Bug 958142

Summary: TTL values > 2^31-1 are not handled properly
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: bind-dyndb-ldapAssignee: Petr Spacek <pspacek>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: pspacek, xdong
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: bind-dyndb-ldap-3.5-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:11:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-04-30 13:25:25 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/117

Bind-dyndb-ldap violates [[http://tools.ietf.org/html/rfc2181#section-8|RFC 2181 section 8]]: TTL values > 2^31^-1 are not truncated to 0 as the standard prescribes.

The problem: Records with `dnsTTL` attribute TTL > 2147483647 are sent to clients with TTL value outside allowed range:
{{{
test.example.com.	2147483648 IN	A	192.0.2.55
}}}

All values higher than 2147483647 should be truncated to 0:
{{{
test.example.com.	0          IN	A	192.0.2.55
}}}
Comment 1 Namita Soman 2013-04-30 18:37:13 UTC 
Please provide steps to help verify this
Comment 3 Petr Spacek 2013-05-02 08:44:59 UTC 
According to the description in the upstream ticket:
Create a DNS record with TTL value > 2147483647 and then 'dig' for the new record.

Some IPA versions do not allow you to create such record, but you can create ordinary record and then use ldapmodify do to raise the TTL value.
Comment 4 Petr Spacek 2013-05-21 11:44:36 UTC 
Fixed upstream by commit ccc439e5a5d8d2e0e6dbcb85351f48c501fdad03.
Comment 5 Xiyang Dong 2014-01-13 21:11:31 UTC 
Verified on :
ipa-server-3.3.3-6.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64

[root@70master acceptance]# ipa dnsrecord-add testrelm.com bz958142 --a-rec=1.2.3.4
  Record name: bz958142
  A record: 1.2.3.4
[root@70master acceptance]# dig bz958142.testrelm.com

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> bz958142.testrelm.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bz958142.testrelm.com.		IN	A

;; ANSWER SECTION:
bz958142.testrelm.com.	86400	IN	A	1.2.3.4

;; AUTHORITY SECTION:
testrelm.com.		86400	IN	NS	70master.testrelm.com.

;; ADDITIONAL SECTION:
70master.testrelm.com.	1200	IN	A	10.18.57.215

;; Query time: 1 msec
;; SERVER: 10.18.57.215#53(10.18.57.215)
;; WHEN: Mon Jan 13 16:03:48 EST 2014
;; MSG SIZE  rcvd: 105

[root@70master acceptance]#  ldapsearch -x -D "cn=Directory Manager" -w Secret123|grep bz958142 -C 1

# bz958142, testrelm.com, dns, testrelm.com
dn: idnsname=bz958142,idnsname=testrelm.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 1.2.3.4
idnsName: bz958142

[root@70master acceptance]# cat abc.ldif 
dn: idnsname=bz958142,idnsname=testrelm.com,cn=dns,dc=testrelm,dc=com
changetype: modify
replace: dNSTTL
dNSTTL: 2147483648

[root@70master acceptance]# ldapmodify -x -D "cn=Directory Manager" -w Secret123  -f abc.ldif 
modifying entry "idnsname=bz958142,idnsname=testrelm.com,cn=dns,dc=testrelm,dc=com"

[root@70master acceptance]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful

[root@70master acceptance]#  ldapsearch -x -D "cn=Directory Manager" -w Secret123|grep bz958142 -C 1

# bz958142, testrelm.com, dns, testrelm.com
dn: idnsname=bz958142,idnsname=testrelm.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 1.2.3.4
idnsName: bz958142
dNSTTL: 2147483648

[root@70master acceptance]# dig bz958142.testrelm.com

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> bz958142.testrelm.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38951
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bz958142.testrelm.com.		IN	A

;; ANSWER SECTION:
bz958142.testrelm.com.	0	IN	A	1.2.3.4

;; AUTHORITY SECTION:
testrelm.com.		86400	IN	NS	70master.testrelm.com.

;; ADDITIONAL SECTION:
70master.testrelm.com.	1200	IN	A	10.18.57.215

;; Query time: 1 msec
;; SERVER: 10.18.57.215#53(10.18.57.215)
;; WHEN: Mon Jan 13 16:11:52 EST 2014
;; MSG SIZE  rcvd: 105
Comment 6 Ludek Smid 2014-06-13 11:11:39 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.