#111 Update-policy with match type 'zonesub' crashes plugin
Closed: Fixed. Opened 11 years ago by pspacek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 921167

User wants to update DNS records from his DHCP server using TSIG keys, the key is added into named.conf file. Once the update-policy in LDAP is updated to use the key from named.conf named fails to start (crashes with an assertion failure).

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-2.3-2.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Add a key to named.conf, for example:

key selfupdate {
        algorithm hmac-md5;
        secret "05Fu1ACKv1/1Ag==";
};

2. Add the key to the IPA-managed zone's update-policy, for example:

# ipa dnszone-mod example.com --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant selfupdate zonesub A;"

(Only the last grant statement is relevant here; the rest are present by default.)

3. Restart the 'named' service.

Actual results: named crashes with an assertion failure:

named[19050]: managed-keys-zone ./IN: loaded serial 0
named[19050]: running
named[19050]: acl.c:234: INSIST(0) failed, back trace
named[19050]: #0 0x7f201cb3beff in ??
named[19050]: #1 0x7f201b4ec89a in ??
named[19050]: #2 0x7f201619d6d8 in ??
named[19050]: #3 0x7f20161a7423 in ??
named[19050]: #4 0x7f20161aa8a5 in ??
named[19050]: #5 0x7f201b50b2f8 in ??
named[19050]: #6 0x7f201aec0851 in ??
named[19050]: #7 0x7f201a42290d in ??
named[19050]: exiting (due to assertion failure)

Expected results: named starts without any errors, and we should be able to use the key from a client to update the zone entries.

Additional info: stack trace from the core file:

Thread 1 (Thread 0x7f7700519700 (LWP 9768)):
#0  0x00007f7701abb8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f7701abd085 in abort () at abort.c:92
#2  0x00007f7704283e14 in assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>) at ./main.c:219
#3  0x00007f7702c3a89a in isc_assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>) at assertions.c:57
#4  0x00007f76fd8f8aa8 in get_match_type (policy_str=<value optimized out>, zone=0x7f76f832beb0) at acl.c:234
#5  acl_configure_zone_ssutable (policy_str=<value optimized out>, zone=0x7f76f832beb0) at acl.c:417
#6  0x00007f76fd901331 in ldap_parse_zoneentry (entry=0x7f77042066a0, inst=0x7f7704226f10) at ldap_helper.c:1022
#7  0x00007f76fd901bcd in refresh_zones_from_ldap (ldap_inst=0x7f7704226f10) at ldap_helper.c:1161
#8  0x00007f76fd906214 in manager_create_db_instance (mctx=0x7f7705eb6250, name=<value optimized out>, argv=<value optimized out>, dyndb_args=<value optimized out>)
    at zone_manager.c:183
#9  0x00007f76fd8fac19 in dynamic_driver_init (mctx=0x7f7705eb6250, name=0x7f77042161f0 "ipa", argv=0x7f77041ff330, dyndb_args=0x7f7704202550) at ldap_driver.c:1329
#10 0x00007f7703ae2de6 in dns_dynamic_db_load (libname=<value optimized out>, name=0x7f77042161f0 "ipa", mctx=0x7f7705eb6250, argv=0x7f77041ff330, dyndb_args=0x7f7704202550)
    at ./dynamic_db.c:232
#11 0x00007f77042a24dc in configure_dynamic_db (view=0x7f76f8111550, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7f77042161f0, bindkeys=0x7f77042161f8, 
    mctx=0x7f7705eb6250, actx=0x7f7704202090, need_hints=isc_boolean_true) at server.c:1210
#12 configure_view (view=0x7f76f8111550, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7f77042161f0, bindkeys=0x7f77042161f8, mctx=0x7f7705eb6250, 
    actx=0x7f7704202090, need_hints=isc_boolean_true) at server.c:2784
#13 0x00007f77042a57b5 in load_configuration (filename=0x7f7700518850 "\370\005#\004w\177", server=0x7f770420d010, first_time=isc_boolean_true) at server.c:4912
#14 0x00007f77042a6bb5 in run_server (task=<value optimized out>, event=0x0) at server.c:5381
#15 0x00007f7702c592f8 in dispatch (uap=0x7f7704204010) at task.c:1012
#16 run (uap=0x7f7704204010) at task.c:1157
#17 0x00007f770260e851 in start_thread (arg=0x7f7700519700) at pthread_create.c:301
#18 0x00007f7701b7111d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Match type 'zonesub' is not handled properly.

Workaround:
Replace the 'zonesub' match type with 'subdomain'. E.g. for zone 'example.com' use the following update policy:
grant keyname subdomain example.com;

Result:
Update requests signed by key 'keyname' are allowed to change all records in zone 'example.com'.

Moved as instructed in ipa-out-of-band-triage-3-19-13.
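The two policies above differ only in how the name operand is supplied: 'zonesub' takes no name and implicitly covers the zone apex and everything below it, while 'subdomain' takes an explicit name. The following is an added example, not code from bind-dyndb-ldap or BIND (the real parser lives in acl.c, shown in the backtrace above): a small parser for update-policy grant statements that treats 'zonesub' as a distinct case with no name operand, substitutes the zone origin as its effective scope, and reports an unknown match type as a configuration error instead of failing an assertion. The keyword table, struct names and return conventions are this example's own choices; the grant syntax and keywords are those of named.conf.

```c
/* Added example (not bind-dyndb-ldap or BIND code): parse named.conf
 * update-policy statements of the form
 *     grant|deny <identity> <matchtype> [<name>] [<rrtype> ...];
 * 'zonesub' is the one match type without a <name> operand; its scope is
 * the zone origin. An unrecognised match type is a configuration error. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum match_type {
    MT_NAME, MT_SUBDOMAIN, MT_WILDCARD, MT_SELF, MT_SELFSUB, MT_SELFWILD,
    MT_KRB5_SELF, MT_KRB5_SUBDOMAIN, MT_MS_SELF, MT_MS_SUBDOMAIN,
    MT_TCP_SELF, MT_6TO4_SELF, MT_ZONESUB
};

/* Match-type keywords and whether a <name> operand follows each one. */
static const struct { const char *keyword; enum match_type type; int takes_name; }
match_types[] = {
    { "name", MT_NAME, 1 },           { "subdomain", MT_SUBDOMAIN, 1 },
    { "wildcard", MT_WILDCARD, 1 },   { "self", MT_SELF, 1 },
    { "selfsub", MT_SELFSUB, 1 },     { "selfwild", MT_SELFWILD, 1 },
    { "krb5-self", MT_KRB5_SELF, 1 }, { "krb5-subdomain", MT_KRB5_SUBDOMAIN, 1 },
    { "ms-self", MT_MS_SELF, 1 },     { "ms-subdomain", MT_MS_SUBDOMAIN, 1 },
    { "tcp-self", MT_TCP_SELF, 1 },   { "6to4-self", MT_6TO4_SELF, 1 },
    { "zonesub", MT_ZONESUB, 0 },     /* no name: scope is the zone itself */
};

struct grant {
    int deny;              /* 1 for "deny", 0 for "grant" */
    char identity[64];     /* TSIG key name or principal pattern */
    enum match_type type;
    char name[256];        /* effective name; zone origin for zonesub */
    char rrtypes[128];     /* space-joined RR types, "" means any type */
};

static int lookup_match_type(const char *kw, enum match_type *t, int *takes_name) {
    for (size_t i = 0; i < sizeof(match_types) / sizeof(match_types[0]); i++) {
        if (strcmp(kw, match_types[i].keyword) == 0) {
            *t = match_types[i].type;
            *takes_name = match_types[i].takes_name;
            return 0;
        }
    }
    return -1;
}

/* Parse one statement. Returns 0 on success, -1 on any error. */
int parse_grant(const char *stmt, const char *zone_origin, struct grant *g) {
    char buf[512], *tok, *save, *semi;
    int takes_name;

    memset(g, 0, sizeof(*g));
    if (strlen(stmt) >= sizeof(buf)) return -1;
    strcpy(buf, stmt);
    if ((semi = strchr(buf, ';')) != NULL) *semi = '\0';   /* drop terminator */

    tok = strtok_r(buf, " \t\n", &save);
    if (tok == NULL) return -1;
    if (strcmp(tok, "grant") == 0) g->deny = 0;
    else if (strcmp(tok, "deny") == 0) g->deny = 1;
    else return -1;

    tok = strtok_r(NULL, " \t\n", &save);
    if (tok == NULL || strlen(tok) >= sizeof(g->identity)) return -1;
    strcpy(g->identity, tok);

    tok = strtok_r(NULL, " \t\n", &save);
    if (tok == NULL) return -1;
    if (lookup_match_type(tok, &g->type, &takes_name) != 0) {
        fprintf(stderr, "update-policy: unknown match type '%s'\n", tok);
        return -1;                     /* report, do not assert */
    }

    if (takes_name) {
        tok = strtok_r(NULL, " \t\n", &save);
        if (tok == NULL || strlen(tok) >= sizeof(g->name)) return -1;
        strcpy(g->name, tok);
    } else {                           /* zonesub: apex and all subdomains */
        if (strlen(zone_origin) >= sizeof(g->name)) return -1;
        strcpy(g->name, zone_origin);
    }

    while ((tok = strtok_r(NULL, " \t\n", &save)) != NULL) {
        if (strlen(g->rrtypes) + strlen(tok) + 2 > sizeof(g->rrtypes)) return -1;
        if (g->rrtypes[0] != '\0') strcat(g->rrtypes, " ");
        strcat(g->rrtypes, tok);
    }
    return 0;
}

/* Parse a whole ';'-separated policy string. Returns the number of grants
 * parsed, or -1 at the first bad statement (zone load should then fail). */
int parse_update_policy(const char *policy, const char *zone_origin,
                        struct grant *out, int max) {
    char buf[1024], *stmt, *save;
    int n = 0;
    if (strlen(policy) >= sizeof(buf)) return -1;
    strcpy(buf, policy);
    for (stmt = strtok_r(buf, ";", &save); stmt; stmt = strtok_r(NULL, ";", &save)) {
        while (isspace((unsigned char)*stmt)) stmt++;
        if (*stmt == '\0') continue;
        if (n >= max || parse_grant(stmt, zone_origin, &out[n]) != 0) return -1;
        n++;
    }
    return n;
}

int main(void) {
    struct grant g;
    const char *stmts[] = { "grant selfupdate zonesub A;",            /* constructed */
                            "grant keyname subdomain example.com;",
                            "grant selfupdate bogus A;" };
    for (size_t i = 0; i < 3; i++) {
        if (parse_grant(stmts[i], "example.com", &g) == 0)
            printf("%s -> identity=%s name=%s rrtypes='%s'\n",
                   stmts[i], g.identity, g.name, g.rrtypes);
        else
            printf("%s -> rejected\n", stmts[i]);
    }
    return 0;
}
```

Run stand-alone, the first two statements resolve to the same effective name 'example.com' (the zonesub one additionally restricted to type A), and the third is rejected with a message rather than terminating the process.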

Metadata Update from @pspacek (7 years ago):
- Issue assigned to pspacek
- Issue set to the milestone: Fedora 19
