Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 921167
User wants to update DNS records from his DHCP server using TSIG keys, the key is added into named.conf file. Once the update-policy in LDAP is updated to use the key from named.conf named fails to start (crashes with an assertion failure). Version-Release number of selected component (if applicable): bind-dyndb-ldap-2.3-2.el6.x86_64 How reproducible: Always. Steps to Reproduce: 1.Add a key to named.conf. for eg: key selfupdate { algorithm hmac-md5; secret "05Fu1ACKv1/1Ag=="; }; 2. Add the key to IPA managed zone's update-policy. for eg: # ipa dnszone-mod example.com --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant selfupdate zonesub A;" (Only the last grant statement is relevant here, rest are present by default). 3. restart 'named' service. Actual results: named crashes with assertion failure named[19050]: managed-keys-zone ./IN: loaded serial 0 named[19050]: running named[19050]: acl.c:234: INSIST(0) failed, back trace named[19050]: #0 0x7f201cb3beff in ?? named[19050]: #1 0x7f201b4ec89a in ?? named[19050]: #2 0x7f201619d6d8 in ?? named[19050]: #3 0x7f20161a7423 in ?? named[19050]: #4 0x7f20161aa8a5 in ?? named[19050]: #5 0x7f201b50b2f8 in ?? named[19050]: #6 0x7f201aec0851 in ?? named[19050]: #7 0x7f201a42290d in ?? named[19050]: exiting (due to assertion failure) Expected results: named start without any errors and we should be able to use the key from a client to update the zone entries. Additional info: stack trace from the core file. Thread 1 (Thread 0x7f7700519700 (LWP 9768)): #0 0x00007f7701abb8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007f7701abd085 in abort () at abort.c:92 #2 0x00007f7704283e14 in assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>) at ./main.c:219 #3 0x00007f7702c3a89a in isc_assertion_failed (file=<value optimized out>, line=<value optimized out>, type=<value optimized out>, cond=<value optimized out>) at assertions.c:57 #4 0x00007f76fd8f8aa8 in get_match_type (policy_str=<value optimized out>, zone=0x7f76f832beb0) at acl.c:234 #5 acl_configure_zone_ssutable (policy_str=<value optimized out>, zone=0x7f76f832beb0) at acl.c:417 #6 0x00007f76fd901331 in ldap_parse_zoneentry (entry=0x7f77042066a0, inst=0x7f7704226f10) at ldap_helper.c:1022 #7 0x00007f76fd901bcd in refresh_zones_from_ldap (ldap_inst=0x7f7704226f10) at ldap_helper.c:1161 #8 0x00007f76fd906214 in manager_create_db_instance (mctx=0x7f7705eb6250, name=<value optimized out>, argv=<value optimized out>, dyndb_args=<value optimized out>) at zone_manager.c:183 #9 0x00007f76fd8fac19 in dynamic_driver_init (mctx=0x7f7705eb6250, name=0x7f77042161f0 "ipa", argv=0x7f77041ff330, dyndb_args=0x7f7704202550) at ldap_driver.c:1329 #10 0x00007f7703ae2de6 in dns_dynamic_db_load (libname=<value optimized out>, name=0x7f77042161f0 "ipa", mctx=0x7f7705eb6250, argv=0x7f77041ff330, dyndb_args=0x7f7704202550) at ./dynamic_db.c:232 #11 0x00007f77042a24dc in configure_dynamic_db (view=0x7f76f8111550, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7f77042161f0, bindkeys=0x7f77042161f8, mctx=0x7f7705eb6250, actx=0x7f7704202090, need_hints=isc_boolean_true) at server.c:1210 #12 configure_view (view=0x7f76f8111550, config=<value optimized out>, vconfig=<value optimized out>, cachelist=0x7f77042161f0, bindkeys=0x7f77042161f8, mctx=0x7f7705eb6250, actx=0x7f7704202090, need_hints=isc_boolean_true) at server.c:2784 #13 0x00007f77042a57b5 in load_configuration (filename=0x7f7700518850 "\370\005#\004w\177", server=0x7f770420d010, first_time=isc_boolean_true) at server.c:4912 #14 0x00007f77042a6bb5 in run_server (task=<value optimized out>, event=0x0) at server.c:5381 #15 0x00007f7702c592f8 in dispatch (uap=0x7f7704204010) at task.c:1012 #16 run (uap=0x7f7704204010) at task.c:1157 #17 0x00007f770260e851 in start_thread (arg=0x7f7700519700) at pthread_create.c:301 #18 0x00007f7701b7111d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Match type 'zonesub' is not handled properly.
Workaround: Replace 'zonesub' with 'subdomain' match type. E.g. for zone 'example.com' use following update policy: grant keyname subdomain example.com;
Result: Update requests signed by key 'keyname' are allowed to change all records in zone 'example.com'.
Moved as instructed in ipa-out-of-band-triage-3-19-13.
Pushed to
Metadata Update from @pspacek: - Issue assigned to pspacek - Issue set to the milestone: Fedora 19
Login to comment on this ticket.