From 658d937c7c89eb49347afc3f8b2c1932b0de90f2 Mon Sep 17 00:00:00 2001 From: Jürn Brodersen Date: Mon, 29 Mar 2021 13:06:43 +0200 Subject: Bug #00000: always allow localhost to control the bind proxy Ensure named.conf.proxy is valid even if 'dns/master/address' is not set. The control socket is used by the systemd service to control the named daemon, meaning localhost always needs access. diff --git a/services/univention-bind/conffiles/etc/bind/named.conf.proxy b/services/univention-bind/conffiles/etc/bind/named.conf.proxy index 0fd3c7fb97..96c1a720e6 100644 --- a/services/univention-bind/conffiles/etc/bind/named.conf.proxy +++ b/services/univention-bind/conffiles/etc/bind/named.conf.proxy @@ -1,9 +1,11 @@ @%@UCRWARNING=# @%@ - controls{ inet 127.0.0.1 - allow { @%@dns/master/address@%@; }; +@!@ +allowed_controllers = {configRegistry.get('dns/master/address', '127.0.0.1'), '127.0.0.1'} +print('\t\tallow {{ {}; }};'.format('; '.join(sorted(allowed_controllers)))) +@!@ }; options { directory "/var/cache/bind"; diff --git a/services/univention-bind/debian/changelog b/services/univention-bind/debian/changelog index b099447a02..883be288f0 100644 --- a/services/univention-bind/debian/changelog +++ b/services/univention-bind/debian/changelog @@ -1,3 +1,9 @@ +univention-bind (14.0.0-15) unstable; urgency=medium + + * fix wait time during setup + + -- Jürn Brodersen Tue, 30 Mar 2021 10:57:38 +0200 + univention-bind (14.0.0-14) unstable; urgency=medium * Bug #52885: Fix broken bind during package configuration phase diff --git a/services/univention-bind/debian/univention-bind.postinst b/services/univention-bind/debian/univention-bind.postinst index fad302f16e..2e128e2d5b 100644 --- a/services/univention-bind/debian/univention-bind.postinst +++ b/services/univention-bind/debian/univention-bind.postinst 
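Review bot: An empty `dns/master/address` still yields a broken allow list in the named.conf.proxy hunk, because `configRegistry.get('dns/master/address', '127.0.0.1')` falls back to the default only when the variable is unset. If the variable can be set to an empty string, `''` ends up in the set and the template renders `allow { ; 127.0.0.1; };`, which is the invalid-config case the commit message sets out to prevent. `configRegistry.get('dns/master/address') or '127.0.0.1'` covers both unset and empty. The value is also written into the control-channel ACL unvalidated, so if it is meant to be a single IP address, parsing it with `ipaddress.ip_address()` and dropping it when that fails would keep the list to literal addresses. The channel still listens only on 127.0.0.1 per the `inet` line, which limits the practical exposure.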
@@ -32,6 +32,11 @@ . /usr/share/univention-lib/all.sh +if [ "$1" = "configure" ]; then + # touch config files just in case the listener module bind.py has not created them yet + touch /etc/bind/univention.conf /etc/bind/univention.conf.proxy +fi + # Remove service diversion before any service is restarted through debhelper if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 14.0.0-7; then dpkg-divert --quiet \ @@ -106,8 +111,6 @@ if [ "$1" = "configure" ]; then systemctl --system daemon-reload service bind9 start } - # touch config files just in case the listener module bind.py has not created them yet - touch /etc/bind/univention.conf /etc/bind/univention.conf.proxy if [ -n "$2" ]; then systemctl try-restart bind9 || service bind9 restart else diff --git a/services/univention-bind/debian/univention-bind.univention-config-registry b/services/univention-bind/debian/univention-bind.univention-config-registry index e9e3cffc42..03dcc08d51 100644 --- a/services/univention-bind/debian/univention-bind.univention-config-registry +++ b/services/univention-bind/debian/univention-bind.univention-config-registry @@ -17,6 +17,7 @@ Variables: dns/allow/query/cache Variables: dns/allow/transfer Variables: dns/fakeroot Variables: dns/ipv6 +Variables: dns/master/address Type: file File: etc/bind/named.conf.samba4
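Review bot: The comment moved with the `touch` in the first postinst hunk does not say why its position matters. The second hunk shows the old location sat after `service bind9 start`, so the point of the move appears to be that both files exist before this script starts or restarts named. Saying so, e.g. `# must stay above every bind9 start/restart below: named.conf includes these files`, would keep a later edit from moving the block back down; the include relationship is inferred from the file names, so confirm it. `touch` also leaves ownership and mode to root's umask, so it is worth confirming that the result matches what the listener module bind.py creates. The `if … dpkg-divert` block that follows the added lines continues outside the hunk.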