Bug 392491 - view address match list isn't working properly
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-20 14:50 UTC by Jonathan Kamens
Modified: 2013-04-30 23:37 UTC (History)

Fixed In Version: 9.5.0-20.b1.fc8
Doc Type: Bug Fix
Last Closed: 2007-12-20 15:24:36 UTC
Type: ---


Attachments
named configuration file (2.96 KB, text/plain)
2007-11-26 10:27 UTC, Jonathan Kamens
named.run file showing errors at the bottom about no matching view (15.86 KB, text/plain)
2007-11-26 10:28 UTC, Jonathan Kamens

Description Jonathan Kamens 2007-11-20 14:50:18 UTC
With this in one of my views in named.conf:

	match-clients { !192.168.0.0/24; !66.92.74.180; !127.0.0.0/24; any; };

queries from 192.168.3.2 are rejected:

	client 192.168.3.2#1061: no matching view in class 'IN'

If I remove the !192.168.0.0/24; the problem goes away.  I hope it's obvious
that 192.168.3.2 is not in the CIDR block "192.168.0.0/24" :-).  This broke when
I upgraded to bind-9.5.0-17.a7.fc9.

I'm marking this urgent because I imagine that if address match lists aren't
working here, they're probably not working elsewhere as well, and this is a
security issue.

  jik
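
The first-match evaluation the report relies on, as an added example (not part of the original report and not BIND's code): a small evaluator for flat address match lists, run against the reported `match-clients` line. The view names and the internal view's list are constructed assumptions; nested lists and named ACLs are not handled.

```python
import ipaddress

def parse_match_list(text):
    """Parse a flat address match list into ordered (negated, network) pairs.
    network is None for the built-in 'any'; 'none' is stored as a negated 'any'."""
    body = text[text.index("{") + 1 : text.rindex("}")]
    elements = []
    for token in (t.strip() for t in body.split(";")):
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        if token == "none":
            negated, token = not negated, "any"
        net = None if token == "any" else ipaddress.ip_network(token)
        elements.append((negated, net))
    return elements

def accepts(client, elements):
    """First matching element decides: a negated match rejects, no match rejects."""
    addr = ipaddress.ip_address(client)
    for negated, net in elements:
        if net is None or (addr.version == net.version and addr in net):
            return not negated
    return False

def select_view(client, views):
    """Views are tried in definition order; None corresponds to the
    'no matching view' log line."""
    for name, elements in views:
        if accepts(client, elements):
            return name
    return None

# The match-clients line from the report, verbatim.
REPORTED = parse_match_list(
    "match-clients { !192.168.0.0/24; !66.92.74.180; !127.0.0.0/24; any; };")

# Constructed two-view layout (view names and the internal list are assumptions;
# the reporter's attached named.conf is not reproduced on this page).
VIEWS = [
    ("internal", parse_match_list("{ 192.168.0.0/24; 66.92.74.180; 127.0.0.0/24; };")),
    ("external", REPORTED),
]

if __name__ == "__main__":
    for client in ("192.168.3.2", "192.168.0.7", "66.92.74.180", "127.0.0.1"):
        print(client, accepts(client, REPORTED), select_view(client, VIEWS))
```

Running the same client addresses against a new named build and comparing the chosen view with this output gives a quick regression check after an upgrade.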

Comment 1 Adam Tkac 2007-11-20 18:18:55 UTC
I tried to reproduce this issue but I wasn't successful. Could you please attach
configuration files and log?

Thanks, Adam

Comment 2 Jonathan Kamens 2007-11-26 10:27:35 UTC
Created attachment 268751
named configuration file

Comment 3 Jonathan Kamens 2007-11-26 10:28:01 UTC
Created attachment 268761
named.run file showing errors at the bottom about no matching view

Comment 4 Adam Tkac 2007-11-28 17:40:38 UTC
Upstream doesn't think this is a security issue. They fixed it today in CVS and I
will wait for 9.5.0b1. You should have only the any; acl in the external view (please see the
example at http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#view_statement_grammar).

Thanks for your report

Comment 5 Fedora Update System 2007-12-07 21:30:13 UTC
bind-9.5.0-19.b1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with:

	su -c 'yum --enablerepo=updates-testing update bind'

Comment 6 Fedora Update System 2007-12-20 19:49:11 UTC
bind-9.5.0-20.b1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

