| Summary: | DNS records served through recursive bind which have a CNAME pointing to a DNAME result in a servfail | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Dan Bradley <danb> |
| Component: | bind | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED UPSTREAM | QA Contact: | qe-baseos-daemons |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 5.11 | CC: | thozza |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-01 09:44:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.
If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.
For information on how to contact the Red Hat production support team, please visit:
https://www.redhat.com/support/process/production/#howto
Also RHEL-5 is already in production phase 3, which means that only Critical impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be addressed. Please see https://access.redhat.com/support/policy/updates/errata#Production_3_Phase for further information.
This seems to be in the upstream bind implementation from the ISC. I'll get a bug filed up there and you can remove this one. Thank you for the information. Closing as UPSTREAM.
Description of problem:

If you have a DNS record which is a CNAME pointing to a DNAME record, DNS resolution attempts through Red Hat bind result in a servfail instead of returning the record when the cache expires.

Version-Release number of selected component (if applicable):

I think we have isolated this to bind93-CVE-2016-8864.patch being applied.

bind-9.3.6-25.P1.el5_11.11

How reproducible:

100% reproducible.

Steps to Reproduce:

1. Install and set up bind to be a caching forwarder to any DNS service (Google's DNS at 8.8.8.8 is reliable) using forward only.
2. On a separate DNS service, create a record (uses 2 zones) which looks like this (set the TTL to 0 to reproduce every time. You will get intermittent responses if you have a cacheable TTL):

```
abc4.test.stevenngo.me.  IN CNAME roy.osd.test.stevenngo.me.
osd.test.stevenngo.me.   IN DNAME test2.stevenngo.me.
roy.test2.stevenngo.me.  IN A     12.12.12.12
```

3. Send a dig through your recursive resolver in an attempt to resolve the request.

Actual results:

```
[root@ip-172-31-53-34 etc]# dig @localhost abc4.test.stevenngo.me.

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.11 <<>> @localhost abc4.test.stevenngo.me.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc4.test.stevenngo.me.        IN      A

;; Query time: 53 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 29 10:47:51 2016
;; MSG SIZE  rcvd: 40

[root@ip-172-31-53-34 etc]#
```

Expected results:

```
[root@ip-172-31-53-34 etc]# dig @8.8.8.8 abc4.test.stevenngo.me.

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.11 <<>> @8.8.8.8 abc4.test.stevenngo.me.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5920
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc4.test.stevenngo.me.        IN      A

;; ANSWER SECTION:
abc4.test.stevenngo.me.     0 IN CNAME roy.osd.test.stevenngo.me.
osd.test.stevenngo.me.      0 IN DNAME test2.stevenngo.me.
roy.osd.test.stevenngo.me.  0 IN CNAME roy.test2.stevenngo.me.
roy.test2.stevenngo.me.     0 IN A     12.12.12.12

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 29 10:48:53 2016
;; MSG SIZE  rcvd: 134

[root@ip-172-31-53-34 etc]#
```

Additional info:

```
[root@ip-172-31-53-34 etc]# rpm -qa | grep bind
bind-chroot-9.3.6-25.P1.el5_11.11
bind-libs-9.3.6-25.P1.el5_11.11
bind-9.3.6-25.P1.el5_11.11
bind-utils-9.3.6-25.P1.el5_11.11
[root@ip-172-31-53-34 etc]#
[root@ip-172-31-53-34 etc]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
[root@ip-172-31-53-34 etc]#
[root@ip-172-31-53-34 etc]# cat named.conf
options {
        directory "/var/named";
        version "get lost";
        recursion yes;
        allow-transfer {"none";};
        allow-recursion {127.0.0.1/32;};
        forwarders { 8.8.8.8; 8.8.4.4; };
        forward only;
};
include "/etc/named.root.hints";
[root@ip-172-31-53-34 etc]#
```
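As an added illustration (not code from the report or from BIND), the following small in-memory resolver follows the report's CNAME → DNAME chain the way RFC 6672 DNAME substitution specifies; its zone is constructed from the three records in the reproduction steps, and with them it yields the same four-record answer section that 8.8.8.8 returns, while a chain that never terminates becomes SERVFAIL.

```python
# Toy recursive-resolver logic that follows a CNAME -> DNAME -> A chain by
# applying RFC 6672 DNAME substitution. The zone below is constructed from the
# three records in this report; it is an illustration, not BIND's code.
ZONE = {
    "abc4.test.stevenngo.me.": ("CNAME", "roy.osd.test.stevenngo.me."),
    "osd.test.stevenngo.me.": ("DNAME", "test2.stevenngo.me."),
    "roy.test2.stevenngo.me.": ("A", "12.12.12.12"),
}


def dname_substitute(qname, owner, target):
    """Replace the DNAME owner suffix of qname with the DNAME target (RFC 6672 s.2.2)."""
    if not qname.endswith("." + owner):
        raise ValueError("%s is not below DNAME owner %s" % (qname, owner))
    return qname[: -len(owner) - 1] + "." + target


def find_dname(qname, zone):
    """Return (owner, target) of the closest DNAME strictly above qname, or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):  # a DNAME never applies to its own owner name
        ancestor = ".".join(labels[i:]) + "."
        rr = zone.get(ancestor)
        if rr and rr[0] == "DNAME":
            return ancestor, rr[1]
    return None


def resolve(qname, qtype, zone, max_hops=8):
    """Return (rcode, answer_section) as a resolver should; SERVFAIL on an overlong chain."""
    answer, name = [], qname
    for _ in range(max_hops):
        rr = zone.get(name)
        if rr and rr[0] == qtype:
            answer.append((name, qtype, rr[1]))
            return "NOERROR", answer
        if rr and rr[0] == "CNAME":            # follow an explicit CNAME
            answer.append((name, "CNAME", rr[1]))
            name = rr[1]
            continue
        dname = find_dname(name, zone)
        if dname:                               # synthesize the CNAME a DNAME implies
            owner, target = dname
            new_name = dname_substitute(name, owner, target)
            answer.append((owner, "DNAME", target))
            answer.append((name, "CNAME", new_name))
            name = new_name
            continue
        return "NXDOMAIN", answer
    return "SERVFAIL", answer                   # loop or chain too long
```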