Bug 1215164 - Bind indicates an error on a proper SPF record
Summary: Bind indicates an error on a proper SPF record
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-04-24 13:22 UTC by Julian Brown
Modified: 2015-11-19 08:06 UTC

Fixed In Version: bind-9.9.4-23.el7
Doc Type: Bug Fix
Doc Text:
Cause: The version of BIND included in RHEL-7 contained a check for SPF records in zone files that was not conforming to RFC 7208, section 3.1.
Consequence: As a consequence, if the zone file contained SPF records, the BIND server or the named-checkzone utility could issue a warning log message even though the SPF record was valid based on RFC 7208, section 3.1.
Fix: The check for SPF records in zone files was updated to conform to RFC 7208, section 3.1.
Result: As a result, if the zone file contains SPF records, the BIND server or the named-checkzone utility will no longer issue a warning log message if the SPF record is valid based on RFC 7208, section 3.1.
Clone Of:
Environment:
Last Closed: 2015-11-19 08:06:46 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch for the issue (4.17 KB, patch), 2015-05-28 12:13 UTC, Tomáš Hozza
Patch for the issue (8.79 KB, patch), 2015-05-28 13:42 UTC, Tomáš Hozza


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2015:2222 | 0 | normal | SHIPPED_LIVE | bind bug fix update | 2015-11-19 08:39:03 UTC

Description Julian Brown 2015-04-24 13:22:05 UTC
Description of problem:

According to RFC 7208, section 3.1 SPF records need to be TXT records and not RR SPF records as previously recommended.  When checking the syntax of a TXT RR SPF record an error message is displayed saying it should use RR SPF.

Version-Release number of selected component (if applicable):

EL/CentOS 7.1 Bind 9.9.4

How reproducible:

Using this zone file /var/named/cptest2.tld.db
----------------------------------------------
[root@fe80::f816:3eff:fefb:49bd%eth0 172.16.0.86 named]# cat cptest2.tld.db
; cPanel first:11.49.9999.115 (update_time):1429809767 11.49.9999.115: Cpanel::ZoneFile::VERSION:1.3 hostname:i-00002f3f.cpanel.nova latest:11.49.9999.115
; Zone file for cptest2.tld
$TTL 14400
@      86400    IN      SOA     ns1.cpanel.nova. julian.brown.cpanel.net. (
                2015042303      ; serial, todays date+todays
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400 )         ; minimum, seconds

cptest2.tld. 86400 IN NS ns1.cpanel.nova.
cptest2.tld. 86400 IN NS ns2.cpanel.nova.


cptest2.tld. IN A 10.6.27.120

cptest2.tld. IN MX 0 cptest2.tld.

mail IN CNAME cptest2.tld.
www IN CNAME cptest2.tld.
ftp IN A 10.6.27.120

cptest2.tld. IN TXT "v=spf1 +a +mx +ip4:10.6.27.120 ~all"
cpanel IN A 10.6.27.120
webdisk IN A 10.6.27.120
cpcalendars IN A 10.6.27.120
cpcontacts IN A 10.6.27.120
whm IN A 10.6.27.120
webmail IN A 10.6.27.120
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAna8Du0cGijhRQWLN1Eb0jqJZbggaSqmyyM2EEua3U8J9YWJ9nNMS08lSHGyQSpVPh8g/uJaHa1cMkXla5ZGGra5GhY+WbAd9m6W45ztcMnXMTBbmMtMu24LgdXWNj0Lkotl4ewCEn9UioQFxpIbNnn6qrhKMajsfygb5/Zzq1rF2NT+FjZRbXtkKGd6tgB03I" bnMlMrmuccNX8U3oVbAk0+hI+Y5eOErYK54iUPvysF9MJJWMV40H7woumNvx73jswA2iK+ZKPOGH9CNXbToqgTbJmRRoMpY0nwjCVsIhaCN9bZxrpF/LaoE/3qeccUAT1tIwEZJIj6ruC8Rx3ydwQIDAQAB\;
----------------------------------------------

Steps to Reproduce:
1. in /var/named
2. type: named-checkzone cptest2.tld cptest2.tld.db

Actual results:
---------------------------
[root@fe80::f816:3eff:fefb:49bd%eth0 172.16.0.86 named]# named-checkzone cptest2.tld cptest2.tld.db
zone cptest2.tld/IN: 'cptest2.tld' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
zone cptest2.tld/IN: loaded serial 2015042303
OK
---------------------------

Expected results:

Just OK

Additional info:

Probably updating to a newer Bind will correct this.
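
The RFC 7208 rules behind this report, as an added example that is not part of the bug report and is not BIND's check or the attached patch: a zone lint that accepts an SPF policy published as TXT alone (section 3.1), and flags a policy that exists only as type SPF or more than one SPF TXT record at a name (section 3.2). The function names and all sample records except the first are constructed here, and the parser is simplified to single-line records with an explicit owner name.

```python
import re
from collections import defaultdict

# Constructed sample; only the first record is taken from the zone file in this report.
SAMPLE_ZONE = '''\
cptest2.tld. IN TXT "v=spf1 +a +mx +ip4:10.6.27.120 ~all"
legacy.cptest2.tld. IN SPF "v=spf1 +mx ~all"
dup.cptest2.tld. IN TXT "v=spf1 +a ~all"
dup.cptest2.tld. IN TXT "v=spf1 +mx -all"
split.cptest2.tld. 300 IN TXT "v=spf1 +ip4:10.6." "27.120 -all"
note.cptest2.tld. IN TXT "v=spf10 is not an SPF policy"
'''

# owner [ttl] [IN] TXT|SPF rdata  (simplified: one record per line, owner present)
RECORD = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(TXT|SPF)\s+(.*)$', re.I)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_records(zone_text):
    """Yield (owner, rrtype, text); character-strings are joined without
    added spaces, as RFC 7208 section 3.3 requires."""
    for line in zone_text.splitlines():
        m = RECORD.match(line)
        if m:
            owner, rrtype, rdata = m.groups()
            yield owner.lower(), rrtype.upper(), "".join(QUOTED.findall(rdata))

def is_spf(text):
    """An SPF record is exactly 'v=spf1' or starts with 'v=spf1 '."""
    t = text.lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")

def check_spf(zone_text):
    """Return {owner: finding}; owners with exactly one SPF TXT record pass."""
    txt, legacy = defaultdict(list), defaultdict(list)
    for owner, rrtype, text in parse_records(zone_text):
        if is_spf(text):
            (txt if rrtype == "TXT" else legacy)[owner].append(text)
    findings = {}
    for owner in sorted(set(txt) | set(legacy)):
        if len(txt[owner]) > 1:
            findings[owner] = "multiple SPF TXT records (RFC 7208 section 3.2)"
        elif not txt[owner]:
            findings[owner] = "policy only in type SPF, publish as TXT (RFC 7208 section 3.1)"
    return findings

if __name__ == "__main__":
    for owner, finding in check_spf(SAMPLE_ZONE).items():
        print(f"{owner}: {finding}")
```
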

Comment 2 Tomáš Hozza 2015-05-28 09:33:16 UTC
(In reply to Julian Brown from comment #0)
> Description of problem:
> 
> According to RFC 7208, section 3.1 SPF records need to be TXT records and
> not RR SPF records as previously recommended.  When checking the syntax of a
> TXT RR SPF record an error message is displayed saying it should use RR SPF.

Yes, you are right, thank you for the report.

Comment 3 Tomáš Hozza 2015-05-28 12:13:03 UTC
Created attachment 1031257
Patch for the issue

Comment 5 Tomáš Hozza 2015-05-28 13:42:26 UTC
Created attachment 1031305
Patch for the issue

Added some ARM documentation changes.

Comment 9 Paulo Matos 2015-09-24 14:41:07 UTC
Hi Tomas,

I saw that you created a patch for this issue, but I don't understand how to apply that patch.

Please, can you explain how I do it?

Regards

Comment 10 Tomáš Hozza 2015-09-25 08:04:27 UTC
(In reply to Paulo Matos from comment #9)
> Hi Tomas,
> 
> I saw that you created a patch for this issue, but I don't understand how
> to apply that patch.
> 
> Please, can you explain how I do it?
> 
> Regards

I responded to your email.

Comment 12 errata-xmlrpc 2015-11-19 08:06:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2222.html

