Bug 733371
| Summary: | DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Kosek <mkosek> |
| Component: | bind-dyndb-ldap | Assignee: | Adam Tkac <atkac> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2 | CC: | batkisso, benl, dpal, grajaiya, jgalipea, lucas.yamanishi, ovasik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 13:51:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 667729, 701677, 756082, 767486 | | |
Description
Martin Kosek
2011-08-25 15:08:02 UTC
*** Bug 766233 has been marked as a duplicate of this bug. ***

During the implementation of this feature we also found that the bind-dyndb-ldap plugin does not accept a loopback address in the allow-query or allow-transfer ACL. Therefore, the IPA server framework rejects loopback addresses and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

To verify this bug, please test with non-loopback addresses (like 10.0.0.1) and test that the ACL works correctly, i.e. when allow-query is set to for example "10.0.0.1;none;" it is really resolvable only from the machine with IP 10.0.0.1, etc.

(In reply to comment #8)
> During the implementation of this feature we also found that the
> bind-dyndb-ldap plugin does not accept loopback address in allow-query or
> allow-transfer ACL. Therefore, IPA server framework rejects loopback addresses
> and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

This should work, I've just tested it with the latest & greatest bind-dyndb-ldap-1.1.0-0.9.b1.fc16 (RHEL 6.3 package is same). I have zone atkac.brq.redhat.com. which contains the following:

```
[atkac@ipa ~]$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com'
...
# atkac.brq.redhat.com, dns, atkac.brq.redhat.com
dn: idnsname=atkac.brq.redhat.com,cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com
idnsZoneActive: TRUE
...
idnsAllowQuery: 127.0.0.1;
...
```

and named behaves as expected (i.e. only queries from 127.0.0.1 are allowed).
verified

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=733371
:: [ PASS ] :: Running 'ipa dnszone-add example.com --name-server=dhcp-185-247.testrelm.com --admin-email=admin'
:: [ PASS ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.1.1'
:: [ PASS ] :: Running 'ipa dnszone-mod example.com --allow-query=10.16.185.247'
:: [ PASS ] :: Running 'service named reload'
:: [ PASS ] :: Running 'dig +short -t A foo.example.com | grep 10.0.1.1'
:: [ PASS ] :: Running 'ipa dnszone-mod example.com --allow-query=10.0.1.1'
:: [ PASS ] :: Running 'service named reload'
:: [ PASS ] :: Running 'nslookup foo.example.com | grep "server can't find foo.example.com"'
:: [ PASS ] :: Running 'ipa dnszone-del example.com'
:: [ LOG ] :: Duration: 27s
:: [ LOG ] :: Assertions: 9 good, 0 bad
:: [ PASS ] :: RESULT: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
```

version :: ipa-server-2.2.0-11.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html
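The comments and the verification log above both rely on how a BIND address-match-list such as "10.0.0.1;none;" or "127.0.0.1;" is evaluated once it is stored in idnsAllowQuery/idnsAllowTransfer. The following is an added example, not code from bind-dyndb-ldap or FreeIPA, that models the standard BIND rules for such a list (elements tried in order, first match decides, a leading "!" negates, no match means refused) so the expected outcome of each step in the log can be checked offline. Whether the plugin parses the attribute exactly as BIND does is not shown on this page; the handling of "localhost" and "localnets" through caller-supplied address and network lists is an assumption of the model, as are the sample ACLs and client addresses, which are constructed from the values in the log.

```python
"""Model of a BIND address-match-list, the syntax held in idnsAllowQuery
and idnsAllowTransfer (e.g. "10.0.0.1;none;" or "127.0.0.1;").

Added illustration: not code from bind-dyndb-ldap or FreeIPA.  The rules
modelled are BIND's: elements are tried in order, the first element that
matches the client decides, a leading "!" negates that element, and a
client matching no element is refused.  BIND derives "localhost" and
"localnets" from the server's own interfaces; in this model the caller
passes those addresses and networks in (an assumption of the model).
"""
import ipaddress

BUILTIN_ELEMENTS = ("any", "none", "localhost", "localnets")


class AclSyntaxError(ValueError):
    """An element this model cannot parse (e.g. a named acl or a TSIG key)."""


def parse_acl(value):
    """Turn 'a; !b; none;' into an ordered list of (negated, element).

    element is one of BUILTIN_ELEMENTS or an ipaddress network; a bare
    address becomes a /32 or /128 so that it matches exactly one client.
    """
    elements = []
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue                      # trailing ';' or an empty element
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in BUILTIN_ELEMENTS:
            elements.append((negated, item))
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise AclSyntaxError(f"unsupported ACL element {item!r}") from exc
        elements.append((negated, net))
    return elements


def client_allowed(acl, client_ip, local_addrs=(), local_nets=()):
    """Return True if client_ip would pass the address-match-list `acl`."""
    client = ipaddress.ip_address(client_ip)
    local_addrs = [ipaddress.ip_address(a) for a in local_addrs]
    local_nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    for negated, element in parse_acl(acl):
        if element == "any":
            hit = True
        elif element == "none":
            hit = False                   # 'none' never matches, so it never grants
        elif element == "localhost":
            hit = client in local_addrs
        elif element == "localnets":
            hit = any(client in net for net in local_nets)
        else:
            # an IPv4 prefix never matches an IPv6 client and vice versa
            hit = client.version == element.version and client in element
        if hit:
            return not negated            # first match decides
    return False                          # nothing matched: implicit refusal


if __name__ == "__main__":
    # Constructed inputs mirroring the verification log: the server at
    # 10.16.185.247 queries itself, first with its own address in
    # allow-query and then with an unrelated one; plus the two ACLs
    # discussed in the comments.
    for acl, client in [("10.16.185.247", "10.16.185.247"),
                        ("10.0.1.1", "10.16.185.247"),
                        ("10.0.0.1;none;", "10.0.0.1"),
                        ("10.0.0.1;none;", "10.0.0.2"),
                        ("127.0.0.1;", "127.0.0.1")]:
        verdict = "allowed" if client_allowed(acl, client) else "refused"
        print(f"allow-query {acl!r:<20} client {client:<15} -> {verdict}")
```

The "none" element is worth noting: it matches nothing, so "10.0.0.1;none;" behaves exactly like "10.0.0.1;" and the refusal of every other client comes from the implicit deny at the end of the list, not from "none" itself. A negated element has to come before the broader prefix it carves an exception out of, because evaluation stops at the first match.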