[2.x] BIND config should include option "empty-zones-enable no"

Bug #1670886 reported by Nathaniel W. Turner
This bug affects 2 people

Affects | Status | Importance | Assigned to | Milestone
MAAS | Invalid | High | Andres Rodriguez |
2.2 | Won't Fix | High | Andres Rodriguez |

Bug Description

Somewhat recently BIND upstream changed the default behavior with respect to forwarding DNS queries matching RFC 1918 prefixes (private subnets). The new default is effectively to block such queries.

This breaks what I imagine is a common use case for MAAS: A MAAS deployment using a private address range (e.g. 10.0.4.0/24) in a larger private network (e.g. 10.0.0.0/16) with internal DNS.

If a MAAS host does a reverse (PTR) query for an address outside the range managed by MAAS, the MAAS DNS server will not forward it to any configured upstream DNS servers.

The fix is to add the following line to /etc/bind/maas/named.conf.options.inside.maas:

  empty-zones-enable no;

Currently running maas 2.1.4+bzr5591-0ubuntu

Tags: dns
Revision history for this message
Andres Rodriguez (andreserl) wrote :

Hi Nathaniel,

I was wondering if you have upgraded to the latest MAAS 2.2.0 and whether this is still relevant?

Thanks.

Changed in maas:
milestone: none → 2.3.0
importance: Undecided → Critical
status: New → Triaged
tags: added: dns
Changed in maas:
importance: Critical → High
summary: - BIND config should include option "empty-zones-enable no"
+ [2.x] BIND config should include option "empty-zones-enable no"
Andres Rodriguez (andreserl) wrote :

Also, the version of bind would be good to have.

Thanks

Changed in maas:
assignee: nobody → Andres Rodriguez (andreserl)
Nathaniel W. Turner (nturner) wrote : Re: [Bug 1670886] Re: [2.x] BIND config should include option "empty-zones-enable no"

Yes, I have upgraded to maas version 2.2.0+bzr6054-0ubuntu1~16.04.1 and
yes, this is still needed: I had added the aforementioned directive to my
/etc/bind/named.conf.options --- if I comment that out, the problem
returns. This is with bind9 version 1:9.10.3.dfsg.P4-8ubuntu1.6

On Tue, Jun 27, 2017 at 1:36 PM Andres Rodriguez <email address hidden>
wrote:

> Also, the version of bind would be good to have.
>
> Thanks
>

Mike Pontillo (mpontillo) wrote :

When this issue is addressed, let's keep in mind that ISC does not recommend this workaround [1]:

"""
Although this will be effective as a workaround, administrators are urged not to just specify empty-zones-enable no;

It is much better to use one or more disable-empty-zone option declarations to disable only the RFC 1918 empty zones that are in use internally.
"""

[1]: https://deepthought.isc.org/article/AA-00800/0/Automatic-empty-zones-including-RFC-1918-prefixes.html
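
The following is an added example, not code from MAAS, ISC or anyone on this thread. It turns the ISC advice quoted above, and the scenario from the bug description (a MAAS-managed 10.0.4.0/24 inside an internal 10.0.0.0/16), into a small script: given the RFC 1918 prefixes an organisation actually uses, it derives the matching BIND `disable-empty-zone` declarations instead of the blanket `empty-zones-enable no;`, and it flags the blanket setting if it is already present in an options file. The list of built-in RFC 1918 empty zones (10.in-addr.arpa, 16.172 through 31.172.in-addr.arpa, 168.192.in-addr.arpa) is the one BIND 9.10 and later create automatically; the prefixes passed in and the sample config string are constructed for the example.

```python
"""Targeted alternative to "empty-zones-enable no;" (added example, not MAAS code).

BIND 9.10+ serves authoritative empty zones for RFC 1918 reverse space, so a
PTR query for an address in that space is answered NXDOMAIN locally instead
of being sent to the configured forwarders. ISC recommends disabling only the
empty zones that are in use internally, which is what this script derives.
"""
import ipaddress
import re

# BIND's automatic empty zones for RFC 1918 space and the network each covers:
# one for 10/8, one per /16 of 172.16/12, one for 192.168/16. Only the RFC 1918
# zones discussed in the bug are listed; BIND also has others (e.g. TEST-NET).
RFC1918_EMPTY_ZONES = (
    [("10.in-addr.arpa", ipaddress.ip_network("10.0.0.0/8"))]
    + [(f"{i}.172.in-addr.arpa", ipaddress.ip_network(f"172.{i}.0.0/16"))
       for i in range(16, 32)]
    + [("168.192.in-addr.arpa", ipaddress.ip_network("192.168.0.0/16"))]
)


def zones_to_disable(prefixes_in_use):
    """Return the built-in empty zones (in BIND's own order) that overlap any
    of the given private prefixes; these are the zones whose reverse queries
    must be allowed through to the forwarders."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes_in_use]
    return [zone for zone, zone_net in RFC1918_EMPTY_ZONES
            if any(zone_net.overlaps(n) for n in nets)]


def render_options(prefixes_in_use):
    """Render an options{} fragment that keeps the default empty zones and
    disables only those covering the prefixes in use."""
    lines = [
        "options {",
        "    // Keep BIND's automatic empty zones (the default) ...",
        "    empty-zones-enable yes;",
        "    // ... except the RFC 1918 reverse zones used internally, so PTR",
        "    // queries for them are forwarded instead of answered NXDOMAIN.",
    ]
    lines += [f'    disable-empty-zone "{zone}";' for zone in zones_to_disable(prefixes_in_use)]
    lines.append("};")
    return "\n".join(lines)


def audit_options(config_text):
    """Return a list of findings for the blanket setting ISC warns against."""
    findings = []
    if re.search(r"^\s*empty-zones-enable\s+no\s*;", config_text, re.MULTILINE):
        findings.append('blanket "empty-zones-enable no;" found; prefer '
                        'disable-empty-zone for the RFC 1918 zones in use')
    return findings


if __name__ == "__main__":
    # Constructed input: the reporter's 10.0.0.0/16 corporate network, which
    # contains the MAAS-managed 10.0.4.0/24. MAAS's own 4.0.10.in-addr.arpa zone
    # is more specific, so it keeps answering locally; only the rest of
    # 10.in-addr.arpa becomes forwardable.
    in_use = ["10.0.0.0/16", "10.0.4.0/24"]
    print(render_options(in_use))

    # Constructed sample of the workaround from the bug description.
    sample = "options {\n    forwarders { 10.0.0.53; };\n    empty-zones-enable no;\n};\n"
    for finding in audit_options(sample):
        print("finding:", finding)
```

Running it with the prefixes above emits a single `disable-empty-zone "10.in-addr.arpa";` line; the 172.16/12 space maps to sixteen separate zones because BIND defines one per /16, so passing the whole /12 disables all sixteen. Checking the rendered fragment into the MAAS-managed options file is outside this script; the point is the mapping from prefixes in use to the minimal set of disabled zones.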

Nathaniel W. Turner (nturner) wrote :

Cool. Is the plan for maas to provide a way for admins to specify which RFC 1918 networks are in use at our organization and for which DNS forwarding should occur?

Changed in maas:
milestone: 2.3.0 → 2.3.x
Adam Collard (adam-collard) wrote :

This bug has not seen any activity in the last 6 months, so it is being automatically closed.

If you are still experiencing this issue, please feel free to re-open.

MAAS Team

Changed in maas:
status: Triaged → Invalid