The Basics
Id: 39893
Status: resolved
Priority: 50/50
Queue: bind9-public

People
Bug Information
Version Fixed: 9.9.11, 9.9.11-S1, 9.10.6, 9.10.6-S1, 9.11.2, 9.12.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Utilities
Area: bug

Dates
Created: Fri, 26 Jun 2015 10:51:54 -0400
Updated: Fri, 28 Jul 2017 23:43:57 -0400
Closed: Thu, 20 Apr 2017 12:31:23 -0400


Subject: nsupdate: Queries for TKEY are sent to wrong server when using GSSAPI
Date: Fri, 26 Jun 2015 16:51:42 +0200
To: bind9-bugs@isc.org
From: "Tomas Hozza" <thozza@redhat.com>
Hi.

While testing fix for [ISC-Bugs #39840] I found another issue in nsupdate.

If using GSSAPI, then queries for TKEY are always sent to the servers specified in /etc/resolv.conf instead of to the master server for the zone. If the server is specified explicitly with the 'server' option, queries are sent to the correct server.

The problem is that the code in GSSAPI-specific paths was not modified to cope with changes done in upstream ticket RT#37925, especially the use of master_servers instead of servers.

I'm attaching packet dumps to illustrate what happened:
- without fix and without explicit 'server' option
- without fix and with explicit 'server' option
- with fix without explicit 'server' option

I'm also attaching the patch I used and tested. Although I'm not sure if the code in recvgss() should be modified (as done by my patch), it seemed reasonable. As I understood the code, if the TKEY query to the first master_server failed, it should be sent to the second one, if there is any. Nevertheless the changes in start_gssrequest() are the key to fixing the issue.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com

Download explicit_server_update.pcap
application/vnd.tcpdump.pcap 3.3KiB

Download no_explicit_server_update.pcap
application/vnd.tcpdump.pcap 3KiB

Download no_explicit_server_update_with_fix.pcap
application/vnd.tcpdump.pcap 4.3KiB
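
The check that the three captures above illustrate, as an added example (not part of the original report and not BIND code): it parses raw DNS query payloads, picks out TKEY (type 249) questions, and lists those whose destination is not one of the zone's master servers. The `(dst_ip, payload)` input shape, the function names, the addresses and the key name are assumptions, and the sample packets are constructed.

```python
import struct

TKEY = 249  # DNS RR type TKEY (RFC 2930), used for GSS-TSIG key negotiation

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, qname, qtype, qclass=1):
    """Build a minimal one-question DNS query (used only for the sample data)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (qname, qtype) for a query's first question, or None."""
    if len(msg) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0 or pos + 1 + length > len(msg):
            return None                    # compression pointer or truncated label
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(msg):                 # need root byte + type + class
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype

def find_misdirected_tkey(packets, master_ips):
    """List (dst_ip, qname) for TKEY queries not addressed to a master."""
    hits = []
    for dst_ip, payload in packets:
        question = parse_question(payload)
        if question and question[1] == TKEY and dst_ip not in master_ips:
            hits.append((dst_ip, question[0]))
    return hits

# Constructed sample traffic using documentation-range addresses.
RESOLVER, MASTER = "192.0.2.53", "198.51.100.10"
KEYNAME = "3141592.sig-ns1.example.test."
SAMPLE = [
    (RESOLVER, build_query(1, "example.test.", 6)),   # SOA lookup via resolver
    (RESOLVER, build_query(2, KEYNAME, TKEY, 255)),   # TKEY to resolv.conf server
    (MASTER, build_query(3, KEYNAME, TKEY, 255)),     # TKEY to zone master
    (RESOLVER, b"\x00\x04\x00\x00\x00\x01"),          # truncated payload, ignored
]
```

Calling `find_misdirected_tkey(SAMPLE, {MASTER})` returns the one TKEY query that went to the resolver; feeding it UDP/TCP port 53 payloads extracted from a real capture is left to whatever pcap reader is in use.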

Subject: Re: [ISC-Bugs #39893] AutoReply: nsupdate: Queries for TKEY are sent to wrong server when using GSSAPI
Date: Fri, 4 Nov 2016 14:46:53 +0100
To: bind9-bugs@isc.org
From: "Tomas Hozza" <thozza@redhat.com>
Hello.

Any updates on this issue? The bug is causing issues to FreeIPA project in Fedora, which uses nsupdate. I would like to kindly ask you to review the patch I sent with the original report. If there are any changes needed for the fix to be merged, please let me know.

Thank you.

Regards,
--
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL

PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc. http://cz.redhat.com
CC: mbasti@redhat.com, "Petr Mensik" <pemensik@redhat.com>
Subject: Re: [ISC-Bugs #39893] AutoReply: nsupdate: Queries for TKEY are sent to wrong server when using GSSAPI
Date: Wed, 1 Mar 2017 13:25:27 +0100
To: bind9-bugs@isc.org
From: "Tomas Hozza" <thozza@redhat.com>
Hello.

Any updates on this issue? I would like to ask if there is anything blocking the merge of the patch I provided in the initial report?

Thank you.

Regards,
--
Tomas Hozza
Associate Manager, Software Engineering - EMEA ENG Mainstream RHEL

PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc. http://cz.redhat.com
My apologies, Tomas, we seem to have lost track of this ticket. I'll review it soon. (BTW I've updated the subject header to include [PATCH].)
4588. [bug] nsupdate could send queries for TKEY to the wrong server when using GSSAPI. Thanks to Tomas Hozza. [RT #39893] 9.12, 9.11.2, 9.10.6, 9.9.10