Post-build test fail on BIND 9, old system

Post by Jaroslaw Rafa » Thu, 31 Jul 2008 03:10:36

Hello,
Due to recent exploits I have to upgrade to the newest version of BIND.
My DNS server is a quite old machine, running BIND 4 on Solaris 2.5.1. I
didn't upgrade because the OS lacks many libraries and syscalls and it's
hard to get the newest versions of programs compiled under it. The machine
is about to be completely replaced by a new one running Solaris 9,
but the migration is being delayed for various reasons and it may take
several months until it is finished. However, because of the recent
vulnerabilities, BIND has to be upgraded *now*.

And here I have a problem. I successfully compiled BIND 9.5.0-P1 on
my system, but when I run "make test" after the build, some of the tests
fail. The tests that fail are: cacheclean, forward, lwresd, rrsetorder
and upforwd (the same applies to BIND 9.4.2-P1). My question is: how
severe is this? Can something bad happen if I run the nameserver with
these tests failing, or may I safely ignore this? I can send the detailed
test output if needed.

What else can I do to make BIND work all OK?
--
Regards,
Jaroslaw Rafa
XXXX@XXXXX.COM

Post-build test fail on BIND 9, old system

Post by Bruce Esquibel » Thu, 31 Jul 2008 23:24:17

Sheesh, trying to get anything to run under Solaris 2.5.1 is going to be an
uphill battle.

Is there any way to just try to run what was built and ignore the tests?

The reason I'm saying that: not sure why, but there are a couple of spots in the test
suite for BIND 9.5.0-P1 that have "grep -q" hardcoded, which causes several
failures under Solaris. As far as I can tell, -q (for quiet) is only
supported on GNU grep (ggrep).

Besides causing some tests to get bypassed, I think it does eventually fail
altogether because of something missing from the grep output (maybe wrong
about that).

So either try to build the gnu grep and replace the grep binary on your box
or search around the bin/tests directories and edit the -q off the grep
calls.

One other note for those building on Solaris 10 who have zones configured
and running: there is another bug or oversight in the test suite. When you
bring up the interfaces for the phony 10.53.0 addresses, all of that works, but
when you clean up and bring them down using the ifconfig.sh script, you'll
lose all the 127.0.0.1 localhosts on the interfaces at the same time. It's a
minor issue and can easily be fixed without rebooting, but it had me stumped for a
bit when some things that were running just stopped working.

-bruce
XXXX@XXXXX.COM
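Bruce's two options (install GNU grep, or edit the -q out of the grep calls) can be combined into a single portable helper. The following POSIX sh snippet is an added example for this thread, not code from the BIND test suite or from either poster: it probes the grep candidates named in the thread (/usr/xpg4/bin/grep, ggrep, plain grep) for a working -q and, if none accepts it, falls back to redirecting grep's output to /dev/null, which is exactly what -q suppresses. The function names `find_quiet_grep` and `quiet_grep` are hypothetical.

```shell
#!/bin/sh
# find_quiet_grep: print the first grep on this box that accepts -q.
# Candidates follow the thread: Solaris XPG4 grep, GNU grep (ggrep), then plain grep.
# Each is probed by feeding it a line it must match; an old grep that does not
# know -q exits non-zero ("illegal option"), so the probe fails cleanly.
find_quiet_grep() {
    for g in /usr/xpg4/bin/grep ggrep grep; do
        if printf 'x\n' | "$g" -q x 2>/dev/null; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# quiet_grep PATTERN [FILE...]: exit 0 if PATTERN matches, non-zero otherwise,
# printing nothing. Uses a -q capable grep when one exists; otherwise emulates
# -q with redirection, which works with any grep.
quiet_grep() {
    if [ -z "${QGREP:-}" ]; then
        QGREP=$(find_quiet_grep) || QGREP=""
    fi
    if [ -n "$QGREP" ]; then
        "$QGREP" -q "$@"
    else
        grep "$@" >/dev/null 2>&1
    fi
}

# Usage: replace `grep -q PATTERN FILE` in a test script with `quiet_grep PATTERN FILE`.
# Example run against constructed input (not from the BIND tests):
printf 'rndc: connection established\n' | quiet_grep 'rndc' && echo "match" || echo "no match"
```

If the fallback branch is taken, the exit status is still grep's own (0 on match, 1 on no match, 2 on error), so the test scripts' `if grep -q ...` checks keep their meaning.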


Post-build test fail on BIND 9, old system

Post by Jaroslaw Rafa » Fri, 01 Aug 2008 04:27:35

Bruce Esquibel wrote:

I noticed that at first (grep complains about an unknown "-q" option in
the test output) and fixed it. "/usr/xpg4/bin/grep" should be used instead
of simply "grep"; that version does accept the "-q" parameter.
The failing tests I mentioned have nothing to do with this issue.

However, I am in the process of investigating them in detail, and the first
test (cacheclean) is probably failing because the "dig" program included
with BIND is for some reason unable to fetch data from the nameserver (a
message "/dysk4/soft/bind-9.5.0-P1/bin/dig/dig: isc_socket_bind: socket
already bound" appears and the file expected to contain the output from dig is
empty). Don't know about the others yet...
Regards,
Jaroslaw Rafa
XXXX@XXXXX.COM
--
Come visit my new page: http://www.yqcomputer.com/ ~raj/

Post-build test fail on BIND 9, old system

Post by Bruce Esquibel » Fri, 01 Aug 2008 23:25:08

I think Solaris 2.5.1 didn't support multiple addresses on an interface
(again could be wrong) so the "already bound" message makes sense.

I'm pretty sure you are going to have to shut down the named that is
running, if that is the case. You might even have to go to an extreme and
get the box into single user mode to run the tests.

Sorry if this is going to mislead you; I haven't seen a 2.5.1 box in
probably 10 years. We took possession of them when another ISP in the area
went out of business, but only kept them running long enough to migrate
the users. Pretty sure Solaris 8 was out then, and it was a night and day
difference "getting stuff to work" like this on 8 over the older versions.

But I'm confident that, with the way the test suite works and how 2.5.1
handles IP addresses on the interfaces, there is an incompatibility there.

Hope I'm wrong but like I said earlier, you have a pretty good uphill battle
on your hands.

-bruce
XXXX@XXXXX.COM

Post-build test fail on BIND 9, old system

Post by Jaroslaw Rafa » Sat, 02 Aug 2008 01:51:29

Bruce Esquibel wrote:

It's not that problem; the "already bound" message usually indicates that a
program is trying to listen on a port that is already in use. It has
nothing to do with multiple addresses on an interface, which *are* supported
under 2.5.1 (if they weren't, it would be impossible to run the test suite
in the first place).

But actually, there seems to be some big incompatibility between my system
and the way the new BIND handles network connections and sockets. Following
your advice, I tried to run the executable that was built. named starts,
loads the master zones, responds to queries that refer to these zones, but
when there is a query for an external address, where the nameserver has to
fetch data from outside, the response to the client is SERVFAIL. Looks like
the server is unable to get data from other servers. It's a big problem that
makes the server completely unusable. Perhaps the other face of the same
problem is that although the server listens on the control port 935, I
cannot communicate with it via rndc - rndc says that it connects to
127.0.0.1#935 and sends the query, but gets no response and times out.

I also tried to use the ready binary package of bind-9.5.0p1, which is
available on www.sunfreeware.com. It has a lot of dependencies, so I had to
download and install many libraries, but after finishing this tedious task
the nameserver from the package behaves exactly like mine - SERVFAIL on
non-authoritative queries, no communication via rndc.

I give up. It seems that I am unable to run the recent BIND version on this
machine, so I'll fall back to using a forwarder (more in a separate topic).
Regards,
Jaroslaw Rafa
XXXX@XXXXX.COM
--
Come visit my new page: http://www.yqcomputer.com/ ~raj/
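Jaroslaw's reading of "isc_socket_bind: socket already bound" (another process already holds the port) is the kind of thing worth checking before a test run or a first start of the new named, since the old BIND 4 daemon, or a previous test run, may still be sitting on port 53 or on the rndc control port. The following POSIX sh helper is an added example for this thread, not code from BIND or from either poster. It parses `netstat -an` output in the Solaris format (local address written as `addr.port`) and reports whether any local socket uses a given port; the sample output embedded below is constructed for the demonstration and does not come from the poster's machine. The function name `port_in_use` is hypothetical.

```shell
#!/bin/sh
# Constructed sample of Solaris-style `netstat -an` output (not captured from a real host).
# Local addresses are written as ADDR.PORT, e.g. "*.53" or "127.0.0.1.935".
SAMPLE_NETSTAT='UDP: IPv4
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.53                                 Idle
127.0.0.1.53                               Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.53                 *.*                0      0 65536      0 LISTEN
127.0.0.1.935            *.*                0      0 65536      0 LISTEN
127.0.0.1.953            *.*                0      0 65536      0 LISTEN'

# port_in_use PORT [NETSTAT_OUTPUT]
# Exit 0 if some local socket in the netstat listing uses PORT, 1 otherwise.
# When no listing is passed as the second argument, the live `netstat -an` is read.
port_in_use() {
    _port=$1
    _out=${2:-$(netstat -an 2>/dev/null)}
    printf '%s\n' "$_out" | awk -v p="$_port" '
        # Only data rows have a first field ending in ".<digits>"; headers and
        # separator lines do not, so they are skipped automatically.
        NF >= 2 && $1 ~ /\.[0-9]+$/ {
            n = split($1, a, ".")
            if (a[n] == p) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Usage: run before `make test` or before starting the new named, for each port
# the tests or the daemon will bind (53, and the control port from named.conf).
for p in 53 935 953; do
    if port_in_use "$p" "$SAMPLE_NETSTAT"; then
        echo "port $p is already in use; stop the old daemon before continuing"
    else
        echo "port $p is free"
    fi
done
```

Run without the second argument to check the live system. On the sample above ports 53, 935 and 953 report as in use and any other port as free; the same split-on-last-dot approach is what makes the check independent of whether the local address is `*`, `127.0.0.1` or a 10.53.0.x test address.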

Post-build test fail on BIND 9, old system

Post by Jaroslaw Rafa » Sat, 02 Aug 2008 04:36:10

Bruce Esquibel wrote:

I even added: allow-recursion { any; }; allow-query { any; }; allow-query-cache { any; };
and it still didn't work. When a query is not allowed, named writes it to
the log, so it's easy to identify (without these "allow" statements I got a
lot of "query denied" lines in the log). With the "allow" statements
present, there is nothing in the log and it simply doesn't work. I think
it's a code problem.
Anyway, I don't want to fight with this anymore. I already configured a
forwarder, so the problem is solved for now, until the machine is replaced.
Regards,
Jaroslaw Rafa
XXXX@XXXXX.COM
--
Come visit my new page: http://www.yqcomputer.com/ ~raj/