Description of problem:
BZ 667729 allowed specifying query and transfer policy settings for a zone. However, this does not work when integrated into FreeIPA. After the FreeIPA DS schema was enhanced with new attributeTypes/objectClasses and a value was added to idnsAllowQuery/idnsAllowTransfer, the bind-dyndb-ldap plugin did not load any zone, with the following error in /var/log/messages:

Aug 25 10:13:15 vm-063 named[31447]: received SIGHUP signal to reload zones
Aug 25 10:13:15 vm-063 named[31447]: loading configuration from '/etc/named.conf'
Aug 25 10:13:15 vm-063 named[31447]: using default UDP/IPv4 port range: [1024, 65535]
Aug 25 10:13:15 vm-063 named[31447]: using default UDP/IPv6 port range: [1024, 65535]
>>> Aug 25 10:13:15 vm-063 named[31447]: no valid zones found
Aug 25 10:13:15 vm-063 named[31447]: none:0: open: /etc/rndc.key: file not found
Aug 25 10:13:15 vm-063 named[31447]: couldn't add command channel 127.0.0.1#953: file not found
Aug 25 10:13:15 vm-063 named[31447]: none:0: open: /etc/rndc.key: file not found
Aug 25 10:13:15 vm-063 named[31447]: couldn't add command channel ::1#953: file not found
Aug 25 10:13:15 vm-063 named[31447]: zone 78.16.10.in-addr.arpa/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone example.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone idm.lab.bos.redhat.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: reloading configuration succeeded
Aug 25 10:13:15 vm-063 named[31447]: reloading zones succeeded

If the idnsAllowQuery is cleared and the name server is reloaded, zones are resolvable again.

LDAPsearch for the relevant LDAP object:

# example.com, dns, idm.lab.bos.redhat.com
dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: vm-063.idm.lab.bos.redhat.com.
idnsSOAserial: 2011250801
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: example.com
idnsSOAmName: vm-063.idm.lab.bos.redhat.com.
idnsSOArName: root.example.com.
idnsAllowDynUpdate: FALSE
idnsAllowQuery: 127.0.0.1

Relevant attributes from the enhanced FreeIPA DS cn=schema:

attributeTypes: ( 2.16.840.1.113730.3.8.5.11 NAME 'idnsAllowQuery' DESC 'BIND9 allow-query ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v2 - bind-dyndb-ldap schema' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.12 NAME 'idnsAllowTransfer' DESC 'BIND9 allow-transfer ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v2 - bind-dyndb-ldap schema' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer ) X-ORIGIN 'IPA v2 - bind-dyndb-ldap schema' )

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-0.2.0-3.el6.x86_64

How reproducible:

Steps to Reproduce:
1. Install FreeIPA with the enhancement from the build I will provide
2. Configure FreeIPA with "ipa-server-install --setup-dns", which will configure FreeIPA with DNS support
3. Add a new zone with "ipa dnszone-add example.com"
4. Fill the idnsAllowQuery attribute with "ipa dnszone-mod --allow-query=127.0.0.1"
5. Reload the name server with "service named reload"
6. Check that example.com is resolvable

Actual results:
Zones are not loaded (see /var/log/messages), no zone defined by FreeIPA is resolvable

Expected results:
Every zone is resolvable, zone example.com is resolvable from localhost only

Additional info:
*** Bug 766233 has been marked as a duplicate of this bug. ***
During the implementation of this feature we also found that the bind-dyndb-ldap plugin does not accept a loopback address in the allow-query or allow-transfer ACL. Therefore, the IPA server framework rejects loopback addresses and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error. To verify this bug, please test with non-loopback addresses (like 10.0.0.1) and test that the ACL works correctly, i.e. when allow-query is set to for example "10.0.0.1;none;" it is really resolvable only from the machine with IP 10.0.0.1, etc.
(In reply to comment #8)
> During the implementation of this feature we also found that the
> bind-dyndb-ldap plugin does not accept loopback address in allow-query or
> allow-transfer ACL. Therefore, IPA server framework rejects loopback addresses
> and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

This should work, I've just tested it with the latest & greatest bind-dyndb-ldap-1.1.0-0.9.b1.fc16 (RHEL 6.3 package is the same). I have zone atkac.brq.redhat.com. which contains the following:

[atkac@ipa ~]$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com'
...
# atkac.brq.redhat.com, dns, atkac.brq.redhat.com
dn: idnsname=atkac.brq.redhat.com,cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com
idnsZoneActive: TRUE
...
idnsAllowQuery: 127.0.0.1;
...

and named behaves as expected (i.e. only queries from 127.0.0.1 are allowed).
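Comment #8 and the reply above turn on what a value like "10.0.0.1;none;" or "127.0.0.1;" in idnsAllowQuery means once named evaluates it. The following is an added example, not code from bind-dyndb-ldap, FreeIPA or this bug: it models BIND's address-match-list evaluation (elements separated by ';', checked in order, first match decides, '!' negates, no match means deny) so a defender can predict which clients a given attribute value admits before reloading the server. The 'localhost' keyword is simplified here to the loopback networks only, which is an assumption of this model; real BIND also matches every interface address of the host.

```python
"""Model of BIND address-match-list evaluation for idnsAllowQuery/idnsAllowTransfer.

Added example, not code from bind-dyndb-ldap or FreeIPA. It mirrors the BIND
semantics that an ACL stored in the LDAP attribute ends up with: elements are
separated by ';', evaluated in order, the first element matching the client
address decides, '!' negates an element, and a client matching no element is
denied. 'localhost' is simplified to loopback only (assumption of this model).
"""
import ipaddress

KEYWORDS = {
    "any": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
    "none": [],  # matches no address at all
    # Simplification: real BIND 'localhost' also covers every interface address.
    "localhost": [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")],
}


def parse_acl(acl: str):
    """Split an attribute value such as '10.0.0.1;none;' into (negated, networks) pairs.

    Accepts values with or without a trailing ';' (the LDIF in this bug shows
    both '127.0.0.1' and '127.0.0.1;'). Raises ValueError on an unknown element,
    which is the kind of input a validator in front of LDAP should reject.
    """
    elements = []
    for raw in acl.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        if token.lower() in KEYWORDS:
            elements.append((negated, KEYWORDS[token.lower()]))
        else:
            # A bare address is a single host; 'a.b.c.d/n' is a prefix.
            elements.append((negated, [ipaddress.ip_network(token, strict=False)]))
    return elements


def is_allowed(client: str, acl: str) -> bool:
    """Return True if 'client' would be permitted by the ACL string; first match wins."""
    addr = ipaddress.ip_address(client)
    for negated, networks in parse_acl(acl):
        if any(addr.version == net.version and addr in net for net in networks):
            return not negated
    return False  # no element matched: BIND denies by default


if __name__ == "__main__":
    # ACL values taken from this bug report; the client addresses are constructed for the demo.
    for acl in ("127.0.0.1;", "10.0.0.1;none;", "!10.0.1.1;10.0.0.0/8;"):
        for client in ("127.0.0.1", "10.0.0.1", "10.0.1.1"):
            verdict = "allow" if is_allowed(client, acl) else "deny"
            print(f"{acl:24s} {client:10s} -> {verdict}")
```

Running the block prints a verdict per (ACL, client) pair; "10.0.0.1;none;" admits only 10.0.0.1, matching the behaviour the verification run later in this bug checks with dig and nslookup.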
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=733371
:: [ PASS ] :: Running 'ipa dnszone-add example.com --name-server=dhcp-185-247.testrelm.com --admin-email=admin@example.com'
:: [ PASS ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.1.1'
:: [ PASS ] :: Running 'ipa dnszone-mod example.com --allow-query=10.16.185.247'
:: [ PASS ] :: Running 'service named reload'
:: [ PASS ] :: Running 'dig +short -t A foo.example.com | grep 10.0.1.1'
:: [ PASS ] :: Running 'ipa dnszone-mod example.com --allow-query=10.0.1.1'
:: [ PASS ] :: Running 'service named reload'
:: [ PASS ] :: Running 'nslookup foo.example.com | grep "server can't find foo.example.com"'
:: [ PASS ] :: Running 'ipa dnszone-del example.com'
:: [ LOG ] :: Duration: 27s
:: [ LOG ] :: Assertions: 9 good, 0 bad
:: [ PASS ] :: RESULT: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled

version :: ipa-server-2.2.0-11.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0837.html