Bug 1787755

Summary: Any subdomain occurence in update-policy is breaking ms-self dynamic grant policy
Product: Red Hat Enterprise Linux 8 Reporter: vaclav
Component: bindAssignee: Petr Menšík <pemensik>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: high Docs Contact:
Priority: medium    
Version: 8.2CC: aegorenk
Target Milestone: rcKeywords: Triaged
Target Release: 8.0   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-05 07:30:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description vaclav 2020-01-05 02:10:35 UTC 
I just migrated our dns configuration from 6 to 8. Our dynamic dns updates from Windows machines stopped working. We use KRB5 keytab, gss updates. After some investigation I found that after commenting all "deny subdomain lines it started to work again".

This is working:
        update-policy {
                grant ad1$@MY.DOMAIN subdomain my.domain. ANY;
                grant ad2$@MY.DOMAIN subdomain my.domain. ANY;
                grant dc1$@MY.DOMAIN subdomain my.domain. ANY;
                grant dc2$@MY.DOMAIN subdomain my.domain. ANY;
                deny * name ad1.my.domain. ANY;
                deny * name ad2.my.domain. ANY;
                deny * name dc1.my.domain. ANY;
                deny * name dc2.my.domain. ANY;
                grant MY.DOMAIN ms-self . A AAAA;
        };

It logs "view internal: update 'my.domain/IN' denied" but updates works well.


BUT with this ms-self clause IS NOT working:
        update-policy {
                grant ad1$@MY.DOMAIN subdomain my.domain. ANY;
                grant ad2$@MY.DOMAIN subdomain my.domain. ANY;
                grant dc1$@MY.DOMAIN subdomain my.domain. ANY;
                grant dc2$@MY.DOMAIN subdomain my.domain. ANY;
                deny * name ad1.my.domain. ANY;
                deny * name ad2.my.domain. ANY;
                deny * name dc1.my.domain. ANY;
                deny * name dc2.my.domain. ANY;
                deny * subdomain anything.really.does.not.matter.what. ANY;
                grant MY.DOMAIN ms-self . A AAAA;
        };

Bind is logging "update failed: rejected by secure update (REFUSED)".

It really does not matter what subdomain I put into subdomain line, every subdomain option breaks policies following that line. Btw. it was working fine in major version 6.

Bind version: BIND 9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1
Comment 1 Petr Menšík 2020-09-24 20:56:03 UTC 
I have tried reproducing it on freeipa instance, but could not reproduce this issue.

BIND update policy: deny * subdomain anything.really.does.not.matter.what. ANY; grant IPA.TEST krb5-self * A; grant IPA.TEST krb5-self * AAAA; grant IPA.TEST krb5-self *
                      SSHFP;

With this, update worked just fine. If it is ms kerberos specific problem, it would take more time to validate.
Comment 6 RHEL Program Management 2021-07-05 07:30:04 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.