5.14. bind-dyndb-ldap

An updated bind-dyndb-ldap package that fixes one security issue is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.

Security Fix

CVE-2012-3429
A flaw was found in the way bind-dyndb-ldap performed the escaping of names from DNS requests for use in LDAP queries. A remote attacker able to send DNS queries to a named server that is configured to use bind-dyndb-ldap could use this flaw to cause named to exit unexpectedly with an assertion failure.
Red Hat would like to thank Sigbjorn Lie of Atea Norway for reporting this issue.
All bind-dyndb-ldap users should upgrade to this updated package, which contains a backported patch to correct this issue. For the update to take effect, the named service must be restarted.
An updated bind-dyndb-ldap package, which provides a number of bug fixes and enhancements, is now available for Red Hat Enterprise Linux 6.

Note

The bind-dyndb-ldap package has been upgraded to upstream version 1.1.0b2, which provides a number of bug fixes and enhancements over the previous version (BZ#767486).

Bug Fixes

BZ#751776
The bind-dyndb-ldap plug-in refused to load an entire zone when it contained an invalid Resource Record (RR) with the same Fully Qualified Domain Name (FQDN) as the zone name (for example, an MX record). With this update, the code for parsing Resource Records has been improved. If an invalid RR is encountered, the error message "Failed to parse RR entry" is logged and the zone continues to load successfully.
BZ#767489
When the first connection to an LDAP server failed, the bind-dyndb-ldap plug-in did not try to connect again. Consequently, users had to execute the "rndc reload" command to make the plug-in work. With this update, the plug-in periodically retries to connect to an LDAP server. As a result, user intervention is no longer required and the plug-in works as expected.
BZ#767492
When the zone_refresh period timed out and a zone was removed from the LDAP server, the plug-in continued to serve the removed zone. With this update, the plug-in no longer serves zones which have been deleted from LDAP when the zone_refresh parameter is set.
BZ#789356
When the named daemon received the rndc reload command or a SIGHUP signal and the plug-in failed to connect to an LDAP server, the plug-in caused named to terminate unexpectedly when it received a query which belonged to a zone previously handled by the plug-in. This has been fixed: the plug-in no longer serves its zones when the connection to LDAP fails during reload and no longer crashes in the scenario described.
BZ#796206
The plug-in terminated unexpectedly when named lost connection to an LDAP server for some time, then reconnected successfully, and some zones previously present had been removed from the LDAP server. The bug has been fixed and the plug-in no longer crashes in the scenario described.
BZ#805871
Certain string lengths were incorrectly set in the plug-in. Consequently, the Start of Authority (SOA) serial number and expiry time were incorrectly set for the forward zone during ipa-server installation. With this update, the code has been improved and the SOA serial number and expiry time are set as expected.
BZ#811074
When a Domain Name System (DNS) zone was managed by the bind-dyndb-ldap plug-in and a sub-domain was delegated to another DNS server, the plug-in did not put A or AAAA glue records in the additional section of a DNS answer. Consequently, the delegated sub-domain was not accessible by other DNS servers. With this update, the plug-in has been fixed and now returns A or AAAA glue records of a delegated sub-domain in the additional section. As a result, delegated zones are correctly resolvable in the scenario described.
BZ#818933
Previously, the bind-dyndb-ldap plug-in did not escape non-ASCII characters in incoming DNS queries correctly. Consequently, the plug-in failed to send answers for queries which contained non-ASCII characters such as ,. The plug-in has been fixed and now correctly returns answers for queries with non-ASCII characters.
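Both CVE-2012-3429 above and BZ#818933 concern the same operation: taking a name out of a DNS query and placing it inside an LDAP search filter. The following is an added illustration, not code from bind-dyndb-ldap, of what a complete escaping routine for that step looks like under RFC 4515: the filter metacharacters `*`, `(`, `)`, `\` and NUL, and every byte outside printable ASCII (which covers the non-ASCII query names of BZ#818933), are rewritten as `\XX` hex escapes, and the routine fails closed with a return code rather than asserting when the output buffer is too small. The attribute name `idnsName` used to build the filter is an assumption about the LDAP schema; the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Escape one DNS owner name for use as a value inside an LDAP search
 * filter, following RFC 4515 section 3: the bytes '*', '(', ')', '\'
 * and NUL, plus every byte outside printable ASCII (non-ASCII labels,
 * control characters), become "\XX" with two uppercase hex digits.
 * Returns the escaped length, or -1 when 'out' (outlen bytes) cannot
 * hold the result plus its terminator. Illustrative code, not the
 * plug-in's own implementation. */
int escape_ldap_filter_value(const char *in, size_t inlen,
                             char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' ||
                       c < 0x20 || c > 0x7e);   /* NUL is covered by c < 0x20 */
        if (special) {
            if (o + 3 >= outlen)
                return -1;                      /* no room for "\XX" plus NUL */
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(idnsName=<escaped name>)". The attribute name idnsName is an
 * assumption about the LDAP schema in use. Returns 0 on success, -1 when
 * the escaped name or the finished filter does not fit. */
int build_idnsname_filter(const char *name, size_t namelen,
                          char *buf, size_t buflen)
{
    char esc[1024];
    int n = escape_ldap_filter_value(name, namelen, esc, sizeof esc);
    if (n < 0)
        return -1;
    int w = snprintf(buf, buflen, "(idnsName=%s)", esc);
    return (w < 0 || (size_t)w >= buflen) ? -1 : 0;
}

/* Helper: 1 if escaping 'in' yields exactly 'expected', else 0. The input
 * length is passed explicitly so embedded NUL bytes are exercised too. */
int escape_matches(const char *in, size_t inlen, const char *expected)
{
    char out[256];
    int n = escape_ldap_filter_value(in, inlen, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(out, expected) == 0;
}

/* Helper: 1 if escaping 'in' fits into a buffer of 'outlen' bytes, else 0. */
int escape_fits(const char *in, size_t inlen, size_t outlen)
{
    char out[256];
    if (outlen > sizeof out)
        outlen = sizeof out;
    return escape_ldap_filter_value(in, inlen, out, outlen) >= 0;
}

int main(void)
{
    /* Constructed sample names: a plain name, one carrying filter
     * metacharacters, and one whose label holds a UTF-8 byte sequence. */
    const char *samples[] = { "www.example.test", "a*b(c).example.test",
                              "r\xc3\xa6" "d.example.test" };
    char filter[512];
    for (size_t i = 0; i < 3; i++) {
        if (build_idnsname_filter(samples[i], strlen(samples[i]),
                                  filter, sizeof filter) == 0)
            printf("%s -> %s\n", samples[i], filter);
    }
    return 0;
}
```

The point of the length-checked return paths is the one the advisory makes: a name that the escaper cannot handle must produce a refused query, not an assertion failure inside named.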

Enhancements

BZ#733371
The bind-dyndb-ldap plug-in now supports two new attributes, idnsAllowQuery and idnsAllowTransfer, which can be used to set ACLs for queries or transfers. Refer to /usr/share/doc/bind-dyndb-ldap/README for information on the attributes.
BZ#754433
The plug-in now supports the new zone attributes idnsForwarders and idnsForwardPolicy which can be used to configure forwarding. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
BZ#766233
The plug-in now supports zone transfers.
BZ#767494
The plug-in has a new option called sync_ptr that can be used to keep A and AAAA records and their PTR records synchronized. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
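Keeping forward and reverse records synchronized first requires deriving the PTR owner name from each A or AAAA value. The following added example, which is not the plug-in's code, shows that derivation for both address families (octets reversed under in-addr.arpa., nibbles reversed under ip6.arpa.) and a small decision routine for what a synchronization pass would have to do with the existing PTR, if any. The addresses and host names used are constructed; `ptr_sync_action` and its return codes are this example's own convention, not an interface of bind-dyndb-ldap.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Derive the PTR owner name for an IPv4 or IPv6 address in text form:
 *   "192.0.2.10"  -> "10.2.0.192.in-addr.arpa."
 *   "2001:db8::1" -> 32 reversed nibbles followed by "ip6.arpa."
 * Returns 0 on success, -1 if the address does not parse or 'out'
 * (outlen bytes) is too small. Illustrative code, not the plug-in's. */
int ptr_owner_name(const char *addr, char *out, size_t outlen)
{
    unsigned char v4[4], v6[16];

    if (inet_pton(AF_INET, addr, v4) == 1) {
        int n = snprintf(out, outlen, "%u.%u.%u.%u.in-addr.arpa.",
                         (unsigned)v4[3], (unsigned)v4[2],
                         (unsigned)v4[1], (unsigned)v4[0]);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    if (inet_pton(AF_INET6, addr, v6) == 1) {
        static const char hex[] = "0123456789abcdef";
        size_t o = 0;
        if (outlen < 64 + sizeof "ip6.arpa.")   /* 32 x "X." plus suffix */
            return -1;
        for (int i = 15; i >= 0; i--) {         /* least significant nibble first */
            out[o++] = hex[v6[i] & 0x0f]; out[o++] = '.';
            out[o++] = hex[v6[i] >> 4];   out[o++] = '.';
        }
        memcpy(out + o, "ip6.arpa.", sizeof "ip6.arpa.");
        return 0;
    }
    return -1;
}

/* Decide what a sync pass has to do for one A/AAAA record whose owner is
 * 'owner_fqdn'. 'existing_target' is the PTR target currently stored for
 * the address' reverse name, or NULL if no PTR exists. Returns 0 when the
 * PTR is already correct, 1 when it must be created, 2 when it points
 * elsewhere and must be updated, -1 when the address is invalid. */
int ptr_sync_action(const char *addr, const char *owner_fqdn,
                    const char *existing_target)
{
    char rev[128];
    if (ptr_owner_name(addr, rev, sizeof rev) != 0)
        return -1;
    if (existing_target == NULL)
        return 1;
    return strcmp(existing_target, owner_fqdn) == 0 ? 0 : 2;
}

/* Helper: 1 if the computed reverse name for 'addr' equals 'expected'. */
int ptr_name_matches(const char *addr, const char *expected)
{
    char rev[128];
    return ptr_owner_name(addr, rev, sizeof rev) == 0 && strcmp(rev, expected) == 0;
}

int main(void)
{
    /* Constructed forward records, as (owner, address) pairs. */
    const char *owners[] = { "host1.example.test.", "host2.example.test." };
    const char *addrs[]  = { "192.0.2.10", "2001:db8::1" };
    char rev[128];
    for (int i = 0; i < 2; i++) {
        if (ptr_owner_name(addrs[i], rev, sizeof rev) == 0)
            printf("%s -> %s PTR %s\n", addrs[i], rev, owners[i]);
    }
    return 0;
}
```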
BZ#795406
It was not possible to store configuration for the plug-in in LDAP and configuration was only taken from the named.conf file. With this update, configuration information can be obtained from idnsConfigObject in LDAP. Note that options set in named.conf have lower priority than options set in LDAP. The priority will change in future updates. Refer to the README file for more details.
Users of the bind-dyndb-ldap package should upgrade to this updated package, which fixes these bugs and adds these enhancements.