Bug 751776 - Skip invalid record in a zone instead of refusing to load entire zone
Summary: Skip invalid record in a zone instead of refusing to load entire zone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Adam Tkac
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 750947 756082 767486
Reported: 2011-11-07 14:38 UTC by Martin Kosek
Modified: 2015-05-20 15:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 13:51:37 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0837 normal SHIPPED_LIVE bind-dyndb-ldap bug fix and enhancement update 2012-06-19 20:49:06 UTC

Description Martin Kosek 2011-11-07 14:38:13 UTC
Description of problem:
When bind-dyndb-ldap detects an invalid record in an LDAP DNS zone (e.g. a LOC record of example.com), it refuses to load the zone and serves neither the zone root records nor any records in the zone.

The consequences of refusing to serve an entire zone in a corporate environment are much worse than refusing to serve just the one record in this situation.

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
Install IPA server with DNS support (ipa-server-install --setup-dns), add a new DNS zone, add some records in it and then add an invalid record to the zone. I used an invalid KX record where the preference field is missing.

Steps to Reproduce:
1. ipa dnszone-add example.com
2. ipa dnsrecord-add example.com foo --a-rec=10.0.0.1
3. Wait a few seconds until the name server detects the new zone and try resolving foo.example.com
4. Add invalid KX record to zone: ipa dnsrecord-add example.com @ --kx-rec=foo.example.com
5. Wait a few seconds until the name server detects the zone change and try resolving foo.example.com again

Actual results:
foo.example.com is not resolvable any more because bind-dyndb-ldap found an invalid zone record.

Expected results:
bind-dyndb-ldap just prints an error about loading the KX record to /var/log/messages, ignores the KX record and loads the zone and all other records in it.
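The two loading policies contrasted in this report, as an added Python model that is not bind-dyndb-ldap code: a per-record validator for the kXRecord and aRecord attributes, and a zone loader that either aborts on the first invalid record (the reported behaviour) or logs and skips it so the rest of the zone still loads (the expected behaviour). The LDAP entries are constructed to mirror the reproducer above.

```python
import ipaddress
import logging

log = logging.getLogger("zone-loader")


class InvalidRecord(ValueError):
    """Raised when an LDAP attribute value is not valid rdata for its type."""


def parse_kx(rdata):
    # KX rdata is "<preference> <exchanger>" (RFC 2230); preference is a 16-bit int.
    # The reproducer stores "foo.example.com" with no preference, which fails here.
    parts = rdata.split()
    if len(parts) != 2 or not parts[0].isdigit() or int(parts[0]) > 65535:
        raise InvalidRecord(f"kXRecord {rdata!r}: expected '<0-65535> <exchanger>'")
    return ("KX", int(parts[0]), parts[1])


def parse_a(rdata):
    try:
        return ("A", str(ipaddress.IPv4Address(rdata)))
    except ipaddress.AddressValueError as e:
        raise InvalidRecord(f"aRecord {rdata!r}: {e}") from None


PARSERS = {"kXRecord": parse_kx, "aRecord": parse_a}  # attribute -> rdata parser


def load_zone(entries, skip_invalid=True):
    """entries: list of (owner name, {attribute: [values]}) as ldapsearch returns them.
    Returns {owner: [rdata tuples]}. With skip_invalid=False the first bad record
    aborts the whole zone (the bug); with True it is logged and dropped."""
    zone = {}
    for owner, attrs in entries:
        rrs = []
        for attr, values in attrs.items():
            parser = PARSERS.get(attr)
            if parser is None:
                continue  # idnsName, objectClass, SOA fields: not rdata handled here
            for value in values:
                try:
                    rrs.append(parser(value))
                except InvalidRecord as e:
                    if not skip_invalid:
                        raise
                    log.error("zone load: skipping invalid record at %s: %s", owner, e)
        zone[owner] = rrs
    return zone


# Constructed sample: apex with a KX record lacking its preference, foo with a valid A.
SAMPLE = [
    ("example.com", {"idnsName": ["example.com"], "kXRecord": ["foo.example.com"]}),
    ("foo.example.com", {"idnsName": ["foo"], "aRecord": ["10.0.0.1"]}),
]
```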

Comment 1 Adam Tkac 2011-11-24 15:31:41 UTC
This issue is already fixed in upstream:

http://git.fedorahosted.org/git?p=bind-dyndb-ldap.git;a=commit;h=32212551eb62dd9d1886fc63d7d813b9bcfc5bf9

Comment 5 Gowrishankar Rajaiyan 2012-03-07 19:50:28 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-dns-160: Bug 751776 - Skip invalid record in a zone instead of refusing to load entire zone
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

  Zone name: example.com
  Authoritative nameserver: qe-blade-08.testrelm.com.
  Administrator e-mail address: admin.example.com.
  SOA serial: 2012070301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Running 'ipa dnszone-add example.com --name-server=qe-blade-08.testrelm.com --admin-email=admin@example.com'
  Record name: foo
  A record: 10.0.0.1
:: [   PASS   ] :: Running 'ipa dnsrecord-add example.com foo --a-rec=10.0.0.1'
10.0.0.1
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
  Record name: example.com
  KX record: 1 foo.example.com
  NS record: qe-blade-08.testrelm.com.
:: [   PASS   ] :: Running 'ipa dnsrecord-add example.com @ --kx-rec="1 foo.example.com"'
SASL/GSSAPI authentication started
SASL username: admin@TESTRELM.COM
SASL SSF: 56
SASL data security layer installed.
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: qe-blade-08.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
idnsSOAserial: 2012070301
idnsName: example.com
idnsAllowDynUpdate: FALSE
idnsSOAmName: qe-blade-08.testrelm.com.
idnsSOArName: admin.example.com.
idnsAllowQuery: any;
kXRecord: 1 foo.example.com

dn: idnsname=foo,idnsname=example.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 10.0.0.1
idnsName: foo

:: [   PASS   ] :: Running 'ldapsearch -LLL -h localhost -Y GSSAPI -b idnsname=example.com,cn=dns,dc=testrelm,dc=com'
SASL/GSSAPI authentication started
SASL username: admin@TESTRELM.COM
SASL SSF: 56
SASL data security layer installed.
modifying entry "idnsname=example.com,cn=dns,dc=testrelm,dc=com"

SASL/GSSAPI authentication started
SASL username: admin@TESTRELM.COM
SASL SSF: 56
SASL data security layer installed.
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: qe-blade-08.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsSOArefresh: 3600
idnsSOAserial: 2012070301
idnsName: example.com
idnsAllowDynUpdate: FALSE
idnsSOAmName: qe-blade-08.testrelm.com.
idnsSOArName: admin.example.com.
idnsAllowQuery: any;
kXRecord: foo.example.com

dn: idnsname=foo,idnsname=example.com,cn=dns,dc=testrelm,dc=com
objectClass: top
objectClass: idnsrecord
aRecord: 10.0.0.1
idnsName: foo

:: [   PASS   ] :: Running 'ldapsearch -LLL -h localhost -Y GSSAPI -b idnsname=example.com,cn=dns,dc=testrelm,dc=com'
10.0.0.1
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
Stopping named: .[  OK  ]
Starting named: [  OK  ]
:: [   PASS   ] :: Running 'service named restart'
10.0.0.1
:: [   PASS   ] :: Running 'dig +short -t A foo.example.com | grep 10.0.0.1'
:: [08:30:04] ::  verifies https://bugzilla.redhat.com/show_bug.cgi?id=751776
:: [   PASS   ] :: Running 'ipa dnszone-del example.com'
Stopping named: .[  OK  ]
Starting named: [  OK  ]
:: [   PASS   ] :: Running 'service named restart'
'76698dc4-6de2-46fa-9c95-abc082d56a7e'
ipa-dns-160 result: PASS


Verified: ipa-server-2.2.0-3.el6.x86_64

Comment 7 errata-xmlrpc 2012-06-20 13:51:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html

