Bug 392491

Summary: view address match list isn't working properly
Product: [Fedora] Fedora Reporter: Jonathan Kamens <h1k6zn2m>
Component: bindAssignee: Adam Tkac <atkac>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: ovasik
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 9.5.0-20.b1.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-20 15:24:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
named configuration file
none
named.run file showing errors at the bottom about no matching view none

Description Jonathan Kamens 2007-11-20 14:50:18 UTC 
With this in one of my views in named.conf:

	match-clients { !192.168.0.0/24; !66.92.74.180; !127.0.0.0/24; any; };

queries from 192.168.3.2 are rejected:

	client 192.168.3.2#1061: no matching view in class 'IN'

If I remove the !192.168.0.0/24; the problem goes away.  I hope it's obvious
that 192.168.3.2 is not in the CIDR block "192.168.0.0/24" :-).  This broke when
I upgraded to bind-9.5.0-17.a7.fc9.

I'm marking this urgent because I imagine that if address match lists aren't
working here, they're probably not working elsewhere as well, and this is a
security issue.

  jik
Comment 1 Adam Tkac 2007-11-20 18:18:55 UTC 
I tried to reproduce this issue but I wasn't successful. Could you please attach
configuration files and log?

Thanks, Adam
Comment 2 Jonathan Kamens 2007-11-26 10:27:35 UTC 
Created attachment 268751 [details]
named configuration file
Comment 3 Jonathan Kamens 2007-11-26 10:28:01 UTC 
Created attachment 268761 [details]
named.run file showing errors at the bottom about no matching view
Comment 4 Adam Tkac 2007-11-28 17:40:38 UTC 
Upstream doesn't think this is security issue. They fixed it today in CVS and I
will wait to 9.5.0b1. You should have only any; acl in external view (please see
example on http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#view_statement_grammar)

Thanks for your report
Comment 5 Fedora Update System 2007-12-07 21:30:13 UTC 
bind-9.5.0-19.b1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update bind'
Comment 6 Fedora Update System 2007-12-20 19:49:11 UTC 
bind-9.5.0-20.b1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.