#191 Support for krb5-selfsub and ms-selfsub on update-policy in DNS zones
Closed: fixed by abbra. Opened by viniciusferrao.

Problem

To limit the security issues of krb5-subdomain and ms-subdomain update policies on DNS zones, two new keywords are added to BIND9 to better control the dynamic updates.

There's a CVE regarding this issue: https://kb.isc.org/docs/cve-2018-5741

The patch already exists in the BIND9 shipped with the latest IPA, but the IPA interface does not recognise those keywords.

What does not work as expected?

bind-dyndb-ldap does not recognise those keywords:
May 23 20:06:18 idm1 named-pkcs11[4237]: bug in get_match_type(): unsupported match type 'krb5-selfsub'
May 23 20:06:18 idm1 named-pkcs11[4237]: zone 21.172.in-addr.arpa/IN: disabling all updates because of error in update policy configuration: not implemented
May 23 20:06:18 idm1 named-pkcs11[4237]: update_zone (syncrepl) failed for master zone DN 'idnsname=21.172.in-addr.arpa.,cn=dns,dc=nix,dc=example,dc=com'. Zones can be outdated, run rndc reload: not implemented

They have already been implemented since BIND 9.11.5.

From the same CVE link this is stated:

These new update-policy options will debut in the next set of maintenance releases scheduled for the BIND 9.11 and 9.12 branches (as well as the BIND 9.13 development branch) and should be available to users in October 2018.

BIND 9.11.5
BIND 9.12.3

Is your problem related to a single DNS zone or a DNS record?

All DNS zones

Steps to Reproduce

  • Enable dynamic DNS updates on a given zone with krb5-selfsub inside update-policy
  • Watch system logs with errors

Environment

  • Plugin version:
    bind-dyndb-ldap-11.2-3.module+el8.2.0+4921+923e30d5.x86_64

  • Version of BIND:
    bind-pkcs11-9.11.13-3.el8.x86_64

  • Distribution and version (i.e. including updates):
    RHEL 8.2

  • Architecture:
    x86_64

  • Do you use bind-dyndb-ldap as part of a FreeIPA installation? If you answered no: which LDAP server do you use? Which version?
    Yes; and this bug was incorrectly reported to FreeIPA: https://pagure.io/freeipa/issue/8332

  • Include dyndb (dynamic-db) section from configuration file /etc/named.conf:
    Default from FreeIPA

  • Do you have some other text based or DLZ zones configured?
    No

  • Do you have some global forwarders configured in BIND configuration file? (Statements forward and forwarders.)
    No

  • Do you have some settings in global configuration object in LDAP? Please export configuration object to LDIF and attach it to the bug report.
    No
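For reference, the two styles of update-policy at issue side by side, as an added illustration rather than configuration from the ticket or from bind-dyndb-ldap: the realm EXAMPLE.COM and zone example.com are placeholders, and the `.` name field for the self* match types is assumed from the BIND ARM convention, so check the grammar against the ARM for the BIND version in use.

```conf
// Added illustration; placeholders: realm EXAMPLE.COM, zone example.com.
// With bind-dyndb-ldap the grant lines live in the zone's idnsUpdatePolicy
// attribute in LDAP (set via FreeIPA) rather than in named.conf, but the
// grammar is the same as BIND's.

// Before: the broad subdomain rules. Any principal authenticated by
// EXAMPLE.COM may update any name under example.com, which is the
// behaviour clarified in https://kb.isc.org/docs/cve-2018-5741.
update-policy {
    grant EXAMPLE.COM krb5-subdomain example.com. ANY;
    grant EXAMPLE.COM ms-subdomain   example.com. ANY;
};

// After: the narrower rules added in BIND 9.11.5 / 9.12.3. A principal
// such as host/foo.example.com@EXAMPLE.COM (or FOO$@EXAMPLE.COM for the
// ms- variant) may only update foo.example.com and names below it, and
// only the listed record types. These are the match types that
// bind-dyndb-ldap 11.2 rejects in get_match_type() with
// "unsupported match type 'krb5-selfsub'", disabling all updates for
// the zone.
update-policy {
    grant EXAMPLE.COM krb5-selfsub . A AAAA SSHFP;
    grant EXAMPLE.COM ms-selfsub   . A AAAA SSHFP;
};
```

Until the plugin accepts the new keywords, a zone carrying the "after" policy logs the errors shown above and stops accepting dynamic updates entirely.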


Pull request https://pagure.io/bind-dyndb-ldap/pull-request/192 should fix this issue.

@viniciusferrao if you have a RHEL subscription, please open a customer case and let support know to open a bug against RHEL 8 so that we can pull this change into RHEL.

Merged PR 192 to master. I'll do Fedora updates soon.

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
