Bug 921167
Summary: | update-policy with match type 'zonesub' crashes BIND with bind-dyndb-ldap | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Najmuddin Chirammal <nc> |
Component: | bind-dyndb-ldap | Assignee: | Petr Spacek <pspacek> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 6.3 | CC: | dpal, pspacek, sradvan, yjog |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
The bind-dyndb-ldap plug-in processed update policies with match-type 'zonesub' incorrectly.
Consequence:
The problem led to the BIND daemon terminating unexpectedly during update-policy processing.
Fix:
The bind-dyndb-ldap plug-in has been fixed to process update-policy with match-type 'zonesub' correctly.
Result:
The bind-dyndb-ldap plug-in no longer crashes during update-policy processing.
|
Last Closed: | 2013-11-21 12:10:48 UTC | Type: | Bug |
Bug Blocks: | 835616, 883504, 960054 |
Comment 3
Petr Spacek
2013-03-13 19:07:32 UTC
Upstream ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/111

Match type 'zonesub' is not handled properly.

Workaround: Replace 'zonesub' with 'subdomain' match type. E.g. for zone 'example.com' use the following update policy:

    grant keyname subdomain example.com;

Result: Update requests signed by key 'keyname' are allowed to change all records in zone 'example.com'.

Fixed in upstream by commit 55b623b947b8bef1eb31ad6cd4efe1b846c036c4.

Using ipa-server-3.0.0-33.el6.x86_64, followed steps:

    # cat /etc/named.conf
    <snip>
    ...
    key selfupdate {
        algorithm hmac-md5;
        secret "05Fu1ACKv1/1Ag==";
    };

    # ipa dnszone-mod testrelm.com --update-policy="grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP; grant selfupdate zonesub A;"
      Zone name: testrelm.com
      Authoritative nameserver: mgmt6.testrelm.com.
      Administrator e-mail address: hostmaster.testrelm.com.
      SOA serial: 1377713531
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP; grant selfupdate zonesub A;
      Active zone: TRUE
      Allow query: any;
      Allow transfer: none;

    # service named restart
    Stopping named: .[ OK ]
    Starting named: [ OK ]

    # ipa dnszone-show testrelm.com --all
      dn: idnsname=testrelm.com,cn=dns,dc=testrelm,dc=com
      Zone name: testrelm.com
      Authoritative nameserver: mgmt6.testrelm.com.
      Administrator e-mail address: hostmaster.testrelm.com.
      SOA serial: 1377715681
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP; grant selfupdate zonesub A;
      Active zone: TRUE
      Dynamic update: TRUE
      Allow query: any;
      Allow transfer: none;
      nsrecord: mgmt6.testrelm.com.
      objectclass: top, idnsrecord, idnszone

named restarted successfully.

Verified further.

After the above steps, did further verification:

    # cat dnsupdate.txt
    server ipaqa64vme.testrelm.com
    zone testrelm.com
    key selfupdate 05Fu1ACKv1/1Ag==
    update add foo.testrelm.com. 60 IN A <IPADDR>
    send

    # nsupdate -v -D dnsupdate.txt

Verified "Outgoing" and "Reply" results (similar to dig output). Since the update was successful, got NOERROR.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1636.html
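The workaround from Comment 3 can be applied mechanically to an existing policy string on hosts that have not yet received the erratum. The following is an added example, not code from the bug report or from bind-dyndb-ldap; the function name `rewrite_zonesub` is hypothetical, and it assumes identities are unquoted tokens without whitespace or semicolons.

```python
import re

# One rule: "grant|deny <identity> <matchtype> [name] [types...];"
RULE_RE = re.compile(r"\s*(grant|deny)\s+([^\s;]+)\s+([^\s;]+)([^;]*);",
                     re.IGNORECASE)


def rewrite_zonesub(policy, zone):
    """Return (new_policy, changed) with every 'zonesub' rule rewritten
    to 'subdomain <zone>', as the workaround in Comment 3 describes."""
    out, changed, pos = [], 0, 0
    while policy[pos:].strip():
        m = RULE_RE.match(policy, pos)
        if m is None:
            # Refuse to guess: a policy we cannot parse is left to a human.
            raise ValueError("cannot parse update-policy near: %r"
                             % policy[pos:pos + 40])
        action, identity, matchtype = m.group(1), m.group(2), m.group(3)
        rest = m.group(4).split()
        if matchtype.lower() == "zonesub":
            # zonesub carries no name field, so everything after it is a
            # record type; subdomain needs the zone name inserted first.
            matchtype, rest = "subdomain", [zone] + rest
            changed += 1
        out.append(" ".join([action, identity, matchtype] + rest) + ";")
        pos = m.end()
    return " ".join(out), changed


if __name__ == "__main__":
    # Policy string taken from the verification steps on this page.
    zone = "testrelm.com"
    policy = ("grant TESTRELM.COM krb5-self * A; "
              "grant TESTRELM.COM krb5-self * AAAA; "
              "grant TESTRELM.COM krb5-self * SSHFP; "
              "grant selfupdate zonesub A;")
    fixed, n = rewrite_zonesub(policy, zone)
    print("%d rule(s) rewritten" % n)
    print('ipa dnszone-mod %s --update-policy="%s"' % (zone, fixed))
```

The rewritten rule keeps the same key and record types, so the set of names the key may update is unchanged.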