Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
Summary: DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Adam Tkac
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 667729 701677 756082 767486
Reported: 2011-08-25 15:08 UTC by Martin Kosek
Modified: 2015-05-20 15:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 13:51:33 UTC
Target Upstream Version:
Embargoed:




Links
System ID                              | Private | Priority | Status       | Summary                                                          | Last Updated
Red Hat Bugzilla 667729                | 0       | low      | CLOSED       | Allow specifying query and transfer policy settings for a zone   | 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2012:0837  | 0       | normal   | SHIPPED_LIVE | bind-dyndb-ldap bug fix and enhancement update                   | 2012-06-19 20:49:06 UTC

Internal Links: 667729

Description Martin Kosek 2011-08-25 15:08:02 UTC
Description of problem:
BZ 667729 allowed specifying query and transfer policy settings for a zone. However, this does not work when integrated into FreeIPA. After the FreeIPA DS schema was enhanced with new attributeTypes/objectClasses and a value was added to idnsAllowQuery/idnsAllowTransfer, the bind-dyndb-ldap plugin did not load any zone, with the following error in /var/log/messages:

Aug 25 10:13:15 vm-063 named[31447]: received SIGHUP signal to reload zones
Aug 25 10:13:15 vm-063 named[31447]: loading configuration from '/etc/named.conf'
Aug 25 10:13:15 vm-063 named[31447]: using default UDP/IPv4 port range: [1024, 65535]
Aug 25 10:13:15 vm-063 named[31447]: using default UDP/IPv6 port range: [1024, 65535]

>>> Aug 25 10:13:15 vm-063 named[31447]: no valid zones found

Aug 25 10:13:15 vm-063 named[31447]: none:0: open: /etc/rndc.key: file not found
Aug 25 10:13:15 vm-063 named[31447]: couldn't add command channel 127.0.0.1#953: file not found
Aug 25 10:13:15 vm-063 named[31447]: none:0: open: /etc/rndc.key: file not found
Aug 25 10:13:15 vm-063 named[31447]: couldn't add command channel ::1#953: file not found
Aug 25 10:13:15 vm-063 named[31447]: zone 78.16.10.in-addr.arpa/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone example.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone idm.lab.bos.redhat.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: reloading configuration succeeded
Aug 25 10:13:15 vm-063 named[31447]: reloading zones succeeded

If the idnsAllowQuery is cleared and name server is reloaded, zones are resolvable again.

LDAPsearch for relevant LDAP object:

# example.com, dns, idm.lab.bos.redhat.com
dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: vm-063.idm.lab.bos.redhat.com.
idnsSOAserial: 2011250801
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: example.com
idnsSOAmName: vm-063.idm.lab.bos.redhat.com.
idnsSOArName: root.example.com.
idnsAllowDynUpdate: FALSE
idnsAllowQuery: 127.0.0.1

Relevant attributes from enhanced FreeIPA DS cn=schema:
attributeTypes: ( 2.16.840.1.113730.3.8.5.11 NAME 'idnsAllowQuery' DESC 'BIND9
  allow-query ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.26 X-ORIGIN ( 'IPA v2 - bind-dyndb-ldap schema' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.12 NAME 'idnsAllowTransfer' DESC 'BI
 ND9 allow-transfer ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.26 X-ORIGIN ( 'IPA v2 - bind-dyndb-ldap schema' 'user define
 d' ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' S
 UP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName 
 $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAmini
 mum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer ) X-ORIGIN 
 'IPA v2 - bind-dyndb-ldap schema' )


Version-Release number of selected component (if applicable):
bind-dyndb-ldap-0.2.0-3.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Install FreeIPA with the enhancement from the build I will provide
2. Configure FreeIPA with "ipa-server-install --setup-dns", which configures FreeIPA with DNS support
3. Add a new zone with "ipa dnszone-add example.com"
4. Fill the idnsAllowQuery attribute with "ipa dnszone-mod --allow-query=127.0.0.1"
5. Reload the name server with "service named reload"
6. Check that example.com is resolvable

Actual results:
Zones are not loaded (see /var/log/messages), no zone defined by FreeIPA is resolvable

Expected results:
Every zone is resolvable, zone example.com is resolvable from localhost only

Additional info:

Comment 5 Dmitri Pal 2011-12-11 19:03:27 UTC
*** Bug 766233 has been marked as a duplicate of this bug. ***
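
The log excerpt in the description shows why this failure is easy to miss in automation: named still prints "reloading zones succeeded" after it has dropped every zone, so a post-reload check that only looks for the success line passes. The following is an added example, not part of this bug report or of bind-dyndb-ldap, of a POSIX shell check that scans named's log lines for the real failure markers ("no valid zones found" and the per-zone "(master) removed" lines). The sample log text is constructed from the excerpt above, and the function names are my own.

```shell
#!/bin/sh
# Added example: detect the failure mode from this bug in named's reload log.

# Constructed sample, modelled on the /var/log/messages excerpt in the bug.
SAMPLE_LOG='Aug 25 10:13:15 vm-063 named[31447]: received SIGHUP signal to reload zones
Aug 25 10:13:15 vm-063 named[31447]: no valid zones found
Aug 25 10:13:15 vm-063 named[31447]: zone 78.16.10.in-addr.arpa/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: zone example.com/IN: (master) removed
Aug 25 10:13:15 vm-063 named[31447]: reloading configuration succeeded
Aug 25 10:13:15 vm-063 named[31447]: reloading zones succeeded'

# Constructed healthy reload for comparison.
HEALTHY_LOG='Aug 25 10:20:01 vm-063 named[31447]: received SIGHUP signal to reload zones
Aug 25 10:20:01 vm-063 named[31447]: reloading configuration succeeded
Aug 25 10:20:01 vm-063 named[31447]: reloading zones succeeded'

# removed_zones LOGTEXT
# Print the name of every zone named dropped during the reload, one per line.
removed_zones() {
    printf '%s\n' "$1" |
        sed -n 's|.*named\[[0-9]*\]: zone \([^/]*\)/IN: (master) removed$|\1|p'
}

# check_named_reload LOGTEXT
# Exit 0 when the reload kept its zones; exit 1 when the plugin found no
# valid zones or named removed zones.  "reloading zones succeeded" is
# deliberately ignored: named prints it even when every zone was dropped.
check_named_reload() {
    if printf '%s\n' "$1" | grep -q 'named\[[0-9]*\]: no valid zones found$'; then
        return 1
    fi
    dropped=$(removed_zones "$1" | grep -c . || true)
    [ "$dropped" -eq 0 ]
}

# Stand-alone run against the constructed failure log.
if check_named_reload "$SAMPLE_LOG"; then
    echo "reload OK"
else
    echo "reload dropped zones: $(removed_zones "$SAMPLE_LOG" | paste -sd, -)"
fi
```

On a live RHEL 6 host the same function can be pointed at the real log straight after the reload, for example `service named reload; check_named_reload "$(tail -n 200 /var/log/messages)"`, which turns the symptom in this bug into a non-zero exit status instead of a silent outage.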

Comment 8 Martin Kosek 2012-03-06 13:19:26 UTC
During the implementation of this feature we also found that the bind-dyndb-ldap plugin does not accept loopback address in allow-query or allow-transfer ACL. Therefore, IPA server framework rejects loopback addresses and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

To verify this bug, please test with non-loopback addresses (like 10.0.0.1) and test that the ACL works correctly, i.e. when allow-query is set to for example "10.0.0.1;none;" it is really resolvable only from the machine with IP 10.0.0.1, etc.

Comment 9 Adam Tkac 2012-03-08 14:30:47 UTC
(In reply to comment #8)
> During the implementation of this feature we also found that the
> bind-dyndb-ldap plugin does not accept loopback address in allow-query or
> allow-transfer ACL. Therefore, IPA server framework rejects loopback addresses
> and "ipa dnszone-mod --allow-query=127.0.0.1" will return a validation error.

This should work, I've just tested it with the latest & greatest bind-dyndb-ldap-1.1.0-0.9.b1.fc16 (RHEL 6.3 package is same).

I have zone atkac.brq.redhat.com. which contains following:

[atkac@ipa ~]$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com'
...
# atkac.brq.redhat.com, dns, atkac.brq.redhat.com
dn: idnsname=atkac.brq.redhat.com,cn=dns,dc=atkac,dc=brq,dc=redhat,dc=com
idnsZoneActive: TRUE
...
idnsAllowQuery: 127.0.0.1;
...

and named behaves as expected (i.e. only queries from 127.0.0.1 are allowed).

Comment 10 Jenny Severance 2012-04-24 18:54:21 UTC
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=733371
:: [   PASS   ] :: Running 'ipa dnszone-add example.com --name-server=dhcp-185-247.testrelm.com --admin-email=admin'
:: [   PASS   ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.1.1'
:: [   PASS   ] :: Running 'ipa dnszone-mod example.com --allow-query=10.16.185.247'
:: [   PASS   ] :: Running 'service named reload'
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.1.1'
:: [   PASS   ] :: Running 'ipa dnszone-mod example.com --allow-query=10.0.1.1'
:: [   PASS   ] :: Running 'service named reload'
:: [   PASS   ] :: Running 'nslookup foo.example.com | grep "server can't find foo.example.com"'
:: [   PASS   ] :: Running 'ipa dnszone-del example.com'
:: [   LOG    ] :: Duration: 27s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-dns-171 Bug 733371 - DNS zones are not loaded when idnsAllowQuery/idnsAllowTransfer is filled


version ::

ipa-server-2.2.0-11.el6.x86_64
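
Comment 8 reasons about what an ACL such as "10.0.0.1;none;" permits, and the test run in comment 10 checks it empirically by moving the client address in and out of the allow-query list. To make the expected outcome concrete before touching a server, here is an added example in Python, not code from bind-dyndb-ldap or FreeIPA, that evaluates a client address against an idnsAllowQuery/idnsAllowTransfer value using BIND's address_match_list rules: elements are tried in order, the first match decides, a leading "!" negates that element, and a client matching no element is denied. It assumes that "localhost" means the loopback networks (BIND actually uses all of the host's interface addresses), that "localnets" is out of scope, and that an absent attribute falls back to BIND's default allow-query of any; the function names are mine.

```python
import ipaddress

# Assumption: "localhost" approximated as the loopback networks only.
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


def parse_acl(value):
    """Split an address_match_list string such as '10.0.0.1;none;' into an
    ordered list of (negated, token).  The terminating ';' yields an empty
    element, which is dropped.  Raises ValueError on a bare '!'."""
    elements = []
    for raw in value.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:].strip()
            if not tok:
                raise ValueError("bare '!' in ACL %r" % value)
        elements.append((negated, tok.lower()))
    return elements


def element_matches(token, client):
    """True if a single ACL element covers the client address."""
    if token == "any":
        return True
    if token == "none":
        return False
    if token == "localhost":
        return any(client in net for net in LOOPBACK_NETS)
    # Anything else must be an address or prefix; ip_network() rejects junk
    # (including "localnets", which this example does not model).
    net = ipaddress.ip_network(token, strict=False)
    return client in net  # False when the address families differ


def acl_allows(value, client_ip):
    """True if named would accept a query/transfer from client_ip under this
    ACL value.  First matching element wins; a negated match denies; no match
    denies.  value=None models an unset attribute, i.e. BIND's default
    allow-query of 'any' (assumption: named.conf does not override it)."""
    client = ipaddress.ip_address(client_ip)
    if value is None:
        return True
    for negated, tok in parse_acl(value):
        if element_matches(tok, client):
            return not negated
    return False


if __name__ == "__main__":
    # Replay of the verification in comment 10 plus the ACL from comment 8
    # and one negated element, evaluated before anything is written to LDAP.
    checks = [
        ("10.16.185.247;", "10.16.185.247", True),      # dig from the allowed host
        ("10.0.1.1;", "10.16.185.247", False),          # same host after the ACL changed
        ("10.0.0.1;none;", "10.0.0.1", True),
        ("10.0.0.1;none;", "10.0.0.2", False),
        ("!10.0.0.5;10.0.0.0/24;", "10.0.0.5", False),  # negation wins because it comes first
    ]
    for acl, ip, expected in checks:
        got = acl_allows(acl, ip)
        print("%-26s client %-15s -> %s" % (acl, ip, "allow" if got else "deny"))
        assert got == expected
```

The order-sensitivity is the part worth internalising: "10.0.0.0/24;!10.0.0.5;" allows 10.0.0.5 because the prefix matches first, whereas "!10.0.0.5;10.0.0.0/24;" denies it, so an ACL copied into idnsAllowQuery should be checked element by element rather than read as a set.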

Comment 12 errata-xmlrpc 2012-06-20 13:51:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html

