#197 Records of type UnknownRecord can be created but not queried
Opened 3 years ago by jasperroloff. Modified 3 years ago

Problem

What does not work as expected?

When creating a CAA RR using nsupdate, it will be saved in LDAP under the key UnknownRecord;type257, but when querying, nothing is returned.

Workaround

If I create the record manually, but with UnknownRecord;type257record as key, it can be queried as expected.

I found this out after looking into the source code in src/ldap_convert.c (maybe there is something wrong with the prefix/suffix logic in the ldap_attribute_to_rdatatype method).

Is your problem related to a single DNS zone or a DNS record?

I've only tried it with a single record in a single zone.

Steps to Reproduce

  • obtain kerberos credentials
[root@ipa-1 ~]# kinit admin
Password for admin@EXAMPLE.ORG: 
  • use nsupdate to create the record (BIND update policy has to exist for the zone: grant admin@EXAMPLE.ORG name example.org. CAA;):
[root@ipa-1 ~]# nsupdate -g
> update add example.org. 3600 CAA 0 issue "letsencrypt.org"
> send
> quit
  • ensure that the record has been created in LDAP (output shortened):
[root@ipa-1 ~]# ldapsearch -b idnsname=example.org.,cn=dns,dc=example,dc=org -s base
...
# example.org., dns, example.org
dn: idnsname=example.org.,cn=dns,dc=example,dc=org
...
UnknownRecord;type257: \# 22 000569737375656C657473656E63727970742E6F7267
...
  • query the created record using dig
[root@ipa-1 ~]# dig example.org. CAA @localhost +short
[root@ipa-1 ~]# 

Attach any error messages or other suspicious information you see in logs. E.g. in /var/named/data/named.run or /var/log/messages.

When creating the record, the following message appears in the log:

Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: client @0x7f0cc003fd30 <IPADDRESS> #58223/key admin\@EXAMPLE:ORG: updating zone 'example.org/IN': adding an RR at 'example.org' CAA 0 issue "letsencrypt.org"
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: LDAP error: Insufficient access: Insufficient 'write' privilege to the 'caarecord' attribute of entry 'idnsname=example.org.,cn=dns,dc=example,dc=org'.
                                                         : while modifying(add) entry 'idnsname=example.org.,cn=dns,dc=example,dc=org'
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: zone example.org/IN (signed): serial 1602446268 (unsigned 1602446268)
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: zone example.org/IN (signed): serial 1602446523 (unsigned 1602446523)

Despite the error message, the record has been created in LDAP (as UnknownRecord;type257 instead of caarecord, though). But when querying, it seems not to exist (also, no error message appears while querying).

Environment

  • Plugin version: bind-dyndb-ldap-11.3-2.fc32.x86_64

  • Version of BIND: bind-9.11.22-1.fc32.x86_64

  • Distribution and version (i.e. including updates): Fedora release 32

  • Architecture: x86_64

  • Do you use bind-dyndb-ldap as part of FreeIPA installation? Yes: freeipa-server-dns-4.8.9-2.fc32.noarch

  • Include dyndb (dynamic-db) section from configuration file /etc/named.conf:

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-ORG.socket";
    base "cn=dns,dc=example,dc=org";
    server_id "ipa-1.example.org";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipa-1.example.org";
};
  • Do you have some other text based or DLZ zones configured? No

  • Do you have some global forwarders configured in BIND configuration file? No

  • Do you have some settings in global configuration object in LDAP? No
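
The following is an added example and is not part of the issue text, nor code from bind-dyndb-ldap or FreeIPA. It does two things a reader of this report would want to check. First, it decodes the LDAP value shown above (`\# 22 0005...`, which is the RFC 3597 generic RDATA text form: a declared octet count followed by hex) into CAA fields, confirming that what landed in LDAP really is `0 issue "letsencrypt.org"`. Second, it models the reporter's hypothesis about the attribute-name handling: `attr_to_rdatatype` is a hypothetical mapping, written as an assumption for illustration and not taken from src/ldap_convert.c, in which the `record` suffix is stripped before the `UnknownRecord;type<N>` form is recognised. Under that assumption `UnknownRecord;type257record` maps to type 257 while `UnknownRecord;type257` maps to nothing, which mirrors the observed behaviour. The names `KNOWN_TYPES`, `parse_generic_rdata`, `decode_caa`, `caa_presentation` and `attr_to_rdatatype` are all this example's own.

```python
r"""Decode the CAA record stored as generic RDATA and model the attribute-name lookup.

Added example, not code from bind-dyndb-ldap or FreeIPA. Generic RDATA text
(RFC 3597) is:   \#  <octet count>  <hex octets>
CAA RDATA (RFC 8659) is: flags (1 octet), tag length (1 octet), tag, value.
"""
import re

# Copied from the ldapsearch output in the issue; used here as constructed input.
LDAP_VALUE = r"\# 22 000569737375656C657473656E63727970742E6F7267"
ATTR_NAME = "UnknownRecord;type257"

# Assumption for this example: the only "<mnemonic>record" attribute we need.
KNOWN_TYPES = {"caa": 257}


def parse_generic_rdata(text: str) -> bytes:
    r"""Parse RFC 3597 `\# <len> <hex>` text into raw RDATA, checking the declared length."""
    m = re.fullmatch(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)", text.strip())
    if not m:
        raise ValueError(f"not generic RDATA text: {text!r}")
    declared = int(m.group(1))
    raw = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(raw) != declared:
        raise ValueError(f"declared {declared} octets but found {len(raw)}")
    return raw


def decode_caa(rdata: bytes):
    """Split CAA RDATA into (flags, tag, value); reject a tag length that overruns the data."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA needs at least the flags and tag-length octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError(f"bad CAA tag length {tag_len} for {len(rdata)} octets")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def caa_presentation(rdata: bytes) -> str:
    """Render CAA RDATA in the presentation format dig would print."""
    flags, tag, value = decode_caa(rdata)
    return f'{flags} {tag} "{value}"'


def attr_to_rdatatype(attr: str):
    """Hypothetical model (an assumption, not the plugin's logic): lower-case the
    attribute name, require a trailing 'record', then accept either a known
    mnemonic or 'unknownrecord;type<N>' before that suffix. Returns the RR type
    number, or None when the name is not recognised."""
    name = attr.lower()
    if not name.endswith("record"):
        return None  # no suffix: unrecognised, which is the reported symptom
    stem = name[: -len("record")]
    if stem in KNOWN_TYPES:
        return KNOWN_TYPES[stem]
    m = re.fullmatch(r"unknownrecord;type(\d+)", stem)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    raw = parse_generic_rdata(LDAP_VALUE)
    print("stored RDATA decodes to:", caa_presentation(raw))
    for key in (ATTR_NAME, ATTR_NAME + "record", "caarecord"):
        print(f"{key!r:35} -> type {attr_to_rdatatype(key)}")
```

Running it shows that the bytes in LDAP are a well-formed CAA record (flags 0, tag `issue`, value `letsencrypt.org`, 1 + 1 + 5 + 15 = 22 octets), so the missing answer from dig is not a data-encoding problem; under the modelled suffix handling, only the key ending in `record` resolves to type 257.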

