Bug 414821 - ACLs broken in bind 9.5.0 a7/b1
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: bind
Version: 8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-06 15:36 EST by Jima
Modified: 2013-04-30 19:37 EDT
Fixed In Version: bind-devel-9.5.0-27.rc1.fc8
Doc Type: Bug Fix
Last Closed: 2008-06-18 07:31:21 EDT
Attachments: None
Description Jima 2007-12-06 15:36:24 EST
Description of problem:
TSIG-authenticated zone transfer is broken.

Version-Release number of selected component (if applicable):
9.5.0-18.a7.fc8
9.5.0-19.b1.fc8 (pulled from CVS and built in mock locally)

How reproducible:
Completely.

Steps to Reproduce:
1. Have pre-existing TSIG key based ACL from F7 or bind-9.5.0-16.a6.fc8
2. Upgrade to 9.5.0-18.a7.fc8 or 9.5.0-19.b1.fc8
  
Actual results:
"transfer of '<domain>/IN' from 192.168.0.1#53: failed while receiving
responses: REFUSED"

Expected results:
"zone <domain>/IN: transferred serial 2007120600: TSIG '<hostname>'"
(as is the case with 9.5.0-16.a6.fc8)

Additional info:
This works with 9.5.0-18.a7.fc8 as the slave, and 9.5.0-16.a6.fc8 the master.

I spent half an hour trying to figure out how I broke my TSIG-authenticated
transfers before it occurred to me that maybe it was a regression. :-)
Comment 1 Adam Tkac 2007-12-11 08:57:09 EST
Could you please check and possibly attach your configuration + log messages?
I'm not able to reproduce this between updated F8 and rawhide machines
(9.5.0-19.b1.fc8 as slave, 9.5.0-19.b1.fc9 as master):

slave:

key evileye-f8 {
        algorithm hmac-md5;
        secret r7pXj0wq4FK0ijnM05TQ5g==;
};

server 10.34.33.90 {
        keys evileye-f8;
};

zone "atkac.englab.brq.redhat.com" IN {
        type slave;
        file "slaves/atkac";
        allow-update { key evileye-f8; };
        masters { 10.34.33.90; };
};

master:
key evileye-f8 {
        algorithm hmac-md5;
        secret r7pXj0wq4FK0ijnM05TQ5g==;
};

server 10.34.33.80 {
        keys evileye-f8;
};

zone "atkac.englab.brq.redhat.com" IN {
        type master;
        file "atkac.englab.brq.redhat.com";
        allow-update { none; };
        allow-transfer { key evileye-f8; };
};

Comment 2 Jima 2007-12-11 10:26:59 EST
Wow, that's subtle.

It appears that I'm mistaken, there isn't a bug in the TSIG support.

There does, however, appear to be a bug in the ACL support. :-)

Try exporting the 'key evileye-f8;' to an ACL, and using the ACL in its place.

I tried this with 9.5.0-19.b1.fc8 from F8 updates-testing.  Referring directly
to a key in allow-transfer (as you did) was successful; abstracting it via an
ACL (which worked fine before) failed.  I've also verified that the ACL is
defined, as using a nonexistent ACL is evidently a fatal error.

I apologize for missing that in the first place.  I would have much sooner
expected TSIG to break than ACLs.

Thanks for your time, Adam!

(As a side note, didn't you get "option 'allow-update' is not allowed in 'slave'
zone 'atkac.englab.brq.redhat.com'"?  That option shouldn't be legal in that
context.)
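The two forms Jima compares in the comment above, side by side, as an added example; this is not configuration from the bug report or from the BIND project. The key name, secret and addresses are the ones posted in comment 1; the ACL name xfer-peers, the zone names and the file paths are assumed.

```conf
// Master side (10.34.33.90). Added example, not from the bug report.
// Key, secret and addresses reused from comment 1; acl name "xfer-peers",
// zone names and file paths are assumed.

key evileye-f8 {
        algorithm hmac-md5;
        secret r7pXj0wq4FK0ijnM05TQ5g==;
};

// Form A: the key referenced directly in allow-transfer.
// Reported to work on 9.5.0-19.b1.fc8.
zone "direct.example.net" IN {
        type master;
        file "direct.example.net";
        allow-update { none; };
        allow-transfer { key evileye-f8; };
};

// Form B: the same key, indirected through a named ACL.
// Reported to answer REFUSED on 9.5.0 a7/b1 and to work again on
// 9.5.0-27.rc1.fc8.
//
// Keep the ACL key-only. Elements of an address match list are OR'ed,
// so "acl xfer-peers { 10.34.33.0/24; key evileye-f8; };" would also
// admit unsigned transfer requests from that whole network.
acl xfer-peers { key evileye-f8; };

zone "acl.example.net" IN {
        type master;
        file "acl.example.net";
        allow-update { none; };
        allow-transfer { xfer-peers; };
};

// Slave side (10.34.33.80). Same key; the "server" statement makes
// named sign every request to the master with it. No allow-update here:
// as noted above, it is not valid in a slave zone and named warns on it.
server 10.34.33.90 {
        keys evileye-f8;
};

zone "acl.example.net" IN {
        type slave;
        file "slaves/acl.example.net";
        masters { 10.34.33.90; };
};
```

Run named-checkconf on both files before reloading: a reference to an ACL that is not defined is rejected at parse time, which is the check Jima used to rule out a typo, whereas allow-update in a slave zone is only a warning. To exercise the transfer by hand from the slave host, dig @10.34.33.90 -y hmac-md5:evileye-f8:r7pXj0wq4FK0ijnM05TQ5g== acl.example.net AXFR, then look for the "transferred serial ... TSIG 'evileye-f8'" line on the slave or the REFUSED line quoted under Actual results. The secret above was posted in comment 1 and is therefore public; generate real ones with tsig-keygen (or dnssec-keygen -a HMAC-SHA256 -n HOST on older releases) and prefer hmac-sha256 over hmac-md5 wherever the version supports it.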
Comment 3 Adam Tkac 2007-12-12 06:18:21 EST
(In reply to comment #2)

> I apologize for missing that in the first place.  I would have much sooner
> expected TSIG to break than ACLs.

Yes, BIND is sometimes unpredictable :)

> (As a side note, didn't you get "option 'allow-update' is not allowed in 'slave'
> zone 'atkac.englab.brq.redhat.com'"?  That option shouldn't be legal in that
> context.)

You're right that this should not work. I did a simple copy & paste between
master and slave, so I forgot to remove that statement from the slave zone. I've
reported both issues to upstream.
Comment 4 Jima 2007-12-12 13:04:56 EST
(In reply to comment #3)
> Yes, BIND is sometimes unpredictable :)

 As is a lot of software.

> You're right that this should not work. I did a simple copy & paste between
> master and slave, so I forgot to remove that statement from the slave zone. I've
> reported both issues to upstream.

 The latter is a non-fatal error (or a warning, rather).  I just happened to
notice it when I was reproducing your test case.

 I'm changing the summary on this bug to reflect what the actual problem was. 
Thanks for your help!
Comment 5 Adam Tkac 2008-06-18 07:31:21 EDT
I retested the problem with 9.5.0-27.rc1.fc8 (current F8 stable) and it works. It
seems that the problem was fixed somewhere between the 9.5.0b1 and 9.5.0b2 releases. Closing.
