Bug 1215164 - Bind indicates an error on a proper SPF record
Summary: Bind indicates an error on a proper SPF record
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-24 13:22 UTC by Julian Brown
Modified: 2015-11-19 08:06 UTC

Fixed In Version: bind-9.9.4-23.el7
Doc Type: Bug Fix
Doc Text:
Cause: The version of BIND included in RHEL-7 contained a check for SPF records in zone files that did not conform to RFC 7208, section 3.1.
Consequence: If the zone file contained SPF records, the BIND server or the named-checkzone utility could issue a warning log message even though the SPF record was valid according to RFC 7208, section 3.1.
Fix: The check for SPF records in zone files was updated to conform to RFC 7208, section 3.1.
Result: If the zone file contains SPF records, the BIND server or the named-checkzone utility no longer issues a warning log message when the SPF record is valid according to RFC 7208, section 3.1.
Clone Of:
Environment:
Last Closed: 2015-11-19 08:06:46 UTC
Target Upstream Version:


Attachments
Patch for the issue (4.17 KB, patch)
2015-05-28 12:13 UTC, Tomáš Hozza
Patch for the issue (8.79 KB, patch)
2015-05-28 13:42 UTC, Tomáš Hozza


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2222 0 normal SHIPPED_LIVE bind bug fix update 2015-11-19 08:39:03 UTC

Description Julian Brown 2015-04-24 13:22:05 UTC
Description of problem:

According to RFC 7208, section 3.1 SPF records need to be TXT records and not RR SPF records as previously recommended.  When checking the syntax of a TXT RR SPF record an error message is displayed saying it should use RR SPF.

Version-Release number of selected component (if applicable):

EL/CentOS 7.1 Bind 9.9.4

How reproducible:

Using this zone file /var/named/cptest2.tld.db
----------------------------------------------
[root@fe80::f816:3eff:fefb:49bd%eth0 172.16.0.86 named]# cat cptest2.tld.db
; cPanel first:11.49.9999.115 (update_time):1429809767 11.49.9999.115: Cpanel::ZoneFile::VERSION:1.3 hostname:i-00002f3f.cpanel.nova latest:11.49.9999.115
; Zone file for cptest2.tld
$TTL 14400
@      86400    IN      SOA     ns1.cpanel.nova. julian.brown.cpanel.net. (
                2015042303      ; serial, todays date+todays
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400 )         ; minimum, seconds

cptest2.tld. 86400 IN NS ns1.cpanel.nova.
cptest2.tld. 86400 IN NS ns2.cpanel.nova.


cptest2.tld. IN A 10.6.27.120

cptest2.tld. IN MX 0 cptest2.tld.

mail IN CNAME cptest2.tld.
www IN CNAME cptest2.tld.
ftp IN A 10.6.27.120

cptest2.tld. IN TXT "v=spf1 +a +mx +ip4:10.6.27.120 ~all"
cpanel IN A 10.6.27.120
webdisk IN A 10.6.27.120
cpcalendars IN A 10.6.27.120
cpcontacts IN A 10.6.27.120
whm IN A 10.6.27.120
webmail IN A 10.6.27.120
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAna8Du0cGijhRQWLN1Eb0jqJZbggaSqmyyM2EEua3U8J9YWJ9nNMS08lSHGyQSpVPh8g/uJaHa1cMkXla5ZGGra5GhY+WbAd9m6W45ztcMnXMTBbmMtMu24LgdXWNj0Lkotl4ewCEn9UioQFxpIbNnn6qrhKMajsfygb5/Zzq1rF2NT+FjZRbXtkKGd6tgB03I" bnMlMrmuccNX8U3oVbAk0+hI+Y5eOErYK54iUPvysF9MJJWMV40H7woumNvx73jswA2iK+ZKPOGH9CNXbToqgTbJmRRoMpY0nwjCVsIhaCN9bZxrpF/LaoE/3qeccUAT1tIwEZJIj6ruC8Rx3ydwQIDAQAB\;
----------------------------------------------

Steps to Reproduce:
1. in /var/named
2. type: named-checkzone cptest2.tld cptest2.tld.db

Actual results:
---------------------------
[root@fe80::f816:3eff:fefb:49bd%eth0 172.16.0.86 named]# named-checkzone cptest2.tld cptest2.tld.db
zone cptest2.tld/IN: 'cptest2.tld' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
zone cptest2.tld/IN: loaded serial 2015042303
OK
---------------------------

Expected results:

Just OK

Additional info:

Probably updating to a newer Bind will correct this.
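
The RFC 7208 rule this report relies on, as an added example (not BIND's code and not part of the original report): a small zone lint that accepts a TXT-only SPF policy and flags type SPF records instead. It goes beyond section 3.1 by also flagging duplicate `v=spf1` TXT records (section 4.5); the sample zone, `lint_spf` and the finding labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample zone; simplified to one record per line with an explicit owner.
SAMPLE_ZONE = '''\
$TTL 14400
cptest2.tld. IN TXT "v=spf1 +a +mx +ip4:10.6.27.120 ~all"
legacy IN SPF "v=spf1 +mx ~all"
dup IN TXT "v=spf1 +a ~all"
dup IN TXT "v=spf1 +mx -all"
default._domainkey IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTED"
'''

# Matches: owner [ttl] [IN] TXT|SPF rdata
RR = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(TXT|SPF)\s+(.*)$', re.I)

def fqdn(owner, origin):
    """Resolve '@' and relative owner names against the zone origin."""
    origin = origin.rstrip(".").lower() + "."
    if owner == "@":
        return origin
    owner = owner.lower()
    return owner if owner.endswith(".") else owner + "." + origin

def is_spf(rdata):
    """True if the joined character-strings begin with the version 'v=spf1'."""
    text = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)).lower()
    return text == "v=spf1" or text.startswith("v=spf1 ")

def lint_spf(zone_text, origin):
    """Return (owner, finding) pairs; a TXT-only SPF policy yields none."""
    txt_count, type_spf = defaultdict(int), set()
    for line in zone_text.splitlines():
        m = RR.match(line)
        if not m or not is_spf(m.group(3)):
            continue
        owner = fqdn(m.group(1), origin)
        if m.group(2).upper() == "TXT":
            txt_count[owner] += 1
        else:
            type_spf.add(owner)
    findings = []
    for owner in sorted(set(txt_count) | type_spf):
        if owner in type_spf:
            findings.append((owner, "type-spf-obsolete"))   # RFC 7208 s3.1: TXT only
            if txt_count[owner] == 0:
                findings.append((owner, "no-txt-policy"))   # nothing for TXT lookups
        if txt_count[owner] > 1:
            findings.append((owner, "multiple-spf-txt"))    # RFC 7208 s4.5: permerror
    return findings
```

`lint_spf(SAMPLE_ZONE, "cptest2.tld")` reports nothing for `cptest2.tld.`, the owner whose TXT-only policy triggered the warning in this report.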

Comment 2 Tomáš Hozza 2015-05-28 09:33:16 UTC
(In reply to Julian Brown from comment #0)
> Description of problem:
> 
> According to RFC 7208, section 3.1 SPF records need to be TXT records and
> not RR SPF records as previously recommended.  When checking the syntax of a
> TXT RR SPF record an error message is displayed saying it should use RR SPF.

Yes, you are right, thank you for the report.

Comment 3 Tomáš Hozza 2015-05-28 12:13:03 UTC
Created attachment 1031257
Patch for the issue

Comment 5 Tomáš Hozza 2015-05-28 13:42:26 UTC
Created attachment 1031305
Patch for the issue

Added some ARM documentation changes.

Comment 9 Paulo Matos 2015-09-24 14:41:07 UTC
Hi Tomas,

I saw that you created a patch for this issue, but I don't understand how to apply that patch.

Please, can you explain how I do it?

Regards

Comment 10 Tomáš Hozza 2015-09-25 08:04:27 UTC
(In reply to Paulo Matos from comment #9)
> Hi Tomas,
> 
> I saw that you created a patch for this issue, but I don't understand how
> to apply that patch.
> 
> Please, can you explain how I do it?
> 
> Regards

I responded to your email.

Comment 12 errata-xmlrpc 2015-11-19 08:06:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2222.html

