RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 751776 - Skip invalid record in a zone instead of refusing to load entire zone
Summary: Skip invalid record in a zone instead of refusing to load entire zone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Adam Tkac
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 750947 756082 767486
TreeView+ depends on / blocked
 
Reported: 2011-11-07 14:38 UTC by Martin Kosek
Modified: 2015-05-20 15:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 13:51:37 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0837 0 normal SHIPPED_LIVE bind-dyndb-ldap bug fix and enhancement update 2012-06-19 20:49:06 UTC

Description Martin Kosek 2011-11-07 14:38:13 UTC 
Description of problem:
When bind-dyndb-ldap detects an invalid record in a LDAP DNS zone (e.g. a LOC record of example.com), it refuses to load the zone and serves neither the zone root records nor any records in the zone.

The consequences of refusing to serve an entire zone in a corporate environment are much worse that refusing to serve just the one record in this situation.

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
Install IPA server with DNS support (ipa-server-install --setup-dns), add a new DNS zone, add some records in it and then add an invalid record to the zone. I used invalid KX record where preference field is missing.

Steps to Reproduce:
1. ipa dnszone-add example.com
2. ipa dnsrecord-add example.com foo --a-rec=10.0.0.1
3. Wait few seconds until name server detects a new zone and try resolving foo.example.com
4. Add invalid KX record to zone: ipa dnsrecord-add example.com @ --kx-rec=foo.example.com
5. Wait few seconds until name server detects a zone change and try resolving foo.example.com again

  
Actual results:
foo.example.com is not resolvable any more because bind-dyndb-ldap found an invalid zone record.

Expected results:
bind-dyndb-ldap just prints an error loading KX record to /var/log/messages, ignores the KX record and loads the zone and all records in it.
Comment 1 Adam Tkac 2011-11-24 15:31:41 UTC 
This issue is already fixed in upstream:

http://git.fedorahosted.org/git?p=bind-dyndb-ldap.git;a=commit;h=32212551eb62dd9d1886fc63d7d813b9bcfc5bf9
Comment 5 Gowrishankar Rajaiyan 2012-03-07 19:50:28 UTC 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-dns-160: Bug 751776 - Skip invalid record in a zone instead of refusing to load entire zone
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

  Zone name: example.com
  Authoritative nameserver: qe-blade-08.testrelm.com.
  Administrator e-mail address: admin.example.com.
  SOA serial: 2012070301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Running 'ipa dnszone-add example.com --name-server=qe-blade-08.testrelm.com --admin-email=admin'
  Record name: foo
  A record: 10.0.0.1
:: [   PASS   ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.0.1'
10.0.0.1
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
  Record name: example.com
  KX record: 1 foo.example.com
  NS record: qe-blade-08.testrelm.com.
:: [   PASS   ] :: Running 'ipa dnsrecord-add example.com @ --kx-rec="1 foo.example.com"'
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: qe-blade-08.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
idnsSOAserial: 2012070301
idnsName: example.com
idnsAllowDynUpdate: FALSE
idnsSOAmName: qe-blade-08.testrelm.com.
idnsSOArName: admin.example.com.
idnsAllowQuery: any;
kXRecord: 1 foo.example.com

dn: idnsname=foo,idnsname=example.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 10.0.0.1
idnsName: foo

:: [   PASS   ] :: Running 'ldapsearch -LLL -h localhost -Y GSSAPI -b idnsname=example.com,cn=dns,dc=testrelm,dc=com'
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
modifying entry "idnsname=example.com,cn=dns,dc=testrelm,dc=com"

SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: qe-blade-08.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
idnsSOAserial: 2012070301
idnsName: example.com
idnsAllowDynUpdate: FALSE
idnsSOAmName: qe-blade-08.testrelm.com.
idnsSOArName: admin.example.com.
idnsAllowQuery: any;
kXRecord: foo.example.com

dn: idnsname=foo,idnsname=example.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 10.0.0.1
idnsName: foo

:: [   PASS   ] :: Running 'ldapsearch -LLL -h localhost -Y GSSAPI -b idnsname=example.com,cn=dns,dc=testrelm,dc=com'
10.0.0.1
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
Stopping named: .[  OK  ]
Starting named: [  OK  ]
:: [   PASS   ] :: Running 'service named restart'
10.0.0.1
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
:: [08:30:04] ::  verifies https://bugzilla.redhat.com/show_bug.cgi?id=751776
:: [   PASS   ] :: Running 'ipa dnszone-del example.com'
Stopping named: .[  OK  ]
Starting named: [  OK  ]
:: [   PASS   ] :: Running 'service named restart'
'76698dc4-6de2-46fa-9c95-abc082d56a7e'
ipa-dns-160 result: PASS


Verified: ipa-server-2.2.0-3.el6.x86_64
Comment 7 errata-xmlrpc 2012-06-20 13:51:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html
Note You need to log in before you can comment on or make changes to this bug.