RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 829388 - Zone transfers fail for certain non-FQDNs
Summary: Zone transfers fail for certain non-FQDNs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Adam Tkac
QA Contact: Namita Soman
URL:
Whiteboard:
: 885138 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-06 15:12 UTC by Dmitri Pal
Modified: 2018-11-30 19:37 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The bug in bind-dyndb-ldap caused that some relative domain names weren't expanded correctly to FQDNs. Consequence: Zone transfer could contain relative domain names although it should contain only FQDNs (for example contained "name." record instead of "name.example.com.") Fix: The plugin was patched Result: Zone transfers now contain correct domain names.
Clone Of:
Environment:
Last Closed: 2013-02-21 08:58:05 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0359 0 normal SHIPPED_LIVE bind-dyndb-ldap bug fix and enhancement update 2013-02-20 20:53:11 UTC

Description Dmitri Pal 2012-06-06 15:12:42 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/47

Consider following record in LDAP:

idnsName=cname,idnsName=example.com,dc=example,dc=com cNAMERecord: name

During zone transfer master server sends following record:

cname.example.com. 86400 IN CNAME name.

instead of
cname.example.com. 86400 IN CNAME name
or
cname.example.com. 86400 IN CNAME name.example.com.
Comment 1 RHEL Program Management 2012-07-10 08:51:04 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Program Management 2012-07-10 23:06:41 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 3 Jenny Severance 2012-07-13 14:30:05 UTC 
please add steps to reproduce and verify with ipa
Comment 4 Petr Spacek 2012-07-16 07:17:50 UTC 
Necessary information is part of bug desciption: https://bugzilla.redhat.com/show_bug.cgi?id=829388#c0

What exactly you want to add?
Comment 6 Michael Gregg 2012-09-05 02:02:52 UTC 
How do you reproduce this? 

Would a LDAP entry specifically need to be added? Can one of these entries be added via ipa tools?

Are multiple servers going to be needed to test this?

The test would be done by running a dig against a second server to a dns name?
Comment 7 Petr Spacek 2012-09-05 07:07:14 UTC 
(In reply to comment #6)
> How do you reproduce this? 
> 
> Would a LDAP entry specifically need to be added? Can one of these entries
> be added via ipa tools?
> 

Bug description contains LDIF snippet with record which triggers the failure.
(dn) idnsName=cname,idnsName=example.com,dc=example,dc=com
(attribute) cNAMERecord: name

You can add similar record with IPA command (zone is "lab.example"):
$ ipa dnsrecord-add lab.example cname-rec --cname-rec=cname-target

> Are multiple servers going to be needed to test this?
No.

> The test would be done by running a dig against a second server to a dns
> name?
You can dig from the same server as IPA master is.
$ dig -t AXFR @127.0.0.1 lab.example

In my case it prints (correct output):
lab.example.		86400	IN	SOA	vm-148.lab.example. hostmaster.lab.example. 1346827541 1 1 1209600 1
lab.example.		86400	IN	NS	vm-148.lab.example.
vm-148.lab.example.	86400	IN	A	192.168.10.148
cname-rec.lab.example.	86400	IN	CNAME	cname-target.lab.example.
lab.example.		86400	IN	SOA	vm-148.lab.example. hostmaster.lab.example. 1346827541 1 1 1209600 1

Don't forget to allow zone transfers from test zone. For test purposes you can use:
$ ipa dnszone-mod lab.example --allow-transfer="any;"
Comment 8 Petr Spacek 2012-09-05 08:44:07 UTC 
Some details are in FreeIPA Fedora test day page: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
Comment 11 Namita Soman 2012-11-16 19:56:55 UTC 
Verified using:
ipa-server-3.0.0-8.el6.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Bug 829388 - Zone transfers fail for certain non-FQDNs
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [13:40:27] ::  kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
  Zone name: testrelm.com
  Authoritative nameserver: ipaqavmh.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1353091222
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: any;
:: [   PASS   ] :: Enable DNS zone transfers
  Record name: bz829388
  CNAME record: bz829388
:: [   PASS   ] :: Add a dns record to test zone transfers with
bz829388.testrelm.com.	86400	IN	CNAME	bz829388.testrelm.com.
:: [   PASS   ] :: Ensure that bz829388.testrelm.com is in the list of AXFR records as a FQDN BZ 829388
-------------------------
Deleted record "bz829388"
-------------------------
:: [   PASS   ] :: Cleanup added DNS record.
'830c765e-f572-46ba-b30d-66f64f67f990'
Bug-829388-Zone-transfers-fail-for-certain-non-FQDNs result: PASS
   metric: 0
   Log: /tmp/beakerlib-9193278/journal.txt
    Info: Searching AVC errors produced since 1353091225.32 (Fri Nov 16 13:40:25 2012)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.zW6ING
:
   AvcLog: /mnt/testarea/tmp.zW6ING
Comment 12 Petr Spacek 2012-12-07 15:29:45 UTC 
*** Bug 885138 has been marked as a duplicate of this bug. ***
Comment 14 errata-xmlrpc 2013-02-21 08:58:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0359.html
Note You need to log in before you can comment on or make changes to this bug.