Bug 1848169

Summary: named-checkconf fails to validate configuration file with CIDRs with host bits set
Product: Red Hat Enterprise Linux 8
Component: bind
Version: 8.2
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Carlos Goncalves <cgoncalves>
Assignee: Tomas Korbar <tkorbar>
QA Contact: Petr Sklenar <psklenar>
CC: aegorenk, jjoyce, pemensik, psklenar, thozza, tkorbar, whayutin
Target Milestone: rc
Target Release: 8.0
Keywords: Patch, Regression, TestCaseProvided, Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: bind-9.11.20-1.el8
Last Closed: 2020-11-04 01:50:44 UTC
Type: Bug
Bug Blocks: 1771008, 1865785

Description Carlos Goncalves 2020-06-17 20:31:22 UTC
Bind fails to validate a configuration file when host bits in CIDRs are set (e.g. 172.17.1.1/24). This is a regression after updating from bind-9.11.4-26.P2.el8 (RHEL 8.1) to bind-9.11.13-3.el8 (RHEL 8.2).

This upstream cherry-pick appears to have introduced the regression:
https://github.com/isc-projects/bind9/commit/42f998ee14bab9fb8db32f17e59409d4a9593e74

Version-Release number of selected component (if applicable):
bind-9.11.13-3.el8

How reproducible: 100%

Steps to Reproduce:
1. Install bind-9.11.13-3.el8
2. Use sample configuration file in "Additional info" below
3. Validate configuration file with "named-checkconf"

Actual results:

named-checkconf exits with an error status code.

# named-checkconf bad.conf; echo $?
bad.conf:6: '172.17.1.1/24': address/prefix length mismatch '24'
1


Expected results:

This is the result when downgraded to bind-9.11.4-26.P2.el8:

# named-checkconf bad.conf; echo $?
bad.conf:6: '172.17.1.1/24': address/prefix length mismatch
0

Additional info:

# cat bad.conf 
controls  {
        inet 172.17.1.98 port 953 allow { 172.17.1.1/24; };
};
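
Added example (not part of the original report or of BIND): a pre-upgrade scan that flags address/prefix entries with host bits set, the pattern that named-checkconf rejects in bind-9.11.13-3.el8, and prints the network address to use instead. The names `find_host_bit_cidrs` and `strip_comments` are hypothetical, the sample configuration is constructed from the bad.conf above, and the regex tokenizer is a heuristic rather than a full named.conf parser.

```python
import ipaddress
import re

# Constructed sample input, modelled on the bad.conf in this report.
SAMPLE_CONF = """\
controls  {
        inet 172.17.1.98 port 953 allow { 172.17.1.1/24; };
};
acl "trusted" {
        10.0.0.0/8;          // already a network address
        192.168.24.1/24;     # host bits set
        2001:db8::1/64;
        /* 10.1.2.3/16 is commented out */
};
"""

# named.conf comment styles: /* ... */, // ..., # ...
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Candidate address/prefix tokens (IPv4 or IPv6 followed by /length).
_CIDR = re.compile(r"(?<![\w.:])([0-9A-Fa-f:.]+)/(\d{1,3})(?![\w.])")


def strip_comments(text):
    """Blank out comments, keeping length and newlines so offsets stay valid."""
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)


def find_host_bit_cidrs(text):
    """Return (line, token, suggested_network) for prefixes with host bits set."""
    findings = []
    for m in _CIDR.finditer(strip_comments(text)):
        token = m.group(0)
        try:
            ipaddress.ip_network(token, strict=True)
            continue  # host bits are clear: no address/prefix mismatch
        except ValueError:
            pass
        try:
            fixed = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # not a valid address/prefix at all; out of scope here
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, token, str(fixed)))
    return findings


if __name__ == "__main__":
    for line, token, fixed in find_host_bit_cidrs(SAMPLE_CONF):
        print(f"line {line}: '{token}' has host bits set; use {fixed}")
```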

Comment 1 Michael Johnson 2020-06-17 20:35:35 UTC
FYI, there is an upstream fix for this already merged on the v9_11 branch that I have confirmed resolves the issue:

https://gitlab.isc.org/isc-projects/bind9/-/commit/7e2d9531a79d289ee99dd436da14efb6d9a505fc

$ ./named-checkconf bad-named.conf 
bad-named.conf:4: '192.168.24.1/24': address/prefix length mismatch
[johnsom@workstation check]$ echo $?
0

Checking out the SHA before 7e2d9531a79d289ee99dd436da14efb6d9a505fc shows the regression:

$ ./named-checkconf /tmp/bad-named.conf 
/tmp/bad-named.conf:4: '192.168.24.1/24': address/prefix length mismatch '24'
[johnsom@workstation check]$ echo $?
1

Comment 20 errata-xmlrpc 2020-11-04 01:50:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: bind security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4500