View Issue Details

ID: 0017761
Project: CentOS-8
Category: ipa
View Status: public
Last Update: 2020-12-20 21:26
Reporter: gtuminauskas
Assigned To: (none)
Priority: normal
Severity: tweak
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.2.2004
Summary: 0017761: Set allow-recursion by default in IPA DNS
Description: the named service is missing this option:
```
// Any host is permitted to issue recursive queries
    allow-recursion { any; };
```


This is the same bug that was fixed many years ago:
https://pagure.io/freeipa/issue/1335
https://bugzilla.redhat.com/show_bug.cgi?id=713798

Steps To Reproduce:
Query originator: 10.1.1.2/24
IDM/Named: 10.1.2.2/24
When checking a DNS 'A' record from a different subnet than the one the IDM server resides in, it answers only for zones it has locally.
Named does not answer queries returned by global forwarders to other local subnets.
Additional Information:
```
# rpm -qi ipa-server | head
Name : ipa-server
Version : 4.8.4
Release : 7.module_el8.2.0+374+0d2d74a1
Architecture: x86_64
Install Date: Mon 28 Sep 2020 10:07:57 AM EEST
Group : Unspecified
Size : 1082187
License : GPLv3+
Signature : RSA/SHA256, Sun 31 May 2020 12:28:39 AM EEST, Key ID 05b555b38483c65d
Source RPM : ipa-4.8.4-7.module_el8.2.0+374+0d2d74a1.src.rpm

# uname -srvmpio
Linux 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```

Tags: "freeipa", "ipa", "named"

Activities

alatteri
2020-12-16 22:12
reporter   ~0038093

I'd like to jump on here with a #metoo

gtuminauskas
2020-12-18 12:29
reporter   ~0038108

It may not be a bug, but a misconfiguration.
It can be fixed this way:

tail -1 /etc/named/ipa-options-ext.conf
```
allow-recursion { any; };
```

alatteri
2020-12-19 11:24
reporter   ~0038115

Yes, that is what I am doing too. But as you pointed out, it seems to have been added to RHEL IPA almost 10 years ago. I don't know if it got dropped along the way after that, or was never added to CentOS IPA.

alatteri
2020-12-19 11:32
reporter   ~0038116

Looks like this was removed in IPA 4.8. I don't know if that was accidental or on purpose.
There is this: https://pagure.io/freeipa/issue/6363

alatteri
2020-12-19 11:33
reporter   ~0038117

And this: https://bugzilla.redhat.com/show_bug.cgi?id=1319404#c2

alatteri
2020-12-19 11:36
reporter   ~0038118

This is the commit that removed it:
https://pagure.io/freeipa/c/a5cbdb57e50cfc62f61affda19ce878b2abd33de?branch=master

alatteri
2020-12-19 11:38
reporter   ~0038119

Sorry, it is this one:
https://pagure.io/freeipa/c/6c2710446718828e6840ac34ea6fc704ae6790db?branch=master

gtuminauskas
2020-12-20 21:22
reporter   ~0038125

I guess my description was not right after all; it is supposed to be like this for local trusted networks:
```
allow-recursion {trusted_network;localnets;};
```

Though, when querying ipa named for PTR, it returns an empty record:
```
host@10.1.1.2# dig a google.com @192.168.0.2
```

So basically, what was removed disallows recursive queries even for localnets :/

gtuminauskas
2020-12-20 21:26
reporter   ~0038126

Both commands return empty answers:
```
host@10.1.1.2# dig a one.one.one.one @192.168.0.2
host@10.1.1.2# dig -x 1.1.1.1 @192.168.0.2
```
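
Added example, not part of this bug report or of FreeIPA: a Python check that reads named configuration text and reports whether allow-recursion is open to any host, restricted to an ACL or local networks, or unset, in which case BIND's own default of localnets plus localhost applies. The sample configurations and the trusted_network ranges in them are constructed.

```python
import re

# BIND 9's compiled-in default when allow-recursion is not set at all.
BIND_DEFAULT = ("localnets", "localhost")

# Strip //, # and /* */ comments so a commented-out option is not counted.
_COMMENT_RE = re.compile(r"//.*?$|#.*?$|/\*.*?\*/", re.M | re.S)
_ACL_RE = re.compile(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
_RECURSION_RE = re.compile(r"allow-recursion\s*\{([^}]*)\}\s*;")


def _split_list(body):
    # Turn the contents of '{ a; b; }' into ['a', 'b'].
    return [item.strip().strip('"') for item in body.split(";") if item.strip()]


def classify_recursion(config_text):
    """Return (status, elements) for allow-recursion in named config text.

    status is 'open' when any host may recurse, 'restricted' when the list is
    limited to ACLs/networks, or 'default' when the option is absent.
    Named ACLs are expanded one level, so 'acl t { any; }' is still caught.
    """
    text = _COMMENT_RE.sub("", config_text)
    acls = {name: _split_list(body) for name, body in _ACL_RE.findall(text)}
    match = _RECURSION_RE.search(text)
    if match is None:
        return "default", list(BIND_DEFAULT)
    expanded = []
    for element in _split_list(match.group(1)):
        expanded.extend(acls.get(element, [element]))
    return ("open" if "any" in expanded else "restricted"), expanded


# Constructed samples (not taken from the bug report) covering the three cases.
OPEN_RESOLVER = """
options {
    // Any host is permitted to issue recursive queries
    allow-recursion { any; };
};
"""
RESTRICTED = """
acl "trusted_network" { 10.1.0.0/16; 192.168.0.0/24; };
options {
    allow-recursion { trusted_network; localnets; };
};
"""
UNSET = """
options {
    // allow-recursion { any; };  commented out, so BIND's default applies
};
"""
```

Feed it the concatenated text of named.conf and the ipa-options-ext.conf file mentioned above to see which of the three states a server is in.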

Issue History

Date Modified Username Field Change
2020-09-29 10:56 gtuminauskas New Issue
2020-09-29 10:56 gtuminauskas Tag Attached: "freeipa"
2020-09-29 10:56 gtuminauskas Tag Attached: "ipa"
2020-09-29 10:56 gtuminauskas Tag Attached: "named"
2020-12-16 22:12 alatteri Note Added: 0038093
2020-12-18 12:29 gtuminauskas Note Added: 0038108
2020-12-19 11:24 alatteri Note Added: 0038115
2020-12-19 11:32 alatteri Note Added: 0038116
2020-12-19 11:33 alatteri Note Added: 0038117
2020-12-19 11:36 alatteri Note Added: 0038118
2020-12-19 11:38 alatteri Note Added: 0038119
2020-12-20 21:22 gtuminauskas Note Added: 0038125
2020-12-20 21:26 gtuminauskas Note Added: 0038126