#1106 Add input validation for DNS record data
Closed: Fixed. Opened 13 years ago by rcritten.

After creating an AFSDB record with ipa dnsrecord-add, the record does not seem to be resolvable by dig.

  1. ipa dnsrecord-add newzone afsdb --afsdb-rec "interesting.zone.com."
  2. dig AFSDB afsdb.newzone

;; QUESTION SECTION:
;afsdb.newzone. IN AFSDB

https://bugzilla.redhat.com/show_bug.cgi?id=688765
https://bugzilla.redhat.com/show_bug.cgi?id=750947


Invalid syntax of the AFSDB record was used. RFC 1183 states that AFSDB has the following format:

   <owner> <ttl> <class> AFSDB <subtype> <hostname>

The <subtype> field in the AFSDB record was missing. When I added the <subtype> field, the record is correctly resolvable by dig:

$ ipa dnsrecord-add example.com afsdbrec --afsdb-rec="0 interesting.zone.com."
  Record name: afsdbrec
  AFSDB record: 0 interesting.zone.com.

# dig -t AFSDB afsdbrec.example.com

; <<>> DiG 9.7.3-RedHat-9.7.3-1.el6 <<>> -t AFSDB afsdbrec.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;afsdbrec.example.com.      IN  AFSDB

;; ANSWER SECTION:
afsdbrec.example.com.   86400   IN  AFSDB   0 interesting.zone.com.

;; AUTHORITY SECTION:
example.com.        86400   IN  NS  vm-111.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-111.idm.lab.bos.redhat.com. 86400 IN A   10.16.78.111

;; Query time: 2 msec
;; SERVER: 10.16.78.111#53(10.16.78.111)
;; WHEN: Mon Mar 21 06:11:41 2011
;; MSG SIZE  rcvd: 130

Closing the ticket as invalid.

Still waiting for review, pushing to October sprint.

Moving the ticket to the next month iteration.

There was an interesting comment in https://bugzilla.redhat.com/show_bug.cgi?id=750947:

Adam Tkac 2011-11-04 05:09:58 EDT
(In reply to comment #4)
> That's a good question.
> 
> Adam, do you think that we could modify bind-dyndb-ldap to ignore the invalid
> DNS record instead of breaking the whole zone? Is it a good idea?

It should be possible to ignore an invalid record with a warning. However, I'm not
sure this is the right thing.

When a user tries to add a bad record, I think he expects an immediate error
message, not a run-time error message from named in /var/log/messages...

Currently I see two correct ways to deal with this:

1. don't modify records directly in LDAP, use the nsupdate utility instead.
This way you can catch bad records early (named validates each DDNS update sent
via nsupdate). Btw I think this is the right way if I think about serving
DNSSEC-signed zones from IPA. If you modify records in LDAP, you must also
create/modify their signatures. BIND can do this for us, so why not use it...

2. implement some kind of checking in the ipa utility. In my opinion this is a
more painful way than "1.", especially when thinking about DNSSEC, because you
will have to compute & create signatures.
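The following is an added example, not code from the ticket or from FreeIPA itself. It sketches what option 2 above (checking in the ipa utility) means for the AFSDB case described earlier in this ticket: RFC 1183 RDATA is `<subtype> <hostname>`, so the value `interesting.zone.com.` from the original report (no subtype) must be rejected before it is written to LDAP, while `0 interesting.zone.com.` must be accepted. The function names `parse_afsdb`, `validate_hostname` and `check_afsdb_rdata` are hypothetical; the hostname rules applied are the RFC 1035 label limits (1 to 63 octets per label, 255 total, letters, digits and interior hyphens only), and the sample inputs are constructed for the demonstration.

```python
import re
from typing import Tuple

# RFC 1183 AFSDB RDATA in presentation format: "<subtype> <hostname>"
#   subtype  - 16-bit unsigned integer (1 = AFS cell DB server, 2 = DCE/NCA root cell)
#   hostname - a domain name; a trailing dot marks it as fully qualified

# One RFC 1035 label: starts and ends with a letter or digit, interior hyphens
# allowed, 1..63 octets in total.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_UINT_RE = re.compile(r"^[0-9]+$")  # ASCII digits only; str.isdigit() accepts more


def validate_hostname(name: str) -> str:
    """Reject names that named would refuse to load: empty, too long,
    empty labels (e.g. 'a..example.'), or labels with a leading/trailing
    hyphen or other disallowed characters. Returns the name unchanged."""
    if not name:
        raise ValueError("hostname is empty")
    if len(name) > 255:
        raise ValueError("hostname longer than 255 octets")
    # Strip a single trailing dot so "example.com." yields ["example", "com"]
    labels = (name[:-1] if name.endswith(".") else name).split(".")
    for label in labels:
        if not label:
            raise ValueError(f"empty label in hostname {name!r}")
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r} in hostname {name!r}")
    return name


def parse_afsdb(rdata: str) -> Tuple[int, str]:
    """Split and validate AFSDB RDATA. Raises ValueError with a message
    that a CLI can show immediately, instead of leaving a record in LDAP
    that only fails later when named loads the zone."""
    fields = rdata.split()
    if len(fields) != 2:
        raise ValueError(
            f"AFSDB record must be '<subtype> <hostname>', got {rdata!r}"
        )
    subtype_str, hostname = fields
    if not _UINT_RE.match(subtype_str):
        raise ValueError(f"AFSDB subtype must be an unsigned integer, got {subtype_str!r}")
    subtype = int(subtype_str)
    if subtype > 0xFFFF:
        raise ValueError(f"AFSDB subtype {subtype} does not fit in 16 bits")
    return subtype, validate_hostname(hostname)


def check_afsdb_rdata(rdata: str) -> Tuple[bool, str]:
    """Convenience wrapper returning (ok, message) so a caller can decide
    whether to proceed with the LDAP write or print the error."""
    try:
        subtype, hostname = parse_afsdb(rdata)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{subtype} {hostname}"


if __name__ == "__main__":
    # Constructed inputs: the value from the original report, the corrected
    # value from the follow-up, and a few other malformed variants.
    samples = [
        "interesting.zone.com.",      # missing subtype (the bug in this ticket)
        "0 interesting.zone.com.",    # valid
        "70000 afs.example.com.",     # subtype overflows 16 bits
        "1 -bad.example.com.",        # label may not start with a hyphen
        "1 a..example.com.",          # empty label
    ]
    for sample in samples:
        ok, msg = check_afsdb_rdata(sample)
        print(f"{'OK  ' if ok else 'FAIL'} {sample!r}: {msg}")
```

Running this on the value from the original report fails with "AFSDB record must be '<subtype> <hostname>'", which is the immediate error the comment above asks for; the check runs client-side and does nothing about the DNSSEC signing concern raised in the same comment.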

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Core Effort - 2011/11
