Description of problem:
When bind-dyndb-ldap detects an invalid record in an LDAP DNS zone (e.g. a LOC record of example.com), it refuses to load the zone and serves neither the zone root records nor any records in the zone. The consequences of refusing to serve an entire zone in a corporate environment are much worse than refusing to serve just the one record in this situation.

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
Install IPA server with DNS support (ipa-server-install --setup-dns), add a new DNS zone, add some records in it and then add an invalid record to the zone. I used an invalid KX record where the preference field is missing.

Steps to Reproduce:
1. ipa dnszone-add example.com
2. ipa dnsrecord-add example.com foo --a-rec=10.0.0.1
3. Wait a few seconds until the name server detects the new zone and try resolving foo.example.com
4. Add an invalid KX record to the zone: ipa dnsrecord-add example.com @ --kx-rec=foo.example.com
5. Wait a few seconds until the name server detects the zone change and try resolving foo.example.com again

Actual results:
foo.example.com is not resolvable any more because bind-dyndb-ldap found an invalid zone record.

Expected results:
bind-dyndb-ldap just prints an error about loading the KX record to /var/log/messages, ignores the KX record and loads the zone and all records in it.
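The failure mode described in this report, as an added illustration that is not bind-dyndb-ldap code: a toy zone loader fed LDAP-style entries (constructed to mirror the ldapsearch output later in this bug, with a KX record at the apex whose preference field is missing) and run in both modes, refusing the whole zone on one bad record versus logging and skipping just that record. The record parsers, entry layout and the resolve_a helper are assumptions made for the example; the real plugin's loader and its error handling are not reproduced here.

```python
"""Added example, not bind-dyndb-ldap's own code: compare 'refuse whole
zone' against 'skip the bad record' when one LDAP DNS record is invalid."""
import logging

log = logging.getLogger("zoneload")


class RecordError(ValueError):
    """Raised when an attribute value is not valid rdata for its type."""


def parse_kx(value):
    # KX rdata is "<preference> <exchanger>" (RFC 2230); preference is 0..65535.
    parts = value.split()
    if len(parts) != 2:
        raise RecordError(f"KX record {value!r}: expected '<preference> <exchanger>'")
    pref, exchanger = parts
    if not pref.isdigit() or not 0 <= int(pref) <= 65535:
        raise RecordError(f"KX record {value!r}: bad preference {pref!r}")
    return ("KX", int(pref), exchanger)


def parse_a(value):
    # A rdata must be a dotted quad of four octets in 0..255.
    octets = value.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise RecordError(f"A record {value!r} is not a dotted quad")
    return ("A", value)


# Hypothetical attribute-to-parser map; only the two types used below.
PARSERS = {"aRecord": parse_a, "kXRecord": parse_kx}


def load_zone(entries, skip_invalid):
    """Build {owner: [rr, ...]} from LDAP entries.

    skip_invalid=False models the reported behaviour: the first invalid
    record aborts the load and the whole zone is unavailable (None).
    skip_invalid=True models the expected behaviour: log the error, drop
    that one record, and keep serving everything else.
    """
    zone = {}
    for entry in entries:
        owner = entry["idnsName"]
        for attr, parser in PARSERS.items():
            for value in entry.get(attr, []):
                try:
                    rr = parser(value)
                except RecordError as err:
                    log.error("zone load: %s: %s", owner, err)
                    if skip_invalid:
                        continue
                    return None  # refuse the entire zone
                zone.setdefault(owner, []).append(rr)
    return zone


# Constructed entries modelled on the bug's ldapsearch output: the apex
# carries a KX record without its preference field (the invalid one).
ENTRIES = [
    {"idnsName": "example.com", "kXRecord": ["foo.example.com"]},
    {"idnsName": "foo", "aRecord": ["10.0.0.1"]},
]


def resolve_a(zone, owner):
    """Addresses the toy server would answer for an A query on `owner`."""
    if zone is None:
        return []  # zone refused: nothing in it is answerable
    return [rr[1] for rr in zone.get(owner, []) if rr[0] == "A"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("refuse zone:", resolve_a(load_zone(ENTRIES, skip_invalid=False), "foo"))
    print("skip record:", resolve_a(load_zone(ENTRIES, skip_invalid=True), "foo"))
```

With skip_invalid=False the valid foo A record disappears along with the bad KX record, which is the outage the report describes; with skip_invalid=True it is still answered and only the KX record is dropped. The logged error is the only trace of the dropped record, so whichever mode a loader uses, those log lines deserve an alert rather than being left to scroll past in /var/log/messages.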
This issue is already fixed in upstream: http://git.fedorahosted.org/git?p=bind-dyndb-ldap.git;a=commit;h=32212551eb62dd9d1886fc63d7d813b9bcfc5bf9
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: ipa-dns-160: Bug 751776 - Skip invalid record in a zone instead of refusing to load entire zone
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
  Zone name: example.com
  Authoritative nameserver: qe-blade-08.testrelm.com.
  Administrator e-mail address: admin.example.com.
  SOA serial: 2012070301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
:: [ PASS ] :: Running 'ipa dnszone-add example.com --name-server=qe-blade-08.testrelm.com --admin-email=admin'
  Record name: foo
  A record: 10.0.0.1
:: [ PASS ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.0.1'
10.0.0.1
:: [ PASS ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
  Record name: example.com
  KX record: 1 foo.example.com
  NS record: qe-blade-08.testrelm.com.
:: [ PASS ] :: Running 'ipa dnsrecord-add example.com @ --kx-rec="1 foo.example.com"'
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: qe-blade-08.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
idnsSOAserial: 2012070301
idnsName: example.com
idnsAllowDynUpdate: FALSE
idnsSOAmName: qe-blade-08.testrelm.com.
idnsSOArName: admin.example.com.
idnsAllowQuery: any;
kXRecord: 1 foo.example.com

dn: idnsname=foo,idnsname=example.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 10.0.0.1
idnsName: foo

:: [ PASS ] :: Running 'ldapsearch -LLL -h localhost -Y GSSAPI -b idnsname=example.com,cn=dns,dc=testrelm,dc=com'
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
modifying entry "idnsname=example.com,cn=dns,dc=testrelm,dc=com"

SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: qe-blade-08.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
idnsSOAserial: 2012070301
idnsName: example.com
idnsAllowDynUpdate: FALSE
idnsSOAmName: qe-blade-08.testrelm.com.
idnsSOArName: admin.example.com.
idnsAllowQuery: any;
kXRecord: foo.example.com

dn: idnsname=foo,idnsname=example.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 10.0.0.1
idnsName: foo

:: [ PASS ] :: Running 'ldapsearch -LLL -h localhost -Y GSSAPI -b idnsname=example.com,cn=dns,dc=testrelm,dc=com'
10.0.0.1
:: [ PASS ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
Stopping named: .[ OK ]
Starting named: [ OK ]
:: [ PASS ] :: Running 'service named restart'
10.0.0.1
:: [ PASS ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
:: [08:30:04] :: verifies https://bugzilla.redhat.com/show_bug.cgi?id=751776
:: [ PASS ] :: Running 'ipa dnszone-del example.com'
Stopping named: .[ OK ]
Starting named: [ OK ]
:: [ PASS ] :: Running 'service named restart'
'76698dc4-6de2-46fa-9c95-abc082d56a7e' ipa-dns-160 result: PASS

Verified: ipa-server-2.2.0-3.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0837.html