch from git://git.kernel.org/pub/scm/network/bind/bind-geodns.git. Closes: #395191
[LaMont Jones]
* Remove /var/lib/bind on purge. Closes: #527613
* Build-Depend: libdb-dev (>4.6). Closes: #527877, #528772
* init.d: detect rndc errors better. LP: #380962
* init.d: clean up exit status. Closes: #523454
* Enable pkcs11 support, and then Revert - causes assertion failures c.f.: #516552
-- Ubuntu Archive Auto-Sync <email address hidden> Tue, 23 Jun 2009 10:36:38 +0100