Bug 958141 - old update/transfer/query policy stays in effect if new policy contains an error
Summary: old update/transfer/query policy stays in effect if new policy contains an error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Petr Spacek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-30 13:24 UTC by Dmitri Pal
Modified: 2015-01-21 15:41 UTC (History)

Fixed In Version: bind-dyndb-ldap-3.5-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:37:52 UTC
Target Upstream Version:
Embargoed:



Description Dmitri Pal 2013-04-30 13:24:27 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/116

Example:
* A zone `test.` contains query policy `any;`, so anybody can query the zone.
* Admin changed the query policy to `192.0.2..0/24;`, i.e. the new policy contains a typo.
* The typo (parsing error) causes the old policy to stay in effect, i.e. anybody can query the zone.

Proposed fix:
* Disable all updates/transfers/queries if the new policy contains an error. This should prevent nasty surprises for admins.

Comment 1 Namita Soman 2013-04-30 18:39:15 UTC
Please provide steps to verify

Comment 3 Petr Spacek 2013-05-02 08:41:00 UTC
Please read the description in the upstream ticket.

Comment 4 Petr Spacek 2013-05-21 11:45:10 UTC
Fixed upstream by commits 0a5051392e218702a37073823101cbb6553b9445 and b21eb8a84e2c02e7dd090d24d68f1e385b0604c3.

Comment 5 Xiyang Dong 2014-01-15 15:58:50 UTC
I'm trying to change the query policy to an invalid one, but I got:

[root@70master ipa-ctl]# ipa dnszone-mod example.com --allow-query="192.0.2..0/24"
ipa: ERROR: invalid 'allow_query': invalid literal for int() with base 10: ''

[root@70master ipa-ctl]# ipa dnszone-mod example.com --allow-query="192.0.999.0/24"
ipa: ERROR: invalid 'allow_query': invalid IPNetwork 192.0.999.0/24

Could you provide an invalid query that I can change to, or if not, what's the best way to verify this bug?

Comment 6 Petr Spacek 2014-01-16 08:40:15 UTC
Validators were added to the FreeIPA CLI so users can't enter invalid values.

I would recommend using ldapmodify/ldapadd to modify the idnsUpdatePolicy/idnsAllowTransfer/idnsAllowQuery attributes in LDAP directly.

Comment 7 Xiyang Dong 2014-01-21 18:24:46 UTC
Hi Petr,
I changed idnsAllowQuery to an invalid value, but the idnsUpdatePolicy/idnsAllowTransfer/idnsAllowQuery attributes were not shown as disabled. How do I trigger the disable?

[root@70master ~]# kinit admin
Password for admin: 
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390327977
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA;
                      grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123|grep "dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com" -A 15
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsAllowQuery: any;
nSRecord: ns
idnsSOAserial: 1390327980
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-se
 lf * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: example.com

[root@70master ~]# cat >modifyAllowQuery.ldif << EOF
> dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
> changetype: modify
> replace: idnsAllowQuery
> idnsAllowQuery: 192.0.2..0/24
> EOF

[root@70master ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123  -f modifyAllowQuery.ldif 
modifying entry "idnsname=example.com,cn=dns,dc=testrelm,dc=com"

[root@70master ~]# ldapsearch -x -D "cn=Directory Manager" -w Secret123|grep "dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com" -A 15
dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsAllowQuery: 192.0.2..0/24
nSRecord: ns
idnsSOAserial: 1390327980
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-se
 lf * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: example.com

Comment 8 Petr Spacek 2014-01-21 18:42:26 UTC
Hi Xiyang. Comment #0 says:
> Proposed fix:
> * Disable all updates/transfers/queries if the new policy contain an error. This should prevent nasty surprises for admins.

This is not related to the values in LDAP - whatever the user puts into LDAP stays there.

The difference is in the way bind-dyndb-ldap interprets invalid values. Try to query the zone with the invalid query policy - the query should be refused. The same applies to updates and zone transfers.

Always configure a valid policy, do the action to verify that it works (e.g. do a zone transfer), then change the policy to something invalid and try the action again.
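A model of the fail-open behaviour the description reports and of the fail-closed behaviour Comment 8 tells the tester to verify, as added example code (Python, not bind-dyndb-ldap's own C code). The address-match-list parser, the ZonePolicy class and the client addresses are assumptions constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass, field

class PolicyParseError(ValueError):
    """Raised when an address-match list cannot be parsed."""

def parse_acl(text):
    """Parse a BIND-style address-match list (`any;`, `none;`, `192.0.2.0/24; !192.0.2.7;`)
    into (negate, network) entries; first match wins, an empty list matches nothing."""
    entries = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item or item == "none":  # `none` contributes no entry: nothing matches
            continue
        negate = item.startswith("!")
        if negate:
            item = item[1:].strip()
        nets = ("0.0.0.0/0", "::/0") if item == "any" else (item,)
        for net in nets:
            try:
                entries.append((negate, ipaddress.ip_network(net, strict=False)))
            except ValueError as exc:  # malformed element, e.g. `192.0.2..0/24`
                raise PolicyParseError(f"invalid element {item!r}: {exc}") from exc
    return entries

def acl_allows(entries, client_ip):
    """True if client_ip matches a non-negated entry before any negated one."""
    addr = ipaddress.ip_address(client_ip)
    for negate, net in entries:
        if addr.version == net.version and addr in net:
            return not negate
    return False  # no element matched: refuse by default, as BIND does

@dataclass
class ZonePolicy:
    name: str
    allow_query: list = field(default_factory=list)  # empty list = deny-all
    errors: list = field(default_factory=list)

    def reload_allow_query(self, text, fail_closed=True):
        """Apply a new idnsAllowQuery value. fail_closed=False reproduces the bug:
        a parse error leaves the previous (possibly wide-open) list in effect.
        fail_closed=True replaces it with deny-all until the admin fixes the value."""
        try:
            self.allow_query = parse_acl(text)
            return True
        except PolicyParseError as exc:
            self.errors.append(f"{self.name}: {exc}")
            if fail_closed:
                self.allow_query = []
            return False

def query_status(zone, client_ip):
    """Rcode a query from client_ip would get for this zone."""
    return "NOERROR" if acl_allows(zone.allow_query, client_ip) else "REFUSED"

def demo(fail_closed):
    """Replay the report: valid `any;`, then the `192.0.2..0/24;` typo."""
    zone = ZonePolicy("test.")
    zone.reload_allow_query("any;")
    before = query_status(zone, "203.0.113.9")  # constructed client address
    zone.reload_allow_query("192.0.2..0/24;", fail_closed=fail_closed)
    return before, query_status(zone, "203.0.113.9")
```

demo(False) returns ('NOERROR', 'NOERROR'), the fail-open behaviour reported; demo(True) returns ('NOERROR', 'REFUSED'), the fail-closed result the verification steps expect.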

Comment 9 Petr Spacek 2014-01-23 14:14:01 UTC
Replying to question from IRC:
Syntax for allow-transfer configuration is:
http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer

For zone transfer you can use dig:
dig @server_IP -t AXFR zone.example.com.

Comment 10 Xiyang Dong 2014-01-24 20:30:48 UTC
Verified on:
ipa-server-3.3.3-6.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz958141 - old update/transfer/query policy stays in effect if new policy contain an error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:29:49 ] ::  execute expect file: /tmp/kinit.25832.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
SUsing existing cache: persistent:0:0
Using principal: admin
ecretPassword for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 15:29:50 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595391
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Add test zone (Expected 0, got 0)
:: [   PASS   ] :: get the original BIND update policy (Expected 0, got 0)
  Record name: test
  A record: 1.2.3.4
:: [   PASS   ] :: Add A rec for test.example.com (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595394
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: Enable dynamic updates for forward zone (Expected 0, got 0)
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com
:: [   PASS   ] :: Add host test.example.com (Expected 0, got 0)
Keytab successfully retrieved and stored in: /tmp/tmp.Zjy6tPPzQG/bz958141.keytab
:: [   PASS   ] :: get keytab for test.example.com (Expected 0, got 0)
:: [   PASS   ] :: kinit use principal for test.example.com (Expected 0, got 0)
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  25078
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com.		IN	SOA

;; AUTHORITY SECTION:
example.com.		3600	IN	SOA	70master.testrelm.com. hostmaster.example.com. 1390595394 3600 900 1209600 3600

Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  24648
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3714725673.sig-70master.testrelm.com. ANY TKEY

;; ADDITIONAL SECTION:
3714725673.sig-70master.testrelm.com. 0	ANY TKEY gss-tsig. 1390595396 1390595396 3 NOERROR 623 YIICawYJKoZIhvcSAQICAQBuggJaMIICVqADAgEFoQMCAQ6iBwMFACAA AACjggFcYYIBWDCCAVSgAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCARIwggEO oAMCARKhAwIBAqKCAQAEgf1qYUF/xRjTKtf5BPqZ4gQPw/u3hvX+LjOZ TcO+hcfZC3xFGU9wgsGdDNhuIUreYQubSHGm7QxM+7aJ7fYXoVCOxw7F RNHSFai58UV3rjQ/pqY3DQqlgRf5d2LptvozoqSHNX1NlA13692cQp42 tmQeECtpiS/syzWqUNDgh9n8JykLpEQkHNTAoqJ8g3M8RLs7Th3Sgyft wnnmkhek/VEDAwmAjBX3bJ0KkJjo4Vav0STCio8OlfaDXR8GF8sXvw/V nqR0Q1Qn0YKB4/WgeVHfLL+/flma40rV55lz31OH/R5tDyrAhCfpob76 QuxMZRAGMUJS/NPBeROqNoaopIHgMIHdoAMCARKigdUEgdK2vsS8Bdu4 FCCj6WBcyoLC8ewcxy+7AhYCF269iLKOuXCE7A4kt50/aBf6kPBgfxEq SxhqoGjb6NuGjrWG4j/K12jr2dom0K6d46dbdi1PcHtuwS2VDPr3i41i jv2+tM1rhToKc5Ksp+xqM0Zv4KorvXOBVnpXby4TVXX/TUteU8KVhWyb fdzOLv05KRFRrPBcavR3CQ/PEiWRdsQD5P2GqIPYQx0G8IukENqmpdrG zuO7VvXee9b9MVu+VpGXVFUvI9s7jwoQTA/s77ffDhG3oAU= 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  24648
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3714725673.sig-70master.testrelm.com. ANY TKEY

;; ANSWER SECTION:
3714725673.sig-70master.testrelm.com. 0	ANY TKEY gss-tsig. 1390595396 1390598996 3 NOERROR 156 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi cQRvYMkBCbrYwt8Cb5KiqO3aCWfR374LMggdCD8wDk72C54ctHUeh+PT Pkpbe+Pt0/eUbonTG5uzzHbiaIpA1lcVLfE3RGdDxUMt7W+1eWtJkTYu Zg/FJKHpKUnmAsgkRWPNSWIBg6UFLTrTDWeyBzZQ 0

Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  59932
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com.	0	NONE	A	1.2.3.4

;; TSIG PSEUDOSECTION:
3714725673.sig-70master.testrelm.com. 0	ANY TSIG gss-tsig. 1390595396 300 28 BAQE//////8AAAAALYqyNtqkIUxMrL6YXXm8aQ== 59932 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  59932
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.			IN	SOA

;; TSIG PSEUDOSECTION:
3714725673.sig-70master.testrelm.com. 0	ANY TSIG gss-tsig. 1390595397 300 28 BAQF//////8AAAAAFWKybz0Xk0jfZ5DDc0u3bg== 59932 NOERROR 0 

:: [   PASS   ] :: EXECUTING: nsupdate -g /tmp/tmp.Zjy6tPPzQG/nsupdate.txt,verify a valid dynamic update with valid BIND update policy (Expected 0, got 0)
:: [ 15:29:57 ] ::  execute expect file: /tmp/kinit.11211.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
Using existing cache: persistent:0:0
Using principal: admin
SecrPassword for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 15:29:57 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595396
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: invalid value
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: change update policy to some invalid value (Expected 0, got 0)
  Record name: test
  A record: 1.2.3.4
:: [   PASS   ] :: Add A rec for test.example.com (Expected 0, got 0)
:: [   PASS   ] :: kinit use principal for test.example.com (Expected 0, got 0)
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  10324
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com.		IN	SOA

;; AUTHORITY SECTION:
example.com.		3600	IN	SOA	70master.testrelm.com. hostmaster.example.com. 1390595399 3600 900 1209600 3600

Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  35116
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4176817492.sig-70master.testrelm.com. ANY TKEY

;; ADDITIONAL SECTION:
4176817492.sig-70master.testrelm.com. 0	ANY TKEY gss-tsig. 1390595400 1390595400 3 NOERROR 642 YIICfgYJKoZIhvcSAQICAQBuggJtMIICaaADAgEFoQMCAQ6iBwMFACAA AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi oAMCARKhAwIBAqKCARQEggEQy2AiQUgmHCcRIS2pczY0iI7+QL9GF96N B4u09c3RmXNE7QHfvHz5G1/3gD4/WJf3yhMalrejdvsVtLjgyykZ6fjB NVNvLL7ZkDdNi+K4hwc4+aThcFW+F8BKdvxBGrjEFyNTxXJsb75WmQpA cLYLmyJ4wdfKyw1o0DI5z+hOwNn4H2XTjRLwmUdihQ/c5mOvLMAwGtZx LM6Qdmi7klFF1dGgsdoTsoPmhkuEy/BBSqut2X/kN6VbXSIKj0XLCnZx jQ5u+gj0E2CezAaryeg8P1fbcd4otSp94Y+Vb9PiDvIhmgB7cOuErwI0 kag5tYypCE0t6hIcQ5NADt3BUFCeYFaDc/ipS6XvEnKQy1w6F5mkgd8w gdygAwIBEqKB1ASB0UfvkP0UzYXnf3ksnlxz3DVrPHf+K5PSLGojd1hs 3prgNSgSifsa/KZv8GSXc2TQW3auCiZhoWvm76E/PUh47v3f3xFMMnjy xfTS+87ich8BfqewOJNAAGqNQtX6hCmruM4MWH8GgyZxYtBZAtKdqsYH f8DioG0spWQ4a84w26PSKi5wTSw4sienVP1WK7qoazr2MIfaUCNEA4V9 feZO/Ou7jeYmQlxkTisruodvikKNPd3zwLRLCxmeWycXhACw9kC+uZXb 7qTSyF5gNDGDWYom 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  35116
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;4176817492.sig-70master.testrelm.com. ANY TKEY

;; ANSWER SECTION:
4176817492.sig-70master.testrelm.com. 0	ANY TKEY gss-tsig. 1390595400 1390599000 3 NOERROR 156 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi cQRvb8zSydpmH5FTsxyt+bv6vKX6pdzQiIaAfv/meMo4Y2tqKCKPuswl rASOg5U3AyJ3A+zCYng3tOUwAZzrS6I03gp392pGkG/EaYTykuHDpQHB aetA7r4826QI1wXJjWlLPz6fbKPT9Bp78LNQ9PoE 0

Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  59512
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com.	0	NONE	A	1.2.3.4

;; TSIG PSEUDOSECTION:
4176817492.sig-70master.testrelm.com. 0	ANY TSIG gss-tsig. 1390595400 300 28 BAQE//////8AAAAAABMCXtWtJqK1xRfnjnGbGQ== 59512 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  59512
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.			IN	SOA

;; TSIG PSEUDOSECTION:
4176817492.sig-70master.testrelm.com. 0	ANY TSIG gss-tsig. 1390595400 300 28 BAQF//////8AAAAAILgTm/C4CtoXQV+a+EnVfQ== 59512 NOERROR 0 

:: [   PASS   ] :: EXECUTING: nsupdate -g /tmp/tmp.Zjy6tPPzQG/nsupdate.txt,verify a dynamic update is disabled with invalid BIND update policy (Expected 2, got 2)
:: [ 15:30:00 ] ::  execute expect file: /tmp/kinit.24755.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
Using existing cache: persistent:0:0
Using principal: admin
SecrPassword for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 15:30:00 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595399
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: change back to original BIND update policy (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595399
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: any;
:: [   PASS   ] :: default allow transfer is none, change to any (Expected 0, got 0)

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> @127.0.0.1 -t AXFR example.com
; (1 server found)
;; global options: +cmd
example.com.		86400	IN	SOA	70master.testrelm.com. hostmaster.example.com. 1390595399 3600 900 1209600 3600
example.com.		86400	IN	NS	ns.example.com.
ns.example.com.		86400	IN	A	127.0.0.1
_kerberos.example.com.	86400	IN	TXT	"TESTRELM.COM"
test.example.com.	86400	IN	A	1.2.3.4
example.com.		86400	IN	SOA	70master.testrelm.com. hostmaster.example.com. 1390595399 3600 900 1209600 3600
;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 24 15:30:03 EST 2014
;; XFR size: 6 records (messages 1, bytes 219)

:: [   PASS   ] :: verify that zone transfer works with valid allow transfer policy (Expected 0, got 0)
:: [ 15:30:04 ] ::  dn for zone example.com is   dn: idnsname=example.com,cn=dns,dc=testrelm,dc=com
modifying entry "idnsname=example.com,cn=dns,dc=testrelm,dc=com"

:: [   PASS   ] :: Change idnsAllowTransfer to an invalid value (Expected 0, got 0)
; Transfer failed.
:: [   PASS   ] :: Verify that zone transfer fails with invalid allow transfer policy (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595399
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: change back to original zone transfer policy :none (Expected 0, got 0)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36812
:: [   PASS   ] :: verify that query works (Expected 0, got 0)
modifying entry "idnsname=example.com,cn=dns,dc=testrelm,dc=com"

:: [   PASS   ] :: Change idnsAllowQuery to an invalid value (Expected 0, got 0)
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59668
:: [   PASS   ] :: verify that query is disabled (Expected 0, got 0)
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390595399
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
:: [   PASS   ] :: change back to original zone transfer policy :any (Expected 0, got 0)
-------------------------------
Deleted host "test.example.com"
-------------------------------
:: [   PASS   ] :: delete host test.example.com (Expected 0, got 0)
------------------------------
Deleted DNS zone "example.com"
------------------------------
:: [   PASS   ] :: delete test zone example.com (Expected 0, got 0)

Comment 11 Ludek Smid 2014-06-13 12:37:52 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

