Bug 750947

Summary: Adding loc records to a ipa-dns server breaks name resolution for some other records.
Product: Red Hat Enterprise Linux 6 Reporter: Michael Gregg <mgregg>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.1CC: atkac, grajaiya, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-3.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:16:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 751776    
Bug Blocks: 756082    

Description Michael Gregg 2011-11-02 23:00:55 UTC 
Description of problem:
After I add a loc record to a ipa-integrated dns server, I am unable to use the dns server properly. 

This bug might apply to the bind-dyndb-ldap instead of ipa

Version-Release number of selected component (if applicable):
ipa-server-2.1.4-101.20111102T0110zgitc10db54.el6.x86_64
bind-dyndb-ldap-1.0.0-0.2.b1.20111102T0032z.el6.x86_64

How reproducible:
often.

Steps to Reproduce:
1. add a new zone
2.  add a loc record
3. restart bind
4. dig for the loc record. This should work.
5. add a kx record
6. restart bind
7. dig for the loc record again. (this will probably fail) 
  
Actual results:
Step 4 finds the loc record, where step 7 does not. 

Expected results:


Additional info:
This can be reproduced using the following script on a configured ipa-server

      ipaddr=`hostname`
        zone=newzone
        email="ipaqar.redhat.com"
        serial=2010010701
        refresh=303
        retry=101
        expire=1202
        minimum=33
        ttl=55
        zone=newzone
# step 1
ipa dnszone-add --name-server=$ipaddr --admin-email=$email --serial=$serial --refresh=$refresh --retry=$retry --expire=$expire --minimum=$minimum --ttl=$ttl $zone
        loclat="121"
        loclong="59"
        loc="37 23 30.900 N $loclat $loclong 19.000 W 7.00m 100.00m 100.00m 2.00m"
# setp 2
       ipa dnsrecord-add $zone @ --loc-rec "$loc"
# step 3
       /etc/init.d/named restart
# step 4
       dig $zone LOC
#step 5
       kxpref1="12345678"
       a="1.2.3.4"
       ipa dnsrecord-add $zone @ --kx-rec "$kxpref1 $a"
# step 6
       /etc/init.d/named restart
# step 7
       dig $zone LOC
Comment 2 Martin Kosek 2011-11-03 12:50:32 UTC 
I think the name server behaves as expected.

The KX records you added for the zone is not valid. Only values between 0 and 65535 are allowed for the KX preference field. 12345678 is out of this range. Invalid record in a zone caused the entire zone not to be loaded (including LOC record).

Improved validation of complex DNS records is planned for RHEL 6.3.0. You can check a relevant upstream ticket:

https://fedorahosted.org/freeipa/ticket/1106

An upstream patch which would detect this invalid KX record value was already sent to freeipa-devel list. If you don't mind, I will close this BZ as a duplicate to Bug 738788 you reported, which already deals with DNS record validation and KX record specifically.
Comment 3 Michael Gregg 2011-11-03 22:22:17 UTC 
Invalid or not, is it correct for the addition of a KX record to break name resolution for other record types?
Comment 4 Martin Kosek 2011-11-04 08:28:10 UTC 
That's a good question.

Adam, do you think that we could modify bind-dyndb-ldap to ignore the invalid DNS record instead of breaking the whole zone? Is it a good idea?
Comment 5 Adam Tkac 2011-11-04 09:09:58 UTC 
(In reply to comment #4)
> That's a good question.
> 
> Adam, do you think that we could modify bind-dyndb-ldap to ignore the invalid
> DNS record instead of breaking the whole zone? Is it a good idea?

It should be possible to ignore invalid record with warning. However I'm not sure this is the right thing.

When user tries to add a bad record, I think he expects immediate error message, not run-time error message from named in /var/log/messages...

Currently I see two correct ways how to deal with this:

1. don't modify records directly in LDAP, use nsupdate utility instead of this. This way you can catch bad records early (named validates each DDNS update sent via nsupdate). Btw I think this is the right way if I think about serving of DNSSEC-signed zones by IPA. If you modify records in LDAP, you must also create/modify it's signatures. BIND can do this for us so why not to use it...

2. implement some kind of checking in the ipa utility. In my opinion this is more painful way than the "1.", especially when thing about DNSSEC because you will have to compute & create signatures.
Comment 8 Martin Kosek 2011-11-07 08:17:28 UTC 
Adam, you have a point. But there will need to be a technical discussion about possibility #1.

For this moment, I will leave this bug as is until we resolve it.
Comment 9 Martin Kosek 2011-11-07 14:40:07 UTC 
We discussed this with Adam today. We both think that the best solution here would be to go with option #2 + enhance bind-dyndb-ldap plugin to rather ignore invalid zone records and print an error to /var/log/messages than to skip the whole zone (Bug 751776). This behavior should be then properly documented in IPA guide.
Comment 10 Martin Kosek 2011-11-07 14:54:49 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2072
Comment 11 Michael Gregg 2011-11-07 19:52:20 UTC 
The proposed resolution for this ticket sounds like a good one. 

Given that this bug only comes up when a user uses invalid dns input, I think that we can set the priority on this bug to medium or low.
Comment 12 Martin Kosek 2011-11-08 08:24:15 UTC 
The good thing is also that ipa-server in 6.3.0 will introduce improved validation of DNS records. You can check upstream ticket there:

https://fedorahosted.org/freeipa/ticket/1106

ipa then won't let you add an invalid KX record like the one you entered.
Comment 13 Rob Crittenden 2011-11-11 16:59:23 UTC 
Validation fixed upstream:

master: efc3e2c1f7a3dcf5e94736395d39e1fa2800a490
Comment 14 Michael Gregg 2011-12-22 20:40:12 UTC 
tests ipa-dns-151 through ipa-dns-154 specifically to test this bug added here: https://beaker.engineering.redhat.com/tasks/4926
Comment 15 Martin Kosek 2012-02-24 09:01:21 UTC 
Fixed upstream:

master: 1816643a43802ca2a353930cb2bbb2781b39c80f
ipa-2-2: bd09e542493f67df4829ae58f2c78ee44bfbc677
Comment 18 Martin Kosek 2012-04-19 11:34:02 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 19 Jenny Severance 2012-04-27 18:27:21 UTC 
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz750947 Adding loc records to a ipa-dns server breaks name resolution for some other records
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'ipa dnsrecord-add newzone aaaa --aaaa-rec="fec0:0:a10:6000:11:16ff:fe98:122"'
:: [   PASS   ] :: make sure ipa recieved record type AAAA
:: [   PASS   ] :: Restart named
:: [   PASS   ] :: make sure dig can find the AAAA record
:: [   PASS   ] :: delete the AAAA record added
:: [   LOG    ] :: Duration: 22s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: bz750947 Adding loc records to a ipa-dns server breaks name resolution for some other records


version ::
ipa-server-2.2.0-11.el6.x86_64
Comment 22 errata-xmlrpc 2012-06-20 13:16:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html