
os-bind - BIND 9.20 incorrectly processing TCP retransmission packets for AXFR Zone Transfers

Open Nick2253 opened this issue 11 months ago • 1 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [X] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [X] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [X] The title contains the plugin to which this issue belongs

Describe the bug

BIND in os-bind 1.33_1 is incorrectly processing (or failing to process at all) TCP retransmission packets for AXFR Zone Transfers.

This was previously working with os-bind 1.32_1, with the bind918 package.

To Reproduce

Steps to reproduce the behavior:

  1. Attempt an AXFR zone transfer using named (create a secondary zone) or one of the BIND tools (manually initiate a transfer using dig)
  2. Receive an error when one of the DNS packets is too large, and is being truncated.

The simplest example: dig @<domain controller> <zone> axfr

Expected behavior

The zone is transferred correctly.

In particular, I expect named or dig (or whichever tool) to properly recognize the truncated packet, and await the TCP retransmission of that packet, instead of immediately throwing an error.

I've confirmed this isn't an issue with the primary server, as the AXFR transfer works correctly with the built-in drill tool.

Relevant log files

For the purposes of these log files, I've replaced the domain controller with IP address 1.2.3.4, and the zone with example.com.

Running dig:

# dig @1.2.3.4 example.com axfr

; <<>> DiG 9.20.4 <<>> @1.2.3.4 example.com axfr
; (1 server found)
;; global options: +cmd
...
<redacted list of records received before error>
...
;; Got bad packet: bad label type
95 bytes

Additional Context

I'm not able to revert os-bind due to a "missing dependency" error, and the inability to manually reconcile that by manually installing bind918 because of the conflict between it and bind920.

root@brick:~ # opnsense-revert -r 24.7.7 os-bind
Fetching os-bind.pkg: .... done
Verifying signature with trusted certificate pkg.opnsense.org.20240611... done
os-bind-1.33_1: already unlocked
Installing os-bind-1.32_1...
package os-bind is already installed, forced install
pkg-static: Missing dependency 'bind918'

Failed to install the following 1 package(s): /tmp/opnsense-revert/32810/os-bind.pkg

Environment

OPNsense 24.7.12_2 (amd64)

Nick2253 avatar Jan 26 '25 19:01 Nick2253

To add some more context to this. I revised this bug report, and took it directly to BIND. The issue appears to be related to EDNS requests from BIND to a Windows DNS Server, and the Windows DNS Server garbling the response. Disabling EDNS fixes the problem. However, to add this directive, you have to directly modify the config file, since the os-bind plugin does not support either the server directive or custom directives in general.

Nick2253 avatar Jun 25 '25 23:06 Nick2253
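A hand-edited named.conf fragment matching the workaround described in the comment above, as an added example that is not from the issue or from the os-bind plugin. It reuses the placeholder address 1.2.3.4 and zone example.com from the report; the zone-file name is an assumption.

```conf
// Added example, not part of the issue or the os-bind plugin.
// 1.2.3.4 and example.com are the placeholders used in the report above.

// Turn EDNS off only for the Windows DNS server whose EDNS responses come
// back garbled, so EDNS stays enabled for every other server named talks to.
// The server statement takes a single address or a prefix (e.g. 1.2.3.0/24).
server 1.2.3.4 {
    edns no;    // named sends no OPT record to this server
};

// The secondary zone that pulls its AXFR from that primary. Because the
// server statement above matches the primary's address, the SOA refresh
// query and the transfer itself are sent without EDNS.
zone "example.com" {
    type secondary;
    primaries { 1.2.3.4; };
    file "secondary/example.com.db";    // assumed file name
};
```

Before editing anything, the same condition can be checked from the shell with `dig @1.2.3.4 example.com axfr +noedns`: if that completes where the plain `dig ... axfr` in the report fails with "bad label type", the server statement is the right place for the fix.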

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Jul 25 '25 17:07 OPNsense-bot