Wouter Wijngaards
2020-May-28 11:06 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi Anand,

On 28/05/2020 12:26, Anand Buddhdev via nsd-users wrote:
> On 27/05/2020 17:52, Wouter Wijngaards via nsd-users wrote:
>
> Hi Wouter,
>
>> I tried to fix the contrib nsd.service by adding Simon's suggestion to
>> it, if that is wrong let me know:
>> https://github.com/NLnetLabs/nsd/commit/922d5a27f8b291b1157530cfde49707c134cf486
>>
>
> I have a suggestion. Maybe just delete this nsd.service file. To be
> honest, it's not very useful because it has a random mix of directives
> that don't help, or actually interfere with running NSD properly. As an

Thank you for the suggestion. Removed it. Complicated and not useful
is not what I want for a contrib file, instead I would want files in
contrib to be helpful and add to make use of NSD in different
environments easier.

Yes the removal of IPv6 also seems counterproductive to me.

Best regards, Wouter

> example, it has this directive:
>
> RestrictAddressFamilies=AF_INET AF_UNIX
>
> But what about AF_INET6 then? The above will prevent NSD from being able
> to bind to an IPv6 socket.
>
> I don't know where this file came from, but it's not good. If it's in
> there, people will use it. If you really want to provide a systemd unit
> file, then provide a minimal one that will work on most systems. A
> packager for a particular distro can add things to it if he likes.
> Additionally, if a user wants to tighten things up, they can always
> create an overlay for this unit file on their systems. Adding to a
> systemd unit is easier than removing existing directives in the base
> unit file.
>
> Regards,
> Anand
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
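
Added example (not part of the thread, and not NSD's or systemd's own code): a small Python check for the situation raised in the message above, a RestrictAddressFamilies= allow-list that leaves out AF_INET6. It is a simplified model of the merge rules documented for that directive (the first assignment picks allow or deny mode, later ones add or remove, an empty value resets) and ignores the "none" keyword and section headers; the unit text, the NEEDED set and the function names are constructed for illustration.

```python
# Added example: simplified model of how systemd merges RestrictAddressFamilies=
# lines from a unit file and its drop-ins. All unit text here is constructed.

def effective_families(*unit_texts):
    """Return (mode, families); mode is None (no restriction), 'allow' or 'deny'."""
    mode, fams = None, set()
    for text in unit_texts:                    # base unit first, then drop-ins
        for raw in text.splitlines():
            key, sep, value = raw.strip().partition("=")
            if not sep or key.strip() != "RestrictAddressFamilies":
                continue
            value = value.strip()
            if not value:                      # empty assignment resets everything
                mode, fams = None, set()
                continue
            negate = value.startswith("~")     # "~" marks a deny-list
            names = set(value.lstrip("~").split())
            if mode is None:                   # first assignment fixes the mode
                mode, fams = ("deny" if negate else "allow"), set()
            if negate == (mode == "deny"):     # same kind: add to the list
                fams |= names
            else:                              # opposite kind: remove from the list
                fams -= names
    return mode, fams

def blocked(required, *unit_texts):
    """Families in `required` that the merged directive would refuse."""
    mode, fams = effective_families(*unit_texts)
    if mode is None:
        return set()
    return {f for f in required if (f in fams) == (mode == "deny")}

# Assumption: the daemon listens on IPv4 and IPv6 and uses a local UNIX socket.
NEEDED = {"AF_INET", "AF_INET6", "AF_UNIX"}

# Constructed base unit carrying only the directive quoted in the thread.
BASE_UNIT = "[Service]\nRestrictAddressFamilies=AF_INET AF_UNIX\n"
# Constructed drop-in (overlay) that widens the allow-list.
DROP_IN = "[Service]\nRestrictAddressFamilies=AF_INET6\n"

if __name__ == "__main__":
    print("base unit blocks:", sorted(blocked(NEEDED, BASE_UNIT)))
    print("with drop-in blocks:", sorted(blocked(NEEDED, BASE_UNIT, DROP_IN)))
```
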
Paul Wouters
2020-May-28 18:55 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
On Thu, 28 May 2020, Wouter Wijngaards via nsd-users wrote:

>> I have a suggestion. Maybe just delete this nsd.service file.

> Thank you for the suggestion. Removed it. Complicated and not useful
> is not what I want for a contrib file, instead I would want files in
> contrib to be helpful and add to make use of NSD in different
> environments easier.

It is also completely different from the one used in fedora or epel/centos.

> Yes the removal of IPv6 also seems counterproductive to me.

This all came in via 70346a384 by you as part of the --enable-systemd
patch. It also includes the "socket activation" stuff, eg
contrib/nsd.socket that also makes absolutely no sense for a DNS server
daemon that is expected to always run anyway. And their default is
to activate it via queries received on 127.0.0.1.

Note for fedora/centos, I do not compile with --enable-systemd because
of these reasons, even though I would like to enable the systemd
watchdog part that is part of that feature. Perhaps the socket
activation and software watchdog parts can be split into two different
configure options? (--enable-sd-notify and --enable-sd-socket ?)

Paul
Wouter Wijngaards
2020-Jun-02 06:29 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi Paul,

On 28/05/2020 20:55, Paul Wouters wrote:
> On Thu, 28 May 2020, Wouter Wijngaards via nsd-users wrote:
>
>>> I have a suggestion. Maybe just delete this nsd.service file.
>
>> Thank you for the suggestion. Removed it. Complicated and not useful
>> is not what I want for a contrib file, instead I would want files in
>> contrib to be helpful and add to make use of NSD in different
>> environments easier.
>
> It is also completely different from the one used in fedora or epel/centos.
>
>> Yes the removal of IPv6 also seems counterproductive to me.
>
> This all came in via 70346a384 by you as part of the --enable-systemd
> patch. It also includes the "socket activation" stuff, eg

Sorry about that Paul, I include stuff that people ask me, and I am no
expert on systemd, either.

> contrib/nsd.socket that also makes absolutely no sense for a DNS server
> daemon that is expected to always run anyway. And their default is
> to activate it via queries received on 127.0.0.1.

The code for that has since been removed from NSD in its entirety, in
4.3.0. The sd socket code is removed. Code for sd notify is still there.

>
> Note for fedora/centos, I do not compile with --enable-systemd because
> of these reasons, even though I would like to enable the systemd
> watchdog part that is part of that feature. Perhaps the socket
> activation and software watchdog parts can be split into two different
> configure options? (--enable-sd-notify and --enable-sd-socket ?)

The --enable-sd-socket option is not needed because code has been
removed. The --enable-systemd option enables the sd-notify feature.

Best regards, Wouter

>
> Paul