View Issue Details
Field | Value
---|---
ID | 0017761
Project | CentOS-8
Category | ipa
View Status | public
Date Submitted | 2020-09-29 10:56
Last Update | 2020-12-20 21:26
Reporter | gtuminauskas
Assigned To | 
Priority | normal
Severity | tweak
Reproducibility | always
Status | new
Resolution | open
Product Version | 8.2.2004
Summary | 0017761: Set allow-recursion by default in IPA DNS
Tags | "freeipa", "ipa", "named"

Description

named service is missing the option:

```
// Any host is permitted to issue recursive queries
allow-recursion { any; };
```

This is the same bug, which was fixed many years ago:
https://pagure.io/freeipa/issue/1335
https://bugzilla.redhat.com/show_bug.cgi?id=713798

Steps To Reproduce

Query originator: 10.1.1.2/24
IDM/Named: 10.1.2.2/24

When checking a DNS 'A' record from a different subnet than the one the IDM server resides in, it answers only for zones which it has locally. Named does not answer queries returned by global forwarders to other local subnets.

Additional Information

```
# rpm -qi ipa-server | head
Name        : ipa-server
Version     : 4.8.4
Release     : 7.module_el8.2.0+374+0d2d74a1
Architecture: x86_64
Install Date: Mon 28 Sep 2020 10:07:57 AM EEST
Group       : Unspecified
Size        : 1082187
License     : GPLv3+
Signature   : RSA/SHA256, Sun 31 May 2020 12:28:39 AM EEST, Key ID 05b555b38483c65d
Source RPM  : ipa-4.8.4-7.module_el8.2.0+374+0d2d74a1.src.rpm
# uname -srvmpio
Linux 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```
I'd like to jump on here with a #metoo

it may not be a bug, but misconfiguration can be fixed this way:

tail -1 /etc/named/ipa-options-ext.conf

```
allow-recursion { any; };
```

Yes, that is what I am doing too. But as you pointed out, it seems to have been added to RHEL IPA almost 10 years ago. Don't know if it got dropped along the way after that, or never added to CentOS IPA.

Looks like this was removed in IPA 4.8. I don't know if that was accidental or on purpose. There is this: https://pagure.io/freeipa/issue/6363

and this: https://bugzilla.redhat.com/show_bug.cgi?id=1319404#c2

this is the commit that removed it: https://pagure.io/freeipa/c/a5cbdb57e50cfc62f61affda19ce878b2abd33de?branch=master

sorry, it is this one: https://pagure.io/freeipa/c/6c2710446718828e6840ac34ea6fc704ae6790db?branch=master

I guess my description was not right after all; it was supposed to be like this for local trusted networks:

```
allow-recursion {trusted_network;localnets;};
```

though, when querying ipa named for PTR, it returns an empty record:

```
host@10.1.1.2# dig a google.com @192.168.0.2
```

so basically, what was removed disallows recursion queries even for localnets :/

Both commands return empty answers:

```
host@10.1.1.2# dig a one.one.one.one @192.168.0.2
host@10.1.1.2# dig -x 1.1.1.1 @192.168.0.2
```
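As an added example (not from this thread, FreeIPA or BIND), here is a small Python model of how BIND evaluates an allow-recursion address-match list, so the `any` setting and the `trusted_network; localnets;` setting discussed above can be compared for the reporter's cross-subnet client (10.1.1.2, server on 10.1.2.2/24) and for an arbitrary internet address; the body of the `trusted_network` ACL is assumed, since the thread never shows it.

```python
import ipaddress
import re

# Constructed inputs: the two settings from the thread, an assumed "trusted_network" body, the server interface.
OPEN_CONF = "allow-recursion { any; };"
RESTRICTED_CONF = """
acl trusted_network { 10.1.0.0/16; };   // assumed body, not from the thread
allow-recursion { trusted_network; localnets; };
"""
SERVER_IFACES = ["10.1.2.2/24"]

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse_acls(conf):
    """Return {name: [elements]} for every 'acl name { ... };' statement."""
    return {m.group(1): _elements(m.group(2))
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)}

def parse_option(conf, name):
    """Return the element list of an option such as allow-recursion, or None."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}", conf)
    return _elements(m.group(1)) if m else None

def acl_allows(elements, client, acls, ifaces):
    """First matching element decides, as in BIND; '!' denies. Nested ACLs are plain match/no-match here."""
    nets = [ipaddress.ip_interface(i) for i in ifaces]
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":  # every client, i.e. an open resolver if the port is reachable
            hit = True
        elif name == "localhost":
            hit = client.is_loopback or any(client == n.ip for n in nets)
        elif name == "localnets":  # only the server's own directly attached subnets
            hit = any(client in n.network for n in nets)
        elif name in acls:
            hit = acl_allows(acls[name], client, acls, ifaces)
        else:  # a literal address or CIDR prefix
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

def recursion_allowed(conf, client_ip, ifaces=SERVER_IFACES):
    """Would the server recurse for client_ip? Without allow-recursion, BIND 9 defaults to { localnets; localhost; }."""
    conf = re.sub(r"//.*", "", conf)  # drop // comments before parsing
    elements = parse_option(conf, "allow-recursion") or ["localnets", "localhost"]
    return acl_allows(elements, ipaddress.ip_address(client_ip), parse_acls(conf), ifaces)
```

With the default (no statement) the 10.1.1.2 client is refused recursion because it is not on the server's own subnet, which is the symptom in the report; `any` fixes that but also answers 203.0.113.5, while the `trusted_network` form admits only the enumerated ranges.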
Date Modified | Username | Field | Change |
---|---|---|---|
2020-09-29 10:56 | gtuminauskas | New Issue | |
2020-09-29 10:56 | gtuminauskas | Tag Attached: "freeipa" | |
2020-09-29 10:56 | gtuminauskas | Tag Attached: "ipa" | |
2020-09-29 10:56 | gtuminauskas | Tag Attached: "named" | |
2020-12-16 22:12 | alatteri | Note Added: 0038093 | |
2020-12-18 12:29 | gtuminauskas | Note Added: 0038108 | |
2020-12-19 11:24 | alatteri | Note Added: 0038115 | |
2020-12-19 11:32 | alatteri | Note Added: 0038116 | |
2020-12-19 11:33 | alatteri | Note Added: 0038117 | |
2020-12-19 11:36 | alatteri | Note Added: 0038118 | |
2020-12-19 11:38 | alatteri | Note Added: 0038119 | |
2020-12-20 21:22 | gtuminauskas | Note Added: 0038125 | |
2020-12-20 21:26 | gtuminauskas | Note Added: 0038126 |