named forwarding


J.T. D

Jun 10, 2026, 12:26:22 PM
to sipxcom-users
I'm playing around with 25.01u4, but still use 24.01u13 operationally, so no harm/no foul.

It appears named was updated in 25.01 and now security is a bit tightened with upstream forwarding.

In 24.01, I could do OS level name resolution no problem with no alteration of conf files.

OOB on 25.01, this didn't work.  Eventually I tracked it down to an option I had to manually add to named.conf for dnssec validation.  My local DNS (on router) doesn't offer dnssec resolution, so named on sipxcom was rejecting the forwarding query: I couldn't run 'dnf update'...I'd receive an error about unable to resolve the names.  The local DNS is added as a Forwarder in sipxcom.

After a brief moment of research and trial and error, I added 'dnssec-validation no;' to named.conf, reloaded the service, and voila, I could resolve again.  (My router firmware doesn't support it...yet...otherwise I'd fix the root cause instead of applying this band-aid.)

My questions are:  I see I'll have to manually update named.conf until my router can support dnssec.  How often (or what action) will named.conf be rebuilt?  Is it just sending server profiles? Or are there other activities that might trigger a rebuild?

I do see the named.conf template in the code (named.erb).  I don't feel like anything needs to be added to the template (as this would promote less security by bypassing dnssec,) but I'd like to be aware of when the conf file gets updated so I can modify it.

Thanks!

Support

Jun 12, 2026, 5:30:29 AM
to J.T. D, sipxcom-users
Hello,

The problem you are encountering is fairly typical for some of the strengthened security requirements we have seen when updating everything to more modern Linux and library platforms.

The CF engine rules that govern named config file updates are found under /usr/share/sipxecs/cfinputs/plugin.d/sipxdns.cf.

In addition, sipxecs/src/sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/dns/DnsManagerImpl.java contains the update logic when changes to the DNS config UI are applied (note we fixed a bug here that they didn’t always take effect in 25.01 u3).

You may want to consider running DNS as an unmanaged service until your router has been upgraded, as the sipX DNS update logic is nontrivial. 

Thank you.
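
Added example, not part of the thread and not sipXcom code: a small check that reports the `dnssec-validation` value in a named.conf, so a managed rebuild that drops the hand-made override is noticed instead of surfacing later as failed lookups. The function names and the sample config are constructed for illustration; the file path is passed in by the caller.

```shell
#!/bin/sh
# Added example, not sipXcom code: report the dnssec-validation setting in a
# named.conf so a rebuild that drops a hand-made override gets noticed.

# Print "yes", "no", "auto", or "unset" for the given config file.
# Comments are stripped first so a commented-out option does not count.
dnssec_setting() {
    value=$(sed -e 's:/\*.*\*/::g' -e 's://.*$::' -e 's:#.*$::' "$1" |
        tr '\n' ' ' |
        sed -n 's/.*dnssec-validation[[:space:]][[:space:]]*\([a-z][a-z]*\)[[:space:]]*;.*/\1/p')
    echo "${value:-unset}"
}

# Return 0 when the file still carries the expected value, 1 otherwise.
check_override() {
    have=$(dnssec_setting "$1")
    if [ "$have" = "$2" ]; then
        echo "ok: dnssec-validation $have; in $1"
        return 0
    fi
    echo "drift: dnssec-validation is '$have', expected '$2' in $1" >&2
    return 1
}

# Constructed sample standing in for a regenerated file without the override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/var/named";
    forwarders { 192.0.2.1; };   // constructed forwarder address
    # dnssec-validation no;
};
EOF
check_override "$sample" no || echo "re-apply the manual edit and reload named"
rm -f "$sample"
```

Run periodically against the live named.conf, a non-zero exit from `check_override` marks the point at which the file was rewritten without the manual line.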

