Bug 14321 - Bind_dlz does not provide ACLs support for its zones and dynamic update does not work
Summary: Bind_dlz does not provide ACLs support for its zones and dynamic update does ...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ) (show other bugs)
Version: 4.12.0rc4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-16 09:18 UTC by Dario Lesca
Modified: 2020-09-12 00:12 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dario Lesca 2020-03-16 09:18:57 UTC
Since Samba bind_dlz implementation does not provide ACLs support for the
zones it manages, dynamically updating those zones does not work.

Technical details by Alexander Bokovoy reported in this tread:
https://lists.samba.org/archive/samba-technical/2020-March/134952.html

In bin/named/update.c, update_action() code starts with:

        CHECK(dns_zone_getdb(zone, &db));
        zonename = dns_db_origin(db);
        zoneclass = dns_db_class(db);
        dns_zone_getssutable(zone, &ssutable);

        /*
         * Update message processing can leak record existance information
         * so check that we are allowed to query this zone.  Additionally
         * if we would refuse all updates for this zone we bail out here.
         */
        CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
                            dns_zone_getupdateacl(zone), ssutable));

The message you see 'client ...: update ... denied' comes from
checkqueryacl()'s call:

...
       } else if (updateacl == NULL && ssutable == NULL) {
                dns_name_format(zonename, namebuf, sizeof(namebuf));
                dns_rdataclass_format(client->view->rdclass, classbuf,
                                      sizeof(classbuf));

                result = DNS_R_REFUSED;
                ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
                              NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
                              "update '%s/%s' denied", namebuf, classbuf);
        }
...

So, both updateacl (result of call to dns_zone_getupdateacl(zone) above)
and ssutable are not there.