Bug 163525 - AD DNS records break named startup zone check
Summary: AD DNS records break named startup zone check
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-07-18 16:05 UTC by James J. Moore
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-18 17:18:39 UTC
Type: ---
Embargoed:



Description James J. Moore 2005-07-18 16:05:04 UTC
Description of problem: 
 
   The 'named' daemon fails to start when MS AD records of the form 
'gc._msdcs.mydomain.com' have been added to a master forward zone file.  
During the run of the initscript, named-checkconf returns a non-zero error 
code when checking forward zones having MS Active Directory gc._msdcs 'A' 
records.  The named initscript does not give one the choice of passing up this 
name check, even if 'check-names ignore' is set in the named.conf file.  As a 
result, the initscript bails before attempting to start named.  
 
Version-Release number of selected component (if applicable): 
 
bind-9.3.1-6.FC4 
 
How reproducible: 
 
Always 
 
Steps to Reproduce: 
1.  Allow MS AD Domain Controller to add dynamic DNS records to zonefile 
mastered by BIND. 
2.  Restart BIND on the primary DNS server for that zone: /sbin/service named 
restart 
   
Actual results: 
 
Starting named: 
Error in named configuration: 
zone 0.0.127.in-addr.arpa/IN: loaded serial 2 
data/db.thebank:96: gc._msdcs.thebank.com: bad owner name (check-names) 
data/db.thebank:97: gc._msdcs.thebank.com: bad owner name (check-names) 
data/db.thebank:98: gc._msdcs.thebank.com: bad owner name (check-names) 
data/db.thebank:99: gc._msdcs.thebank.com: bad owner name (check-names) 
zone thebank.com/IN: loaded serial 19564 
data/db.ciassociates:27: gc._msdcs.ciassociates.com: bad owner name 
(check-names) 
zone ciassociates.com/IN: loaded serial 160 
zone thebanks.com/IN: loaded serial 4 
data/db.cnbpost:27: gc._msdcs.cnbpost.com: bad owner name (check-names) 
zone cnbpost.com/IN: loaded serial 23 
[ snipped ] 
                                                           [FAILED] 
 
 
Expected results: 
 
   BIND starts normally 
 
Additional info:

Comment 1 James J. Moore 2005-07-18 16:08:41 UTC
Never mind this one!  Turns out that an unrelated permissions error was really 
causing the server to crash.  Once that was eliminated, it started up fine. 

Comment 2 Jason Vas Dias 2005-07-18 17:18:39 UTC
Yes, to support DDNS updateable zones, you need to either locate the zone
files in the 'slaves/' subdirectory, or
  # chown named:named $ROOTDIR/var/named; chmod g+w $ROOTDIR/var/named
and, if SELinux is enabled in Enforcing mode:
  # setsebool named_write_master_zones 1
(see man named_selinux).

The error messages you see above are from the bind-9.3.1 "check-names" code -
perhaps because the files were not correctly updated because of the permissions
problem?
But bind-9.3.1 has new behaviour with name checking, that you can configure with
the named.conf 'options{... check-names ... }' option:
  check-names ( master | slave | response ) ( warn | fail | ignore );
(see the BIND9 Administrators Reference Manual:
file:///usr/share/doc/bind-9.3.1/arm/Bv9ARM.html).
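The following is an added example, not code from the bug report or from the bind package. It audits the two conditions Comment 2 gives for a DDNS-updatable master zone: a zone directory that the named group can write (the chown/chmod step), and, on an SELinux host, the named_write_master_zones boolean; it also reports whether named.conf carries any check-names directive, since without one BIND 9.3 treats bad owner names in master zones as fatal. The directory, group name and named.conf path are parameters supplied by the caller (pass $ROOTDIR-prefixed paths on a chrooted install); nothing in it is taken from the reporter's system.

```shell
#!/bin/bash
# Added example (not from the bug report or the bind package): audit a
# BIND master-zone setup for the DDNS prerequisites named in Comment 2.
# All paths and names are caller-supplied assumptions, not from the report.

# dir_group_writable DIR GROUP
# Returns 0 when DIR is owned by GROUP and has the group write bit set,
# i.e. the state produced by "chown named:named DIR; chmod g+w DIR".
# Returns 1 otherwise, 2 when DIR does not exist. Parses ls -ld rather
# than stat(1) so it behaves the same on GNU and BSD userlands.
dir_group_writable() {
    local dir=$1 group=$2
    [ -d "$dir" ] || return 2
    set -- $(ls -ld "$dir")            # $1 = mode string, $4 = group name
    local mode=$1 owner_group=$4
    [ "$owner_group" = "$group" ] || return 1
    case "$mode" in
        d????w*) return 0 ;;           # 6th character is the group write bit
        *)       return 1 ;;
    esac
}

# checknames_setting CONF
# Prints every check-names directive in CONF with comments, leading
# whitespace and the trailing ';' removed; returns 1 when none is present
# (BIND 9.3 then defaults to: master fail, slave warn, response ignore),
# 2 when CONF is unreadable. Only "//" and "#" line comments are handled.
checknames_setting() {
    local conf=$1 found=1 line
    [ -r "$conf" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%//*}              # drop trailing // comment
        line=${line%%#*}               # drop trailing # comment
        case "$line" in
            *check-names*)
                echo "$line" | sed 's/^[[:space:]]*//; s/;.*$//; s/[[:space:]]\{1,\}/ /g'
                found=0 ;;
        esac
    done < "$conf"
    return $found
}

# named_may_write_master_zones
# Returns 0 when SELinux tools are absent, the system is not Enforcing,
# or the named_write_master_zones boolean is on; 1 when Enforcing with
# the boolean off. getsebool prints "<name> --> on|off".
named_may_write_master_zones() {
    command -v getenforce >/dev/null 2>&1 || { echo "selinux: tools not installed"; return 0; }
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] || { echo "selinux: not enforcing"; return 0; }
    case "$(getsebool named_write_master_zones 2>/dev/null)" in
        *" on") echo "selinux: named_write_master_zones on"; return 0 ;;
        *)      echo "selinux: named_write_master_zones off; run: setsebool -P named_write_master_zones 1"
                return 1 ;;
    esac
}

# audit_bind ZONEDIR GROUP CONF
# Prints findings and returns the number of blocking problems found.
audit_bind() {
    local zonedir=$1 group=$2 conf=$3 problems=0
    if dir_group_writable "$zonedir" "$group"; then
        echo "zone dir: $zonedir writable by group $group"
    else
        echo "zone dir: $zonedir NOT writable by group $group; run: chown $group:$group $zonedir; chmod g+w $zonedir"
        problems=$((problems + 1))
    fi
    named_may_write_master_zones || problems=$((problems + 1))
    checknames_setting "$conf" || echo "check-names: not set in $conf (master zones default to 'fail')"
    return $problems
}

# Usage (assumed paths): audit_bind /var/named named /etc/named.conf
```

Run it as root on the primary for the zone; a non-zero return from audit_bind means named will still be unable to write journal and zone files for dynamic updates. The check-names line is advisory only: whether to set "check-names master ignore;" for a zone that carries Active Directory owner names such as gc._msdcs is a policy choice, and the script does not make it for you.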


