0017761: Set allow-recursion by default in IPA DNS - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017761	CentOS-8	ipa	public	2020-09-29 10:56	2020-12-20 21:26

Reporter	gtuminauskas	Assigned To
Priority	normal	Severity	tweak	Reproducibility	always
Status	new	Resolution	open
Product Version	8.2.2004

Summary	0017761: Set allow-recursion by default in IPA DNS
Description	named service has missing option: ``` // Any host is permitted to issue recursive queries allow-recursion { any; }; ``` This is the same bug, which was fixed many years ago https://pagure.io/freeipa/issue/1335 https://bugzilla.redhat.com/show_bug.cgi?id=713798
Steps To Reproduce	Query originator: 10.1.1.2/24 IDM/Named: 10.1.2.2/24 When checking a DNS 'A' record from a different subnet than the IDM server resides, it answers only for zones which it has locally Named does not answer queries returned by global forwarders to other local subnets
Additional Information	# rpm -qi ipa-server \| head Name : ipa-server Version : 4.8.4 Release : 7.module_el8.2.0+374+0d2d74a1 Architecture: x86_64 Install Date: Mon 28 Sep 2020 10:07:57 AM EEST Group : Unspecified Size : 1082187 License : GPLv3+ Signature : RSA/SHA256, Sun 31 May 2020 12:28:39 AM EEST, Key ID 05b555b38483c65d Source RPM : ipa-4.8.4-7.module_el8.2.0+374+0d2d74a1.src.rpm # uname -srvmpio Linux 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Tags	"freeipa", "ipa", "named"

alatteri 2020-12-16 22:12 reporter ~0038093	I'd like to jump on here with a #metoo

gtuminauskas 2020-12-18 12:29 reporter ~0038108	it may not be a bug, but misconfiguration can be fixed this way: tail -1 /etc/named/ipa-options-ext.conf ``` allow-recursion { any; }; ```

alatteri 2020-12-19 11:24 reporter ~0038115	Yes, that is what I am doing too. But as you pointed out, it seems to have been added to RHEL IPA almost 10 years ago. Don't know if it got dropped along the way after that, or never added to CentOS iPA.

alatteri 2020-12-19 11:32 reporter ~0038116	Looks like this was removed in IPA 4.8. I don't know if that was accidental or on purpose. There is this. https://pagure.io/freeipa/issue/6363

alatteri 2020-12-19 11:33 reporter ~0038117	and this https://bugzilla.redhat.com/show_bug.cgi?id=1319404#c2

alatteri 2020-12-19 11:36 reporter ~0038118	this is the commit that removed: https://pagure.io/freeipa/c/a5cbdb57e50cfc62f61affda19ce878b2abd33de?branch=master

alatteri 2020-12-19 11:38 reporter ~0038119	sorry, it is thus one: https://pagure.io/freeipa/c/6c2710446718828e6840ac34ea6fc704ae6790db?branch=master

gtuminauskas 2020-12-20 21:22 reporter ~0038125	I guess, my description was not right after all, it supposed to be like this for local trusted networks: allow-recursion {trusted_network;localnets;}; though, when querying ipa named for PTR, it returns an empty record host@10.1.1.2# dig a google.com @192.168.0.2 so basically, what was removed, it disallows recursion queries even for localnets :/

gtuminauskas 2020-12-20 21:26 reporter ~0038126	Both commands return empty answers: ``` host@10.1.1.2# dig a one.one.one.one @192.168.0.2 host@10.1.1.2# dig -x 1.1.1.1 @192.168.0.2 ```

Date Modified	Username	Field	Change
2020-09-29 10:56	gtuminauskas	New Issue
2020-09-29 10:56	gtuminauskas	Tag Attached: "freeipa"
2020-09-29 10:56	gtuminauskas	Tag Attached: "ipa"
2020-09-29 10:56	gtuminauskas	Tag Attached: "named"
2020-12-16 22:12	alatteri	Note Added: 0038093
2020-12-18 12:29	gtuminauskas	Note Added: 0038108
2020-12-19 11:24	alatteri	Note Added: 0038115
2020-12-19 11:32	alatteri	Note Added: 0038116
2020-12-19 11:33	alatteri	Note Added: 0038117
2020-12-19 11:36	alatteri	Note Added: 0038118
2020-12-19 11:38	alatteri	Note Added: 0038119
2020-12-20 21:22	gtuminauskas	Note Added: 0038125
2020-12-20 21:26	gtuminauskas	Note Added: 0038126