Bug 733371

Summary: DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
Product: Red Hat Enterprise Linux 6 Reporter: Martin Kosek <mkosek>
Component: bind-dyndb-ldapAssignee: Adam Tkac <atkac>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: high    
Version: 6.2CC: batkisso, benl, dpal, grajaiya, jgalipea, lucas.yamanishi, ovasik
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:51:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 667729, 701677, 756082, 767486    

Description Martin Kosek 2011-08-25 15:08:02 UTC 
Description of problem:
BZ 667729 allowed specifying query and transfer policy settings for a zone. However, this does not work when integrated into FreeIPA. After the FreeIPA DS schema was enhanced with new attributeTypes/objectClasses and a value was added to idnsAllowQuery/idnsAllowTransfer, bind-dyndb-ldap plugin did not load any zone with following error in /var/log/messages:

Aug 25 10:13:15 vm-063 named[31447]: received SIGHUP signal to reload zones
Aug 25 10:13:15 vm-063 named[31447]: loading configuration from '/etc/named.conf'
Aug 25 10:13:15 vm-063 named[31447]: using default UDP/IPv4 port range: [1024, 65535]
Aug 25 10:13:15 vm-063 named[31447]: using default UDP/IPv6 port range: [1024, 65535]

>>> Aug 25 10:13:15 vm-063 named[31447]: no valid zones found

Aug 25 10:13:15 vm-063 named[31447]: none:0: open: /etc/rndc.key: file not found
Aug 25 10:13:15 vm-063 named[31447]: couldn't add command channel 127.0.0.1#953: file not found
Aug 25 10:13:15 vm-063 named[31447]: none:0: open: /etc/rndc.key: file not found
Aug 25 10:13:15 vm-063 named[31447]: couldn't add command channel ::1#953: file not found
Aug 25 10:13:15 vm-063 named[31447]: zone 78.16.10.in-addr.arpa/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone example.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone idm.lab.bos.redhat.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: reloading configuration succeeded
Aug 25 10:13:15 vm-063 named[31447]: reloading zones succeeded

If the idnsAllowQuery is cleared and name server is reloaded, zones are resolvable again.

LDAPsearch for relevant LDAP object:

# example.com, dns, idm.lab.bos.redhat.com
dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: vm-063.idm.lab.bos.redhat.com.
idnsSOAserial: 2011250801
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: example.com
idnsSOAmName: vm-063.idm.lab.bos.redhat.com.
idnsSOArName: root.example.com.
idnsAllowDynUpdate: FALSE
idnsAllowQuery: 127.0.0.1

Relevant attributes from enhanced FreeIPA DS cn=schema:
attributeTypes: ( 2.16.840.1.113730.3.8.5.11 NAME 'idnsAllowQuery' DESC 'BIND9
  allow-query ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.26 X-ORIGIN ( 'IPA v2 - bind-dyndb-ldap schema' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.12 NAME 'idnsAllowTransfer' DESC 'BI
 ND9 allow-transfer ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.26 X-ORIGIN ( 'IPA v2 - bind-dyndb-ldap schema' 'user define
 d' ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' S
 UP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName 
 $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAmini
 mum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer ) X-ORIGIN 
 'IPA v2 - bind-dyndb-ldap schema' )


Version-Release number of selected component (if applicable):
bind-dyndb-ldap-0.2.0-3.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Install FreeIPA with the enhancement from build I will provide
2. Configure FreeIPA ipa-server-install --setup-dns which will configured FreeIPA with DNS support
3. Add new zone with "ipa dnszone-add example.com"
4. Fill idnsAllowQuery attribute with "ipa dnszone-mod --allow-query=127.0.0.1
5. Reload name server with "service named reload"
6. Check that example.com is resolvable

Actual results:
Zones are not loaded (see /var/log/messages), no zone defined by FreeIPA is resolvable

Expected results:
Every zone is resolvable, zone example.com is resolvable from localhost only

Additional info:
Comment 5 Dmitri Pal 2011-12-11 19:03:27 UTC 
*** Bug 766233 has been marked as a duplicate of this bug. ***
Comment 8 Martin Kosek 2012-03-06 13:19:26 UTC 
During the implementation of this feature we also found that the bind-dyndb-ldap plugin does not accept loopback address in allow-query or allow-transfer ACL. Therefore, IPA server framework rejects loopback addresses and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

To verify this bug, please test with non-loopback addresses (like 10.0.0.1) and test the the ACL works correctly, i.e. when allow-query is set to for example "10.0.0.1;none;" it is really resolvable only from machine with IP 10.0.0.1, etc.
Comment 9 Adam Tkac 2012-03-08 14:30:47 UTC 
(In reply to comment #8)
> During the implementation of this feature we also found that the
> bind-dyndb-ldap plugin does not accept loopback address in allow-query or
> allow-transfer ACL. Therefore, IPA server framework rejects loopback addresses
> and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

This should work, I've just tested it with the latest & greatest bind-dyndb-ldap-1.1.0-0.9.b1.fc16 (RHEL 6.3 package is same).

I have zone atkac.brq.redhat.com. which contains following:

[atkac@ipa ~]$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com'
...
# atkac.brq.redhat.com, dns, atkac.brq.redhat.com
dn: idnsname=atkac.brq.redhat.com,cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com
idnsZoneActive: TRUE
...
idnsAllowQuery: 127.0.0.1;
...

and named behaves as expected (i.e. only queries from 127.0.0.1 are allowed).
Comment 10 Jenny Severance 2012-04-24 18:54:21 UTC 
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=733371
:: [   PASS   ] :: Running 'ipa dnszone-add example.com --name-server=dhcp-185-247.testrelm.com --admin-email=admin'
:: [   PASS   ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.1.1'
:: [   PASS   ] :: Running 'ipa dnszone-mod example.com --allow-query=10.16.185.247'
:: [   PASS   ] :: Running 'service named reload'
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.1.1'
:: [   PASS   ] :: Running 'ipa dnszone-mod example.com --allow-query=10.0.1.1'
:: [   PASS   ] :: Running 'service named reload'
:: [   PASS   ] :: Running 'nslookup foo.example.com | grep "server can't find foo.example.com"'
:: [   PASS   ] :: Running 'ipa dnszone-del example.com'
:: [   LOG    ] :: Duration: 27s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled


version ::

ipa-server-2.2.0-11.el6.x86_64
Comment 12 errata-xmlrpc 2012-06-20 13:51:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html