ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly document the behaviour of the krb5-subdomain and ms-subdomain update policies. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were.
The krb5-subdomain and ms-subdomain update policy rule types permit updates from any client authenticated with a valid Kerberos or Windows machine principal from the REALM specified in the identity field, to modify records in the zone at or below the name specified in the name field. The incorrect documentation, however, indicated that the policy would be restricted to names at or below the machine's name as encoded in the Windows or Kerberos principal.
Created bind tracking bugs for this issue:
Affects: fedora-all [bug 1631132]
Created bind99 tracking bugs for this issue:
Affects: fedora-all [bug 1631133]
More details about what was reported upstream can be found in the following Debian bug report:
There, the reporter explains that the behavior of the krb5-subdomain and ms-subdomain update policies did not work as documented, and why they believed the problem to be in the implementation rather than the documentation. It's noted that what upstream considers to be the intended behavior of krb5-subdomain can already be implemented via subdomain, and that the principal processing done for krb5-subdomain suggests a different intention, as that processing is not needed to implement the behavior upstream considers as intended.
The upstream advisory:
provides information on why upstream believes the problem to only be a documentation bug, including the concerns regarding changing behavior in stable releases. Their decision was to not change the behavior, to update the documentation to match the behavior, and to add new policies krb5-selfsub and ms-selfsub implementing the previously documented behavior.
Upstream notes that the affected update policies were implemented some time before they got documented in the BIND 9 Administrator Reference Manual (BIND 9 ARM). The documentation was added as part of upstream change 3112:
According to the upstream CHANGES file, this change was first included in versions 9.7.4rc1, 9.8.1b1, and 9.9.0a1.
Documentation update changing the description of the policy behavior was applied upstream as change 5022:
These changes were included in upstream versions 9.11.4-P2, 9.12.2-P2, and 9.13.3.
This is how the documentation was changed:
This rule takes a Windows machine principal (machine$@REALM) for machine
in REALM and converts it to machine.realm allowing the machine to update
subdomains of machine.realm. The REALM to be matched is specified in the
This rule takes a Kerberos machine principal (host/machine@REALM) for
machine in REALM and converts it to machine.realm allowing the machine to
update subdomains of machine.realm. The REALM to be matched is specified
in the identity field. The name field should be set to "."
When a client sends an UPDATE using a Windows machine principal (for
example, 'machine$@REALM'), this rule allows any machine in the
specified realm to update any record in the zone or in a specified
subdomain of the zone.
The realm to be matched is specified in the identity field.
The name field specifies the subdomain that may be updated. If set to
"." (or any other name at or above the zone apex), any name in the zone
can be updated.
For example, if update-policy for the zone "example.com" includes grant
EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA, any machine with a
valid principal in the realm EXAMPLE.COM will be able to update address
records at or below "hosts.example.com".
This rule is identical to ms-subdomain, except that it works with
Kerberos machine principals (i.e., 'host/machine@REALM') rather than
Windows machine principals.
Upstream notes that the new policies krb5-selfsub and ms-selfsub are expected to be included in future versions 9.11.5 and 9.12.3. The relevant upstream change id is 5032 and the upstream issue and merge requests are:
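As an added illustration (not from the bug report, ISC, or Red Hat), the two update-policy forms side by side for a constructed zone example.com and realm EXAMPLE.COM, with GSS-TSIG authentication assumed to be configured already:

```conf
// Constructed named.conf fragment for zone "example.com".

zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        // What operators were led to expect from the pre-9.11.4-P2 /
        // 9.12.2-P2 ARM: each machine may only touch names under its own
        // name (machine.example.com). What this rule actually grants:
        // ANY principal in realm EXAMPLE.COM (host/x@EXAMPLE.COM or
        // x$@EXAMPLE.COM) may change A and AAAA records for any name at
        // or below hosts.example.com, including other machines' records.
        grant EXAMPLE.COM krb5-subdomain hosts.example.com. A AAAA;
        grant EXAMPLE.COM ms-subdomain   hosts.example.com. A AAAA;
    };
};

// The behavior the old text described is what the new selfsub rule
// types implement (upstream change 5032; per the report expected in
// 9.11.5 and 9.12.3, so named-checkconf on an older named will reject
// them). The principal host/machine@EXAMPLE.COM is mapped to
// machine.example.com and may update only that name and names below it;
// the name field is "." as the old krb5-subdomain text prescribed.
zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        grant EXAMPLE.COM krb5-selfsub . A AAAA;
        grant EXAMPLE.COM ms-selfsub   . A AAAA;
    };
};
```

On a server that only has the subdomain rule types, the effective blast radius of a compromised or rogue realm member is the whole subtree named in the name field, which is the gap between documented and actual behavior this report is about.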
The affected functionality is available in bind packages in Red Hat Enterprise Linux 5 and later (in the case of the bind package in Red Hat Enterprise Linux 5, it's only usable as of Red Hat Enterprise Linux 5.3, see bug 457932). However, the problematic documentation is only included in bind packages in Red Hat Enterprise Linux 6 and 7; there's no documentation for the functionality in the bind and bind97 packages in Red Hat Enterprise Linux 5.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2057 https://access.redhat.com/errata/RHSA-2019:2057
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):