Bug 962815

Summary: Serving reverse zones for private ranges requires manual change in named.conf
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: bind-dyndb-ldap
Assignee: Petr Spacek <pspacek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: pspacek, xdong
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: bind-dyndb-ldap-3.5-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:25:15 UTC

Description Dmitri Pal 2013-05-14 13:36:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/119

From BIND version 9.9, the "automatic empty zones" defined in RFC 6303 (http://tools.ietf.org/html/rfc6303) are automatically enabled.

This prevents bind-dyndb-ldap from loading reverse zones listed in RFC 6303 section 4 (http://tools.ietf.org/html/rfc6303#section-4).


=== Workaround ===
Add a line like
{{{
disable-empty-zone "8.b.d.0.1.0.0.2.ip6.arpa.";
}}}
to `/etc/named.conf` for each 'local' reverse zone in LDAP.

=== Further reading  ===
* https://kb.isc.org/article/AA-00800 (free registration required)
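As an added example (not part of the bug report and not bind-dyndb-ldap code), the POSIX shell script below generates the workaround lines above for the reverse zones that bind-dyndb-ldap will load from LDAP, so the `disable-empty-zone` list in `/etc/named.conf` can be regenerated instead of maintained by hand. The RFC 6303 section 4 zone list is embedded; BIND's built-in list is at least this and has grown across releases, so extend it for the version in use. The zone names passed in at the bottom are constructed for illustration (the first is the one from the report); feeding it the zone names from the IPA server is left to the operator. A zone that is only a child of a built-in empty zone is flagged rather than disabled, because disabling the parent lets queries for the rest of that private range leave the resolver, which is the leakage RFC 6303 exists to stop.

```shell
#!/bin/sh
# Added example, not code from the bug report or from bind-dyndb-ldap.
# Given reverse zone names that bind-dyndb-ldap loads from LDAP, print
# the named.conf lines that stop BIND >= 9.9 from pre-loading the
# matching RFC 6303 automatic empty zones (the workaround from the report).

# RFC 6303 section 4 zones, lowercase, without the trailing dot.
# BIND's built-in list is a superset that has grown across releases,
# so extend this list for the BIND version actually in use.
RFC6303_EMPTY_ZONES="
10.in-addr.arpa
16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa
20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa
24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa
28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa
168.192.in-addr.arpa
0.in-addr.arpa 127.in-addr.arpa 254.169.in-addr.arpa
2.0.192.in-addr.arpa 100.51.198.in-addr.arpa 113.0.203.in-addr.arpa
255.255.255.255.in-addr.arpa
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
d.f.ip6.arpa
8.e.f.ip6.arpa 9.e.f.ip6.arpa a.e.f.ip6.arpa b.e.f.ip6.arpa
8.b.d.0.1.0.0.2.ip6.arpa
"

# Lowercase the name and drop the trailing dot: IPA accepts
# 8.B.D.0.1.0.0.2.IP6.ARPA. while named logs 8.b.d.0.1.0.0.2.ip6.arpa.
normalize_zone() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Exit 0 if the zone is exactly one of the RFC 6303 empty zones.
is_rfc6303_empty_zone() {
    want=$(normalize_zone "$1")
    for z in $RFC6303_EMPTY_ZONES; do
        [ "$z" = "$want" ] && return 0
    done
    return 1
}

# Print the nearest RFC 6303 zone that equals or encloses the given zone
# (168.192.in-addr.arpa for 1.168.192.in-addr.arpa); exit 1 and print
# nothing when there is none.
enclosing_empty_zone() {
    cand=$(normalize_zone "$1")
    while [ -n "$cand" ]; do
        if is_rfc6303_empty_zone "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
        case $cand in
            *.*) cand=${cand#*.} ;;
            *)   cand= ;;
        esac
    done
    return 1
}

# Emit named.conf lines for every zone given as an argument.
# An exact match gets the disable-empty-zone statement from the report.
# A zone that only sits below an empty zone gets a named.conf comment:
# disabling the parent would let queries for the rest of that private
# range leave the resolver, which RFC 6303 exists to prevent.
disable_empty_zone_stanzas() {
    for zone in "$@"; do
        n=$(normalize_zone "$zone")
        if is_rfc6303_empty_zone "$n"; then
            printf 'disable-empty-zone "%s.";\n' "$n"
        elif parent=$(enclosing_empty_zone "$n"); then
            printf '// %s lies under built-in empty zone %s; review before disabling it\n' "$n" "$parent"
        fi
    done
}

# Usage with constructed zone names; only the first one is from the report.
disable_empty_zone_stanzas \
    8.B.D.0.1.0.0.2.IP6.ARPA. \
    1.168.192.in-addr.arpa \
    example.com.
```

Append the generated statements to `/etc/named.conf`, reload named, and confirm in the log that the zone is loaded and that a `dig` for a PTR in it returns the record rather than an empty-zone answer.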

Comment 1 Namita Soman 2013-05-15 12:57:25 UTC
Please provide steps to verify...thanks!

Comment 2 Petr Spacek 2013-05-15 13:03:53 UTC
I updated the upstream ticket:

Steps to reproduce:
*    Add e.g. reverse zone 8.b.d.0.1.0.0.2.ip6.arpa. to IPA DNS
*    Add arbitrary record to the reverse zone
*    Try to dig the record or read logs from named: Zone is not loaded and records are not available to clients, because default empty zones are loaded before zones from IPA DNS

Comment 3 Petr Spacek 2013-05-29 14:53:17 UTC
Upstream ticket was closed

Comment 4 Xiyang Dong 2014-02-19 15:17:43 UTC
I added the example reverse zone but seems it's loaded
[root@70master pki]# rpm -q bind bind-dyndb-ldap
bind-9.9.4-9.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64

[root@70master ~]# testReverseZone=8.B.D.0.1.0.0.2.IP6.ARPA.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=70master.testrelm.com.
  Zone name: 8.b.d.0.1.0.0.2.ip6.arpa.
  Authoritative nameserver: 70master.testrelm.com.
  Administrator e-mail address: hostmaster.8.B.D.0.1.0.0.2.IP6.ARPA.
  SOA serial: 1392819531
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 8.b.d.0.1.0.0.2.ip6.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@70master ~]# cat /var/log/messages|tail -2
Feb 19 09:18:46 70master avahi-daemon[588]: Registering new address record for fe80::5054:ff:fe22:47c5 on eth0.*.
Feb 19 09:18:51 70master named[30360]: zone 8.b.d.0.1.0.0.2.ip6.arpa/IN: loaded serial 1392819531

Comment 5 Petr Spacek 2014-02-19 15:36:44 UTC
Please see "Fixed In Version" field in this bug.

Comment 6 Xiyang Dong 2014-02-19 15:59:57 UTC
it's saying fixed in bind-dyndb-ldap-3.5-1.el7
while my machine has bind-dyndb-ldap-3.5-2.el7.x86_64

Comment 7 Petr Spacek 2014-02-19 16:15:53 UTC
It means that version you use contains a fix already, so you can't see the problem.

Comment 8 Xiyang Dong 2014-02-19 17:23:36 UTC
Verified on:
[root@70master pki]# rpm -q bind bind-dyndb-ldap
bind-9.9.4-9.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz962815 - Serving reverse zones for private ranges requires manual change in named.conf
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 12:16:02 ] ::  execute expect file: /tmp/kinit.861.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
Using existing cache: persistent:0:0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 12:16:02 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
  Zone name: 8.b.d.0.1.0.0.2.ip6.arpa
  Authoritative nameserver: 70master.testrelm.com.
  Administrator e-mail address: hostmaster.8.b.d.0.1.0.0.2.ip6.arpa.
  SOA serial: 1392830164
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 8.b.d.0.1.0.0.2.ip6.arpa PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Add test reverse zone (Expected 0, got 0)
Feb 19 12:16:03 70master named[30360]: zone 8.b.d.0.1.0.0.2.ip6.arpa/IN: loaded serial 1392830163
:: [   PASS   ] :: Make sure this zone in the automatic empty zones is loaded after added to IPA DNS (Expected 0, got 0)

Comment 9 Petr Spacek 2014-02-19 18:19:06 UTC
Unfortunately, you didn't follow all the steps to reproduce:

(In reply to Petr Spacek from comment #2)
> I updated the upstream ticket:
> 
> Steps to reproduce:
> *    Add e.g. reverse zone 8.b.d.0.1.0.0.2.ip6.arpa. to IPA DNS
> *    Add arbitrary record to the reverse zone
> *    Try to dig the record or read logs from named: Zone is not loaded and
> records are not available to clients, because default empty zones are loaded
> before zones from IPA DNS

Please do second and third step and make sure that added zone really works.

Comment 10 Xiyang Dong 2014-02-19 20:11:02 UTC
Second and third step added:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz962815 - Serving reverse zones for private ranges requires manual change in named.conf
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:02:32 ] ::  execute expect file: /tmp/kinit.18068.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
Using existing cache: persistent:0:0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 15:02:33 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
  Zone name: 8.b.d.0.1.0.0.2.ip6.arpa
  Authoritative nameserver: 70master.testrelm.com.
  Administrator e-mail address: hostmaster.8.b.d.0.1.0.0.2.ip6.arpa.
  SOA serial: 1392840155
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 8.b.d.0.1.0.0.2.ip6.arpa PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Add test reverse zone (Expected 0, got 0)
  Record name: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
  PTR record: test.example.com.
:: [   PASS   ] :: Adding arbitrary record to the reverse zone (Expected 0, got 0)
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 86400	IN PTR test.example.com.
:: [   PASS   ] :: verify that digging the IP addr has expected PTR record (Expected 0, got 0)
Feb 19 15:02:34 70master named[26911]: zone 8.b.d.0.1.0.0.2.ip6.arpa/IN: loaded serial 1392840154
:: [   PASS   ] :: Make sure this zone in the automatic empty zones is loaded after added to IPA DNS (Expected 0, got 0)
-------------------------------------------
Deleted DNS zone "8.b.d.0.1.0.0.2.ip6.arpa"
-------------------------------------------
:: [   PASS   ] :: Delete test reverse zone (Expected 0, got 0)

Comment 11 Ludek Smid 2014-06-13 11:25:15 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.