Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u1

Problem:
update-policy { grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt; } is 
not handled correctly

Debian Stretch (9.10.3) doesn't have this issue. 

It is also possible to change entries in DOMAIN.TLD

Configuration part:

include "/etc/bind/dev.key";

zone DOMAIN.TLD {
        type master;
        file "/var/lib/bind/zones/DOMAIN.TLD";
        key-directory "/var/lib/bind/keys";
        masterfile-format raw;
        update-policy {
                grant dhcp zonesub a dhcid;
                grant local-ddns zonesub any;
                grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
        };

        allow-transfer {
                local;
        };
};

nsupdate key:

cat /etc/bind/dev.key 
key "dev.DOMAIN.TLD" {
        algorithm hmac-sha512;
        secret "******";
};


What is seen on Debian Buster:

nsupdate -k dev.key
> server 192.168.122.129
> ttl 3600
> update add test3.dev.DOMAIN.TLD a 192.0.2.3
> send
> update add test.DOMAIN.TLD a 192.0.2.1
> send

Logging: 
Jul 28 16:48:59 debian10-bind named[5894]: client @0x7f5718000c80 
192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding 
an RR at 'test3.dev.DOMAIN.de' A 192.0.2.3
Jul 28 16:48:59 debian10-bind named[5894]: zone DOMAIN.de/IN: sending notifies 
(serial 2020050521)
Jul 28 16:49:07 debian10-bind named[5894]: client @0x7f5718000c80 
192.168.122.1#40886/key dev.DOMAIN.TLD: updating zone 'DOMAIN.de/IN': adding 
an RR at 'test.DOMAIN.de' A 192.0.2.1
Jul 28 16:49:07 debian10-bind named[5894]: zone DOMAIN.de/IN: sending notifies 
(serial 2020050522)


How it should look, Debian Stretch:

nsupdate -k dev.key
> server 192.168.122.40
> ttl 3600
> update add test5.dev.credativ.de a 192.0.2.5   
> send
> update add test5.credativ.de a 192.0.2.5
> send
update failed: REFUSED

Logging:
Jul 29 11:37:00 debian9-bind named[515]: client 192.168.122.1#49684/key 
dev.credativ.de: updating zone 'credativ.de/IN': adding an RR at 
'test5.dev.credativ.de' A 192.0.2.5
Jul 29 11:37:00 debian9-bind named[515]: zone credativ.de/IN: sending notifies 
(serial 2020050522)
Jul 29 11:37:16 debian9-bind named[515]: client 192.168.122.1#49684/key 
dev.credativ.de: updating zone 'credativ.de/IN': update failed: rejected by 
secure update (REFUSED)


An ISC issue (bug report) has been created: 
https://gitlab.isc.org/isc-projects/bind9/-/issues/2055

Regards,
 
Joop Boonen

Tel.: +49 2166 9901-0
Fax: +49 2166 9901-100
E-Mail: joop.boo...@credativ.de
pgp fingerprint: 9130 2E95 0D0E 1721 EB23 7270 C2C6 B28E 7EA7 F0A4
https://www.credativ.de
credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Trompeterallee 108, 41189 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Unser Umgang mit personenbezogenen Daten unterliegt
folgenden Bestimmungen: https://www.credativ.de/datenschutz

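Added example (not part of the bug report above and not BIND's own code): a small Python model of how the zone's update-policy is supposed to be evaluated, following the BIND 9 ARM description (rules tried in order, first rule whose identity, name and type all match decides, no match means REFUSED, and a rule without a types list matches everything except RRSIG, NS, SOA, NSEC and NSEC3). It takes the already-verified TSIG key name as input, so TSIG itself is out of scope, and only the name, subdomain and zonesub nametypes are modelled; the policy text, zone name and key names are copied from the report, the extra cases and the function names are this example's own.

```python
"""Model of BIND update-policy evaluation (illustration only, not BIND's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per the BIND ARM: a rule that lists no types matches every type except these.
RESTRICTED_WHEN_UNSPECIFIED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

# update-policy of zone DOMAIN.TLD, copied from the report.
REPORTED_POLICY = """
    grant dhcp zonesub a dhcid;
    grant local-ddns zonesub any;
    grant dev.DOMAIN.TLD subdomain dev.DOMAIN.TLD a aaaa txt;
"""


@dataclass(frozen=True)
class Rule:
    action: str             # "grant" or "deny"
    identity: str           # TSIG key name, or a wildcard such as "*" / "*.example"
    nametype: str           # "name", "subdomain" or "zonesub" (others not modelled)
    name: Optional[str]     # target name; None for zonesub, which uses the zone name
    types: Tuple[str, ...]  # upper-cased RR types; empty means "not specified"


def canon(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons ignore case and dots."""
    return name.rstrip(".").lower()


def is_subdomain(name: str, parent: str) -> bool:
    """True if name is parent itself or lies below it (on a label boundary)."""
    name, parent = canon(name), canon(parent)
    return name == parent or name.endswith("." + parent)


def identity_matches(pattern: str, key_name: str) -> bool:
    pattern, key_name = canon(pattern), canon(key_name)
    if pattern == "*":
        return True
    if pattern.startswith("*."):            # "*.example" matches "k1.example"
        return key_name.endswith(pattern[1:])
    return pattern == key_name


def parse_policy(text: str) -> List[Rule]:
    """Parse the body of an update-policy { ... } block into Rule objects."""
    rules = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        action, identity, nametype = tokens[0].lower(), tokens[1], tokens[2].lower()
        if action not in ("grant", "deny"):
            raise ValueError("bad action: %s" % action)
        rest = tokens[3:]
        if nametype == "zonesub":
            name = None
        elif nametype in ("name", "subdomain"):
            if not rest:
                raise ValueError("nametype %s needs a name" % nametype)
            name, rest = rest[0], rest[1:]
        else:
            raise ValueError("nametype %s not modelled here" % nametype)
        rules.append(Rule(action, identity, nametype, name, tuple(t.upper() for t in rest)))
    return rules


def rule_matches(rule: Rule, zone: str, key_name: str, target: str, rrtype: str) -> bool:
    if not identity_matches(rule.identity, key_name):
        return False
    if rule.nametype == "name":
        name_ok = canon(target) == canon(rule.name)
    elif rule.nametype == "subdomain":
        name_ok = is_subdomain(target, rule.name)
    else:                                   # zonesub: anywhere inside the zone
        name_ok = is_subdomain(target, zone)
    if not name_ok:
        return False
    rrtype = rrtype.upper()
    if not rule.types:
        return rrtype not in RESTRICTED_WHEN_UNSPECIFIED
    return "ANY" in rule.types or rrtype in rule.types


def evaluate(policy: List[Rule], zone: str, key_name: str, target: str, rrtype: str) -> str:
    """Verdict for one update of (target, rrtype) signed with key_name: NOTZONE, ALLOWED or REFUSED."""
    if not is_subdomain(target, zone):
        return "NOTZONE"
    for rule in policy:                     # first matching rule decides
        if rule_matches(rule, zone, key_name, target, rrtype):
            return "ALLOWED" if rule.action == "grant" else "REFUSED"
    return "REFUSED"                        # no rule matched


def reported_cases() -> dict:
    """The two nsupdate requests from the report plus a few neighbouring cases."""
    policy = parse_policy(REPORTED_POLICY)
    zone, dev_key = "DOMAIN.TLD", "dev.DOMAIN.TLD"
    return {
        "test3.dev.DOMAIN.TLD A (dev)":   evaluate(policy, zone, dev_key, "test3.dev.DOMAIN.TLD", "A"),
        "test.DOMAIN.TLD A (dev)":        evaluate(policy, zone, dev_key, "test.DOMAIN.TLD", "A"),
        "dev.DOMAIN.TLD TXT (dev)":       evaluate(policy, zone, dev_key, "dev.DOMAIN.TLD", "TXT"),
        "test3.dev.DOMAIN.TLD MX (dev)":  evaluate(policy, zone, dev_key, "test3.dev.DOMAIN.TLD", "MX"),
        "host.DOMAIN.TLD AAAA (dhcp)":    evaluate(policy, zone, "dhcp", "host.DOMAIN.TLD", "AAAA"),
        "DOMAIN.TLD SOA (local-ddns)":    evaluate(policy, zone, "local-ddns", "DOMAIN.TLD", "SOA"),
    }


if __name__ == "__main__":
    for case, verdict in reported_cases().items():
        print("%-34s %s" % (case, verdict))
```

Running it shows the expected verdicts for the report's two requests: test3.dev.DOMAIN.TLD A is ALLOWED and test.DOMAIN.TLD A is REFUSED, which is the Stretch behaviour ("rejected by secure update (REFUSED)"); the Buster log, where the second update was applied, is the deviation the report describes. The model is only a reference for what to expect; the check that matters is the one named performs.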