Bug 912743 - Invalid update policy can crash BIND with bind-dyndb-ldap
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: pre-dev-freeze
Target Release: 7.0
Assignee: Petr Spacek
QA Contact: IDM QE LIST
Reported: 2013-02-19 15:01 UTC by Petr Spacek
Modified: 2014-06-13 10:48 UTC

Fixed In Version: bind-dyndb-ldap-3.5-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:48:08 UTC

Description Petr Spacek 2013-02-19 15:01:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/108

Version: a7cae08cacad019852067dd7ecf86cefbe35c70e
Discovered at: 2013-02-14T14:47+0100

Define a zone with the following update policy:
{{{
grant R.TEST wildcard x*x;
}}}

BIND will crash on zone reload (or immediately if persistent search is enabled).

BIND throws an error (i.e. does not crash!) when the update policy is used in /etc/named.conf.
Log message:
{{{
/etc/named.conf:43: 'x*x' is not a wildcard
}}}

Backtrace:
{{{
#0  0x00007ffff57dd8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff57df085 in abort () at abort.c:92
#2  0x00007ffff7fa8e14 in assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>)
    at ./main.c:219
#3  0x00007ffff695d89a in isc_assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>)
    at assertions.c:57
#4  0x00007ffff78adfbc in dns_ssutable_addrule (table=0x7ffff23391c8, grant=isc_boolean_true, identity=0x7ffff422fae0, matchtype=2, name=0x7ffff422fcf0, ntypes=0, 
    types=0x0) at ssu.c:174
#5  0x00007ffff20ce45f in acl_configure_zone_ssutable (policy_str=<value optimized out>, zone=0x7fffec2d0ba0) at acl.c:423
#6  0x00007ffff20dabda in ldap_parse_zoneentry (entry=0x7ffff7f2f7b8, inst=0x7ffff2337010) at ldap_helper.c:1292
#7  0x00007ffff20dbc5f in refresh_zones_from_ldap (ldap_inst=0x7ffff2337010, delete_only=<value optimized out>) at ldap_helper.c:1498
#8  0x00007ffff20e1bfe in manager_create_db_instance (mctx=0x7ffff8209250, name=<value optimized out>, argv=0x7ffff7f3bf90, dyndb_args=<value optimized out>)
    at zone_manager.c:182
#9  0x00007ffff20d16ad in dynamic_driver_init (mctx=0x7ffff8209250, name=0x7ffff7f3f1f8 "ipa", argv=0x7ffff7f3bf90, dyndb_args=0x7ffff7f2b510) at ldap_driver.c:1364
#10 0x00007ffff7807de6 in dns_dynamic_db_load (libname=<value optimized out>, name=0x7ffff7f3f1f8 "ipa", mctx=0x7ffff8209250, argv=0x7ffff7f3bf90, 
    dyndb_args=0x7ffff7f2b510) at ./dynamic_db.c:232
#11 0x00007ffff7fc74dc in configure_dynamic_db (view=0x7fffec046e40, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7ffff7f3f1f8, 
    bindkeys=0x7ffff7f3f200, mctx=0x7ffff8209250, actx=0x7ffff7f2b070, need_hints=isc_boolean_true) at server.c:1210
#12 configure_view (view=0x7fffec046e40, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7ffff7f3f1f8, bindkeys=0x7ffff7f3f200, 
    mctx=0x7ffff8209250, actx=0x7ffff7f2b070, need_hints=isc_boolean_true) at server.c:2784
#13 0x00007ffff7fca7b5 in load_configuration (filename=0x7ffff4232850 "\370\225\365\367\377\177", server=0x7ffff7f36010, first_time=isc_boolean_true) at server.c:4912
#14 0x00007ffff7fcbbb5 in run_server (task=<value optimized out>, event=0x0) at server.c:5381
#15 0x00007ffff697c2f8 in dispatch (uap=0x7ffff7f2d010) at task.c:1012
#16 run (uap=0x7ffff7f2d010) at task.c:1157
#17 0x00007ffff6331851 in start_thread (arg=0x7ffff4233700) at pthread_create.c:301
#18 0x00007ffff589390d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
}}}

Comment 2 Namita Soman 2013-03-13 17:50:19 UTC
Please add steps to verify this

Comment 3 Petr Spacek 2013-03-25 06:17:04 UTC
The step is on top of the description: 
Define a zone with the following update policy:
{{{
grant R.TEST wildcard x*x;
}}}

Comment 5 Namita Soman 2014-01-30 20:13:55 UTC
Using bind-dyndb-ldap-3.5-3.el7.x86_64, ipa-server-3.3.3-15.el7.x86_64

Took steps below:
# ipa dnszone-add
Authoritative nameserver: cloud-qe-4.testrelm.com.
Zone name: bz912743Zone
Administrator e-mail address [hostmaster.bz912743zone.]: 
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: hostmaster.bz912743zone.
  SOA serial: 1391111690
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;


# ipa dnszone-mod bz912743Zone --update-policy="grant R.TEST wildcard x*x;"
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: hostmaster.bz912743zone.
  SOA serial: 1391111692
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant R.TEST wildcard x*x;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-mod --admin-email=nk bz912743Zone
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: nk.testrelm.com.
  SOA serial: 1391111692
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-show bz912743Zone --all
  dn: idnsname=bz912743zone,cn=dns,dc=testrelm,dc=com
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: nk.testrelm.com.
  SOA serial: 1391111775
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant R.TEST wildcard x*x;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  nsrecord: cloud-qe-4.testrelm.com.
  objectclass: top, idnsrecord, idnszone

# systemctl restart named


Check /var/log/messages, saw no messages similar to "'x*x' is not a wildcard"

Not sure - if that verifies this bug. 

Petr, any further steps/verifications needed?

Comment 6 Petr Spacek 2014-01-31 08:31:29 UTC
According to https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=33bad9e66f346d40dc3510719898d03ccb79b2f4 you should see message
"invalid update policy: name '%s' is expected to be a wildcard".

Comment 7 Petr Spacek 2014-02-03 16:39:40 UTC
Hmm, I just noticed this line: Dynamic update: FALSE. You have to enable updates - the update policy is not applied if updates are disabled.

Comment 8 Namita Soman 2014-02-04 16:47:28 UTC
yes - that helped - thanks!!

Verified bz taking steps below:

# ipa dnszone-add
Authoritative nameserver: cloud-qe-4.testrelm.com.
Zone name: bz912743Zone
Administrator e-mail address [hostmaster.bz912743zone.]: 
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: hostmaster.bz912743zone.
  SOA serial: 1391532088
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;


# ipa dnszone-mod bz912743Zone --dynamic-update=TRUE
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: hostmaster.bz912743zone.
  SOA serial: 1391532090
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;


# ipa dnszone-mod bz912743Zone --update-policy="grant R.TEST wildcard x*x;"
  Zone name: bz912743zone
  Authoritative nameserver: cloud-qe-4.testrelm.com.
  Administrator e-mail address: hostmaster.bz912743zone.
  SOA serial: 1391532090
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant R.TEST wildcard x*x;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

# grep "is expected to be a wildcard" /var/log/messages
Feb  4 11:42:58 cloud-qe-4 named[20178]: zone bz912743zone/IN: invalid update policy: name 'x*x' is expected to be a wildcard

Comment 9 Ludek Smid 2014-06-13 10:48:08 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
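
Added example, not part of the original report and not the bind-dyndb-ldap patch: frame #4 of the backtrace is an assertion inside dns_ssutable_addrule, so a rule read from LDAP has to be rejected with an error before it reaches that call. The sketch below does that on the rule text; `check_policy_rule` and `name_is_wildcard` are hypothetical names, the parsing is simplified, and the message format follows the one quoted in Comment 6.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Wildcard = leftmost label is exactly "*" (plain text, escapes not handled). */
static bool name_is_wildcard(const char *name)
{
    return name[0] == '*' && (name[1] == '\0' || name[1] == '.');
}

/* Hypothetical pre-check for one "grant|deny identity matchtype name [types];"
 * rule. Returns 0 if the rule may be passed on, -1 with a message in err. */
int check_policy_rule(const char *rule, char *err, size_t errlen)
{
    char action[8], identity[256], matchtype[32], name[256];
    err[0] = '\0';
    if (sscanf(rule, "%7s %255s %31s %255[^ ;\t\n]",
               action, identity, matchtype, name) != 4) {
        snprintf(err, errlen, "invalid update policy: cannot parse rule");
        return -1;
    }
    if (strcmp(action, "grant") != 0 && strcmp(action, "deny") != 0) {
        snprintf(err, errlen, "invalid update policy: unknown action '%s'", action);
        return -1;
    }
    /* Reject here what the callee would otherwise enforce by aborting. */
    if (strcmp(matchtype, "wildcard") == 0 && !name_is_wildcard(name)) {
        snprintf(err, errlen,
                 "invalid update policy: name '%s' is expected to be a wildcard", name);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample rules; the first is the one from this report. */
    const char *rules[] = {
        "grant R.TEST wildcard x*x;",
        "grant R.TEST wildcard *.example.test;",
        "grant TESTRELM.COM krb5-self * A;",
    };
    char err[320];
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        int rc = check_policy_rule(rules[i], err, sizeof err);
        printf("%-40s -> %s\n", rules[i], rc == 0 ? "accepted" : err);
    }
    return 0;
}
```

The wildcard test only applies to the `wildcard` match type, so the `krb5-self * A` rule from the default IPA policy passes unchanged.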

