Report information

Id: 46202
Status: open
Priority: Medium/Medium
Owner: Nobody in particular
Created: Thu, 05 Oct 2017 08:23:43 -0400
Updated: Tue, 17 Oct 2017 14:25:18 -0400
Closed: Not set

From: "Marcello Zin" <majinzin88@gmail.com>
To: bind-bugs@isc.org
Date: Thu, 5 Oct 2017 12:23:34 +0000
Subject: BIND 9.9.5 - loopback address issue on "listen-on" parameter
Bug Report from www.isc.org:

Name: Marcello Zin
Email: majinzin88@gmail.com
Software Version: BIND 9.9.5
OS: Debian 7
Subject: loopback address issue on "listen-on" parameter

Bug Detail
===========

If I use a loopback IP address different than 127.0.0.1 (or ::1 on IPv6) on "listen-on" parameters, BIND doesn't create a LISTEN socket on that IP (i.e. 127.0.0.2).

I found a workaround adding 127.0.0.2 (ip addr add 127.0.0.2 dev lo) but, of course, it shouldn't be necessary thanks to the AnyIP kernel feature.

---
This email was received through isc.org Bug Submission Form
Date: Thu, 05 Oct 2017 23:32:28 +1100
From: "Mark Andrews" <marka@isc.org>
Subject: Re: [ISC-Bugs #46202] BIND 9.9.5 - loopback address issue on "listen-on" parameter
To: bind9-confidential@isc.org
try listen-on-v6

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
To: bind9-confidential@isc.org
Date: Thu, 5 Oct 2017 14:53:53 +0200
Subject: Re: [ISC-Bugs #46202] BIND 9.9.5 - loopback address issue on "listen-on" parameter
From: "Marcello Zin" <majinzin88@gmail.com>
It doesn't work.
I tried:
listen-on-v6 port 53 { ::3; };
listen-on port 53 { 127.0.0.3; };

and all combinations (also disabling ipv4 or ipv6).

It works only if I explicitly add that ip address.

2017-10-05 14:33 GMT+02:00 Mark Andrews via RT <bind9-confidential@isc.org>:

try listen-on-v6

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

To: bind9-confidential@isc.org
Date: Fri, 06 Oct 2017 05:36:39 +1100
From: "Mark Andrews" <marka@isc.org>
Subject: Re: [ISC-Bugs #46202] BIND 9.9.5 - loopback address issue on "listen-on" parameter
Remember listen-on and listen-on-v6 are ACLs. Take the addresses on the system and check them against the ACL, and if they match, open a socket.

listen-on { any; }; opens two sockets for every IPv4 interface (TCP and UDP) so that UDP replies get the correct source address on multi-homed machines. TCP automatically does this.

For IPv6 the Advanced Sockets API lets you specify the source address of UDP packets and get the destination address of received packets, so it's possible to get the reply source addresses correct with a single socket for listen-on-v6 { any; }; if the OS supports it.

For AnyIP the server would have to take the ACL list, work out which prefixes are actually complete addresses, then apply a 127/8 filter to them and attempt to open them only on Linux boxes, making sure not to match any addresses already configured by matching against the existing interfaces.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
Date: Thu, 5 Oct 2017 23:08:41 +0200
To: bind9-confidential@isc.org
Subject: Re: [ISC-Bugs #46202] BIND 9.9.5 - loopback address issue on "listen-on" parameter
From: "Marcello Zin" <majinzin88@gmail.com>
Thanks for the reply. I know the "any" parameter, but I would like to open a socket only on a fixed IP address. I have some processes which open a socket on a localhost address different than .1. In my opinion it should work as you said. Of course, the netmask could be different than 127/8 because you can add a different subnet on the lo interface.

Let me know if that behavior could be implemented in a next release.

Cheers

> On 05 Oct 2017, at 20:36, Mark Andrews via RT <bind9-confidential@isc.org> wrote:
>
> Remember listen-on and listen-on-v6 are ACLs. Take the addresses
> on the system and check them against the ACL, and if they match,
> open a socket.
>
> listen-on { any; }; opens two sockets for every IPv4 interface (TCP
> and UDP) so that UDP replies get the correct source address on
> multi-homed machines. TCP automatically does this.
>
> For IPv6 the Advanced Sockets API lets you specify the source address
> of UDP packets and get the destination address of received packets,
> so it's possible to get the reply source addresses correct with a
> single socket for listen-on-v6 { any; }; if the OS supports it.
>
> For AnyIP the server would have to take the ACL list, work out which
> prefixes are actually complete addresses, then apply a 127/8 filter
> to them and attempt to open them only on Linux boxes, making sure not
> to match any addresses already configured by matching against the
> existing interfaces.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
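The two messages above describe an algorithm in prose: the existing behaviour (walk the system's addresses, keep those the listen-on ACL accepts, open a socket on each) and the extra step an AnyIP-aware server would need (ACL elements that are complete host addresses inside a loopback-style range and not yet configured). The following Python model, added here as an illustration and not BIND's own code (named is written in C and this does not mirror its internals), shows why a bare `listen-on { 127.0.0.3; };` produces no socket today and what the proposed step would pick up. The function names, the first-match/`!`-negation ACL handling, the `anyip_prefixes` parameter (which covers the reporter's point that lo may carry subnets other than 127/8) and the sample addresses are all assumptions made for this example.

```python
"""Model (added illustration, not BIND's own code) of how a listen-on ACL is
resolved into socket addresses, plus the AnyIP step sketched in the thread.
Function names and the sample inputs below are assumptions for this example."""
import ipaddress

# 'any' in an address match list covers both address families.
ANY_NETS = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def _entry_networks(entry):
    """Expand one ACL element into the network(s) it denotes."""
    if entry == "any":
        return ANY_NETS
    # strict=False lets a host address like "127.0.0.3" become a /32 network.
    return (ipaddress.ip_network(entry, strict=False),)


def acl_match(addr, acl):
    """Address-match-list semantics: the first matching element wins, a
    leading '!' negates that element, and no match at all means 'not allowed'.
    (Simplified model; 'none', nested ACL names and keys are not handled.)"""
    ip = ipaddress.ip_address(addr)
    for raw in acl:
        negated = raw.startswith("!")
        entry = raw.lstrip("!").strip()
        # 'in' is False across address families, so v4 and v6 never cross-match.
        if any(ip in net for net in _entry_networks(entry)):
            return not negated
    return False


def addresses_to_bind(acl, system_addrs):
    """Current behaviour as described in the thread: only addresses the
    system already has are candidates.  A host-only ACL element such as
    127.0.0.3 that is configured on no interface therefore yields no socket,
    which is the symptom in the original report."""
    return [a for a in system_addrs if acl_match(a, acl)]


def anyip_candidates(acl, system_addrs, anyip_prefixes=("127.0.0.0/8",)):
    """The extra AnyIP step: ACL elements that are complete addresses (not
    prefixes), lie inside an AnyIP range (127/8 by default; pass more prefixes
    if lo carries other subnets), are still accepted by the ACL as a whole,
    and are not already configured (those are handled by addresses_to_bind)."""
    configured = {ipaddress.ip_address(a) for a in system_addrs}
    ranges = [ipaddress.ip_network(p, strict=False) for p in anyip_prefixes]
    found = []
    for raw in acl:
        if raw.startswith("!") or raw == "any":
            continue
        net = ipaddress.ip_network(raw, strict=False)
        if net.num_addresses != 1:          # a prefix, not a complete address
            continue
        host = net.network_address
        if host in configured:
            continue
        if not acl_match(str(host), acl):   # an earlier '!' element excluded it
            continue
        if any(host in r for r in ranges):
            found.append(str(host))
    return found


if __name__ == "__main__":
    # Constructed sample: the reporter's situation before and after the workaround.
    acl = ["127.0.0.3", "192.0.2.0/24"]
    before = ["127.0.0.1", "::1", "192.0.2.10"]
    print(addresses_to_bind(acl, before))   # ['192.0.2.10']  (no 127.0.0.3 socket)
    print(anyip_candidates(acl, before))    # ['127.0.0.3']   (what AnyIP handling would add)
    after = before + ["127.0.0.3"]          # after 'ip addr add 127.0.0.3 dev lo'
    print(addresses_to_bind(acl, after))    # ['192.0.2.10', '127.0.0.3']
    print(anyip_candidates(acl, after))     # []
```

Note that the AnyIP step only ever considers complete host addresses: a prefix such as `127.0.0.0/8` in the ACL says "accept whatever loopback addresses exist", not "bind all 16 million of them", which is why Mark's sketch starts by separating complete addresses from prefixes.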