Your message dated Sun, 22 Oct 2017 13:19:11 +0200
with message-id
<1508671151.815349.1146906880.773a8...@webmail.messagingengine.com>
and subject line Closing bugs in old-old-stable bind9 versions
has caused the Debian Bug report #175965,
regarding bind9 refuses to honor allow-transfer ACL if it listens to an ipv6 address
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
175965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=175965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Version: 1:9.2.1-2.woody.1
Severity: important
bind9 refuses all transfers with this configuration (excerpt):
acl "interne" {
    { localhost; 62.4.22.232/29; 192.168.0.0/24; };
};
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.
    query-source address * port 53;
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        62.4.16.70;
        62.4.16.80;
    };
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 {any;};
    allow-recursion {interne;};
    allow-query {interne;};
    allow-transfer {interne;};
};
zone "morinfr.org" {
    type slave;
    masters { 80.65.228.129; };
    file "/etc/bind/db.morinfr";
    allow-query { any; };
};
e.g. (bender.morinfr.org is the host running bind9):
guillaum@oyster:~$ host -l morinfr.org bender.morinfr.org
morinfr.org AXFR record query refused by bender.morinfr.org
No nameservers for morinfr.org responded
guillaum@oyster:~$ ip addr show
(snip)
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:05:a6:7f:de brd ff:ff:ff:ff:ff:ff
inet 62.4.22.234/29 brd 62.4.22.239 scope global eth0
In the log, you can read:
Jan 9 10:20:55 bender named[1006]: client ::ffff:62.4.22.234#33827:
zone transfer 'morinfr.org/IN' denied
As you can see, the refused address is in the ACL statement but for some
reason is considered an IPv6 address. This is not the case for at
least allow-query or allow-recursion.
Indeed, the other allow-* statements work correctly, e.g.:
guillaum@oyster:~$ host -r www.gnu.org bender.morinfr.org
www.gnu.org A record currently not present at bender.morinfr.org
guillaum@oyster:~$ host www.gnu.org bender.morinfr.org
www.gnu.org A 199.232.41.10
guillaum@oyster:~$
If I comment out the 'listen-on-v6' line and restart bind, the transfer
works correctly:
guillaum@oyster:~$ host -l morinfr.org bender.morinfr.org
morinfr.org. NS ns1.morinfr.org.
morinfr.org. NS bender.morinfr.org.
bender.morinfr.org. A 62.4.22.236
(snip)
guillaum@oyster:~$
This behavior is 100% reproducible on this box.
HTH.
Guillaume.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux bender 2.4.20 #10 ven nov 29 15:03:22 CET 2002 i686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro
Versions of packages bind9 depends on:
ii libc6 2.2.5-11.2 GNU C Library: Shared libraries an
ii libdns5 1:9.2.1-2.woody.1 DNS Shared Library used by BIND
ii libisc4 1:9.2.1-2.woody.1 ISC Shared Library used by BIND
ii libisccc0 1:9.2.1-2.woody.1 Command Channel Library used by BI
ii libisccfg0 1:9.2.1-2.woody.1 Config File Handling Library used
ii liblwres1 1:9.2.1-2.woody.1 Lightweight Resolver Library used
ii libssl0.9.6 0.9.6c-2.woody.1 SSL shared libraries
ii netbase 4.07 Basic TCP/IP networking system
--- End Message ---
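The mismatch the report describes, worked through as an added example that is not part of the bug report or of BIND's own code: a dual-stack listener reports an IPv4 peer as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), so a literal comparison against IPv4 ACL entries misses, while folding the mapped address back to IPv4 before matching gives the result the ACL author intended. The same check classifies "zone transfer denied" log lines so an operator can tell a listener/ACL mismatch from an outside AXFR attempt; the ACL contents, the loopback expansion of "localhost" and the second log line are assumptions constructed for the example.

```python
import ipaddress
import re

# ACL "interne" from the report's named.conf excerpt. BIND's built-in
# "localhost" expands to every address of the host; here it is approximated
# by the loopback ranges (an assumption made for this example).
ACL_INTERNE = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "::1/128", "62.4.22.232/29", "192.168.0.0/24")]

# Shape of the named log line quoted in the report.
DENIAL_RE = re.compile(
    r"client (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^']+)' denied")

def fold_mapped(addr_text):
    """Return the peer address as the ACL author thinks of it: an IPv4-mapped
    IPv6 address (what a dual-stack v6 listener reports for a v4 peer) is
    folded back to plain IPv4; any other address is returned unchanged."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def acl_match(addr_text, acl, fold=True):
    """fold=False reproduces the failure in the report: an IPv6 address is
    never contained in an IPv4 network, so every v4 ACL entry misses."""
    addr = fold_mapped(addr_text) if fold else ipaddress.ip_address(addr_text)
    return any(addr in net for net in acl)

def audit_denial(line, acl):
    """Classify one 'zone transfer denied' line: a client that fails the
    literal check but passes after folding is an ACL/listener mismatch,
    not an outsider asking for AXFR. Returns None for unrelated lines."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    literal = acl_match(m["addr"], acl, fold=False)
    folded = acl_match(m["addr"], acl, fold=True)
    if folded and not literal:
        verdict = "mapped-address mismatch"
    elif folded:
        verdict = "allowed client denied"   # ACL says yes; look elsewhere
    else:
        verdict = "outside ACL"
    return {"addr": m["addr"], "zone": m["zone"], "verdict": verdict}

# Constructed sample: the denial line from the report plus an outside peer.
SAMPLE_LOG = [
    "Jan 9 10:20:55 bender named[1006]: client ::ffff:62.4.22.234#33827: "
    "zone transfer 'morinfr.org/IN' denied",
    "Jan 9 10:21:03 bender named[1006]: client 203.0.113.7#4123: "
    "zone transfer 'morinfr.org/IN' denied",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(audit_denial(line, ACL_INTERNE))
```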
--- Begin Message ---
Version: 1:9.10.3.dfsg.P4-12.3
Hi,
the bind9 bug list grew too much and the Debian BIND team cannot
simply test all the reported bugs against versions not in stable, so
this is a mass bug close, as either the version is no longer relevant
(because of old-old-stable 9.8.x or old-stable 9.9.5 or even older
versions of bind9) or the bug was already fixed.
However, if you can reproduce the bug with a current version in stable,
please use the Debian BTS 'found <bug> <version_you_reproduced_the_issue>'
command to retag the bug and reopen it.
Cheers,
Ondrej
--- End Message ---