Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 921167

Summary: update-policy with match type 'zonesub' crashes BIND with bind-dyndb-ldap
Product: Red Hat Enterprise Linux 6 Reporter: Najmuddin Chirammal <nc>
Component: bind-dyndb-ldapAssignee: Petr Spacek <pspacek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: high Docs Contact:
Priority: high    
Version: 6.3CC: dpal, pspacek, sradvan, yjog
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The bind-dyndb-ldap plug-in processed update policies with match-type 'zonesub' incorrectly. Consequence: The problem led to the BIND daemon terminating unexpectedly during update-policy processing. Fix: The bind-dyndb-ldap plug-in has been fixed to process update-policy with match-type 'zonesub' correctly. Result: The bind-dyndb-ldap plug-in no longer crashes during update-policy processing.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 12:10:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 835616, 883504, 960054    

Comment 3 Petr Spacek 2013-03-13 19:07:32 UTC 
Public description:

User wants to update DNS records from his DHCP server using TSIG keys, the key is added into named.conf file. Once the update-policy in LDAP is updated to use the key from named.conf named fails to start (crashes with an assertion failure).

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-2.3-2.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
1.Add a key to named.conf.
for eg: 

key selfupdate {
        algorithm hmac-md5;
        secret "05Fu1ACKv1/1Ag==";
};

2. Add the key to IPA managed zone's update-policy.
for eg: 

# ipa dnszone-mod example.com --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant selfupdate zonesub A;"

(Only the last grant statement is relevant here, rest are present by default).

3. restart 'named' service.
  
Actual results: named crashes with assertion failure

named[19050]: managed-keys-zone ./IN: loaded serial 0
named[19050]: running
named[19050]: acl.c:234: INSIST(0) failed, back trace
named[19050]: #0 0x7f201cb3beff in ??
named[19050]: #1 0x7f201b4ec89a in ??
named[19050]: #2 0x7f201619d6d8 in ??
named[19050]: #3 0x7f20161a7423 in ??
named[19050]: #4 0x7f20161aa8a5 in ??
named[19050]: #5 0x7f201b50b2f8 in ??
named[19050]: #6 0x7f201aec0851 in ??
named[19050]: #7 0x7f201a42290d in ??
named[19050]: exiting (due to assertion failure)

Expected results: named start without any errors and we should be able to use the key from a client to update the zone entries.

Additional info: stack trace from the core file.

Thread 1 (Thread 0x7f7700519700 (LWP 9768)):
#0  0x00007f7701abb8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f7701abd085 in abort () at abort.c:92
#2  0x00007f7704283e14 in assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>) at ./main.c:219
#3  0x00007f7702c3a89a in isc_assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>) at assertions.c:57
#4  0x00007f76fd8f8aa8 in get_match_type (policy_str=<value optimized out>, zone=0x7f76f832beb0) at acl.c:234
#5  acl_configure_zone_ssutable (policy_str=<value optimized out>, zone=0x7f76f832beb0) at acl.c:417
#6  0x00007f76fd901331 in ldap_parse_zoneentry (entry=0x7f77042066a0, inst=0x7f7704226f10) at ldap_helper.c:1022
#7  0x00007f76fd901bcd in refresh_zones_from_ldap (ldap_inst=0x7f7704226f10) at ldap_helper.c:1161
#8  0x00007f76fd906214 in manager_create_db_instance (mctx=0x7f7705eb6250, name=<value optimized out>, argv=<value optimized out>, dyndb_args=<value optimized out>)
    at zone_manager.c:183
#9  0x00007f76fd8fac19 in dynamic_driver_init (mctx=0x7f7705eb6250, name=0x7f77042161f0 "ipa", argv=0x7f77041ff330, dyndb_args=0x7f7704202550) at ldap_driver.c:1329
#10 0x00007f7703ae2de6 in dns_dynamic_db_load (libname=<value optimized out>, name=0x7f77042161f0 "ipa", mctx=0x7f7705eb6250, argv=0x7f77041ff330, dyndb_args=0x7f7704202550)
    at ./dynamic_db.c:232
#11 0x00007f77042a24dc in configure_dynamic_db (view=0x7f76f8111550, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7f77042161f0, bindkeys=0x7f77042161f8, 
    mctx=0x7f7705eb6250, actx=0x7f7704202090, need_hints=isc_boolean_true) at server.c:1210
#12 configure_view (view=0x7f76f8111550, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7f77042161f0, bindkeys=0x7f77042161f8, mctx=0x7f7705eb6250, 
    actx=0x7f7704202090, need_hints=isc_boolean_true) at server.c:2784
#13 0x00007f77042a57b5 in load_configuration (filename=0x7f7700518850 "\370\005#\004w\177", server=0x7f770420d010, first_time=isc_boolean_true) at server.c:4912
#14 0x00007f77042a6bb5 in run_server (task=<value optimized out>, event=0x0) at server.c:5381
#15 0x00007f7702c592f8 in dispatch (uap=0x7f7704204010) at task.c:1012
#16 run (uap=0x7f7704204010) at task.c:1157
#17 0x00007f770260e851 in start_thread (arg=0x7f7700519700) at pthread_create.c:301
#18 0x00007f7701b7111d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Comment 4 Petr Spacek 2013-03-13 19:14:49 UTC 
Upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/111
Comment 5 Petr Spacek 2013-03-13 19:30:32 UTC 
Match type 'zonesub' is not handled properly.

Workaround:
Replace 'zonesub' with 'subdomain' match type. E.g. for zone 'example.com' use following update policy:
grant keyname subdomain example.com;

Result:
Update requests signed by key 'keyname' are allowed to change all records in zone 'example.com'.
Comment 6 Petr Spacek 2013-03-25 15:40:38 UTC 
Fixed in upstream by commit 55b623b947b8bef1eb31ad6cd4efe1b846c036c4.
Comment 14 Namita Soman 2013-08-28 18:55:25 UTC 
Using ipa-server-3.0.0-33.el6.x86_64, followed steps:

# cat /etc/named.conf
<snip>
...
key selfupdate {
        algorithm hmac-md5;
        secret "05Fu1ACKv1/1Ag==";
};

# ipa dnszone-mod testrelm.com --update-policy="grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP; grant selfupdate zonesub A;"
  Zone name: testrelm.com
  Authoritative nameserver: mgmt6.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1377713531
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self *
                      SSHFP; grant selfupdate zonesub A;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;



# service named restart
Stopping named: .[  OK  ]
Starting named: [  OK  ]


# ipa dnszone-show testrelm.com --all
  dn: idnsname=testrelm.com,cn=dns,dc=testrelm,dc=com
  Zone name: testrelm.com
  Authoritative nameserver: mgmt6.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1377715681
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self *
                      SSHFP; grant selfupdate zonesub A;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: mgmt6.testrelm.com.
  objectclass: top, idnsrecord, idnszone


named restarted successfuly
Comment 15 Namita Soman 2013-09-04 12:18:55 UTC 
Verified further. After the above steps, did further verification:
# cat dnsupdate.txt
server ipaqa64vme.testrelm.com
zone testrelm.com
key selfupdate 05Fu1ACKv1/1Ag==
update add foo.testrelm.com. 60 IN A <IPADDR>
send

# nsupdate -v -D dnsupdate.txt

Verified "Outgoing" and "Reply" results (similar to dig output). Since the update wad successful, got NOERROR.
Comment 16 errata-xmlrpc 2013-11-21 12:10:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1636.html