To limit the security issues of krb5-subdomain and ms-subdomain update policies on DNS zones, two new keywords are added to BIND9 to better control the dynamic updates.
There's a CVE regarding this issue: https://kb.isc.org/docs/cve-2018-5741
The patch already exists in the BIND9 shipped with the latest IPA, but the IPA interface does not recognise those keywords.
FreeIPA does not recognise those keywords:

```
May 23 20:06:18 idm1 named-pkcs11[4237]: bug in get_match_type(): unsupported match type 'krb5-selfsub'
May 23 20:06:18 idm1 named-pkcs11[4237]: zone 21.172.in-addr.arpa/IN: disabling all updates because of error in update policy configuration: not implemented
May 23 20:06:18 idm1 named-pkcs11[4237]: update_zone (syncrepl) failed for master zone DN 'idnsname=21.172.in-addr.arpa.,cn=dns,dc=nix,dc=example,dc=com'. Zones can be outdated, run rndc reload: not implemented
```
rndc reload
They have already been implemented since BIND 9.11.5.
From the same CVE link, this is stated:
These new update-policy options will debut in the next set of maintenance releases scheduled for the BIND 9.11 and 9.12 branches (as well as the BIND 9.13 development branch) and should be available to users in October 2018.
- BIND 9.11.5
- BIND 9.12.3
Dynamic DNS is disabled due to unknown keywords.
Properly enable the selfsub keywords for more secure updates.
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-client-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
389-ds-base-1.4.2.4-8.module+el8.2.0+5959+cfcaedbd.x86_64
pki-ca-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
krb5-server-1.17-18.el8.x86_64
```
NONE
FreeIPA does not perform any analysis of the BIND ACI. It passes the string as it is, and it is then parsed and validated by bind-dyndb-ldap before it is acted on by BIND.
Please open a ticket at https://pagure.io/bind-dyndb-ldap
Metadata Update from @abbra:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
List of currently supported variants by bind-dyndb-ldap:
```c
MATCH("name", DNS_SSUMATCHTYPE_NAME);
MATCH("subdomain", DNS_SSUMATCHTYPE_SUBDOMAIN);
MATCH("zonesub", DNS_SSUMATCHTYPE_SUBDOMAIN);
MATCH("wildcard", DNS_SSUMATCHTYPE_WILDCARD);
MATCH("self", DNS_SSUMATCHTYPE_SELF);
#if defined(DNS_SSUMATCHTYPE_SELFSUB) && defined(DNS_SSUMATCHTYPE_SELFWILD)
MATCH("selfsub", DNS_SSUMATCHTYPE_SELFSUB);
MATCH("selfwild", DNS_SSUMATCHTYPE_SELFWILD);
#endif
#ifdef DNS_SSUMATCHTYPE_SELFMS
MATCH("ms-self", DNS_SSUMATCHTYPE_SELFMS);
#endif
#ifdef DNS_SSUMATCHTYPE_SELFKRB5
MATCH("krb5-self", DNS_SSUMATCHTYPE_SELFKRB5);
#endif
#ifdef DNS_SSUMATCHTYPE_SUBDOMAINMS
MATCH("ms-subdomain", DNS_SSUMATCHTYPE_SUBDOMAINMS);
#endif
#ifdef DNS_SSUMATCHTYPE_SUBDOMAINKRB5
MATCH("krb5-subdomain", DNS_SSUMATCHTYPE_SUBDOMAINKRB5);
#endif
#if defined(DNS_SSUMATCHTYPE_TCPSELF) && defined(DNS_SSUMATCHTYPE_6TO4SELF)
MATCH("tcp-self", DNS_SSUMATCHTYPE_TCPSELF);
MATCH("6to4-self", DNS_SSUMATCHTYPE_6TO4SELF);
#endif
#if defined(DNS_SSUMATCHTYPE_EXTERNAL)
MATCH("external", DNS_SSUMATCHTYPE_EXTERNAL);
#endif
```
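As an added illustration of the two points made in this thread (the match-type table quoted above, and the log lines in the report showing that one unrecognised keyword disables all updates for the zone), the script below checks an update-policy string before it is written into LDAP. It is not code from the issue, from FreeIPA or from bind-dyndb-ldap. It assumes that the policy uses the BIND `grant <identity> <match-type> [<name>] [<types>]` grammar, and the sample policies (realm `EXAMPLE.COM`, zone `example.com.`) are constructed for the example, modelled on the FreeIPA default of `krb5-self` grants for A, AAAA and SSHFP.

```python
import re

# Match types accepted by bind-dyndb-ldap's get_match_type(), taken from the
# table quoted in the thread. The names guarded by #ifdef there are only
# present when the plugin was built against BIND headers that define them;
# this set assumes they all are.
SUPPORTED_MATCH_TYPES = frozenset({
    "name", "subdomain", "zonesub", "wildcard", "self",
    "selfsub", "selfwild",
    "ms-self", "krb5-self",
    "ms-subdomain", "krb5-subdomain",
    "tcp-self", "6to4-self",
    "external",
})
# The keywords BIND 9.11.5 / 9.12.3 added for CVE-2018-5741 (krb5-selfsub,
# ms-selfsub) are absent from that table, which is what produces the
# "unsupported match type" error in the report.

# Realm-wide subdomain grants: any machine principal in the realm may update
# any name under the rule's name field, the scope the CVE advisory discusses.
BROAD_KEYWORDS = frozenset({"krb5-subdomain", "ms-subdomain"})

# grant|deny <identity> <match-type> [<name>] [<rr types...>]
RULE_RE = re.compile(
    r"^(?P<action>grant|deny)\s+(?P<identity>\S+)\s+(?P<match_type>\S+)"
    r"(?:\s+(?P<name>\S+))?(?:\s+(?P<types>.+))?$"
)


def parse_policy(policy):
    """Split a semicolon-separated update policy into one dict per rule."""
    rules = []
    for stmt in policy.split(";"):
        stmt = " ".join(stmt.split())  # collapse whitespace and newlines
        if not stmt:
            continue
        m = RULE_RE.match(stmt)
        if m is None:
            raise ValueError(f"unparseable update-policy rule: {stmt!r}")
        rule = m.groupdict()
        rule["types"] = rule["types"].split() if rule["types"] else []
        rules.append(rule)
    return rules


def check_policy(policy):
    """Classify the rules of an update-policy value.

    Returns a dict with:
      loads       - False if any match type is unknown to bind-dyndb-ldap; named
                    then disables *all* dynamic updates for the zone, as the log
                    lines in the report show
      unsupported - the unknown match types, in policy order
      broad       - supported rules that grant realm-wide subdomain updates
    """
    unsupported, broad = [], []
    for rule in parse_policy(policy):
        mt = rule["match_type"]
        if mt not in SUPPORTED_MATCH_TYPES:
            unsupported.append(mt)
        elif mt in BROAD_KEYWORDS:
            broad.append(f"{mt} {rule['name']}")
    return {"loads": not unsupported, "unsupported": unsupported, "broad": broad}


# Constructed sample policies (placeholder realm and zone).
DEFAULT_POLICY = (
    "grant EXAMPLE.COM krb5-self * A; "
    "grant EXAMPLE.COM krb5-self * AAAA; "
    "grant EXAMPLE.COM krb5-self * SSHFP;"
)
# The policy the reporter tried: a keyword this plugin build does not know.
SELFSUB_POLICY = "grant EXAMPLE.COM krb5-selfsub * A; grant EXAMPLE.COM krb5-self * AAAA;"
# Loads fine, but every machine principal in the realm may update the zone.
SUBDOMAIN_POLICY = "grant EXAMPLE.COM krb5-subdomain example.com. A AAAA;"

if __name__ == "__main__":
    for label, pol in (("default", DEFAULT_POLICY),
                       ("selfsub", SELFSUB_POLICY),
                       ("subdomain", SUBDOMAIN_POLICY)):
        print(f"{label:10s} {check_policy(pol)}")
```

Running the script shows the three outcomes side by side: the default policy loads with nothing flagged, the `krb5-selfsub` policy is reported as one that bind-dyndb-ldap will reject outright (so it would have disabled updates for the whole zone rather than merely ignoring that rule), and the `krb5-subdomain` policy loads but is flagged as a realm-wide grant worth reviewing.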
Hi @abbra, sorry for the mess, I didn't realise it was a bind-dyndb-ldap issue. I will report it there as requested.