Bug 1060349

Summary: IPA: Unable to add host when ipv6 address already exits
Product: Red Hat Enterprise Linux 7 Reporter: Jenny Severance <jgalipea>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: dpal, mnavrati, pviktori, rcritten, rmainz, tbabej
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7 Doc Type: Known Issue
Doc Text:
The "ipa host-add" command does not verify the existence of AAAA records. As a consequence, "ipa host-add" fails if no A record is available for the host even if an AAAA record exists. To work around this problem, run "ipa host-add" with the "--force" option.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:10:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1168850    

Description Jenny Severance 2014-01-31 21:44:53 UTC 
Description of problem:
If you add ipv6 address for a host and then try to add the host, it fails with an error message that the ipv4 address does not exist.
ipa: ERROR: Host does not have corresponding DNS A record


Automated Testing Results

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-089: Delete host without deleting DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:40:40 ] ::  IPv6 address is 2620:52:0:1060:10:16ff:fe98:245
:: [ 15:40:40 ] ::  Reverse zone: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
------------------------------------------
Deleted host "mytestipv6host.testrelm.com"
------------------------------------------
:: [ 15:40:42 ] ::  Host mytestIPv6host.testrelm.com deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.GBFCZoR4wL/forward_dns_3.out' should contain 'AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245' 
:: [ 15:40:44 ] ::  Final digit.
  Record name: 5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f
  PTR record: mytestipv6host.testrelm.com.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-090: Add host without force option - DNS Record Exists
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:40:46 ] ::  IPv6 address is 2620:52:0:1060:10:16ff:fe98:245
:: [ 15:40:46 ] ::  Reverse zone: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
:: [ 15:40:46 ] ::  EXECUTING: ipa host-add --ip-address=2620:52:0:1060:ffff:16ff:fe98:245 mytestIPv6host.testrelm.com
ipa: ERROR: Host does not have corresponding DNS A record
:: [   FAIL   ] :: Add host DNS entries exist (Expected 0, got 1)
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------
:: [ 15:40:49 ] ::  WARNING: Failed to find host.
:: [   FAIL   ] :: Verifying host was added when DNS records exist. (Expected 0, got 1)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.GBFCZoR4wL/forward_dns_4.out' should contain 'AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245' 
:: [ 15:40:51 ] ::  Final digit.
  Record name: 5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f
  PTR record: mytestipv6host.testrelm.com.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
ipa: ERROR: mytestipv6host.testrelm.com: host not found
:: [ 15:40:54 ] ::  WARNING: Deleting host mytestIPv6host.testrelm.com failed.
:: [   FAIL   ] :: Deleting host without deleting DNS entries (Expected 0, got 2)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.GBFCZoR4wL/forward_dns_41.out' should contain 'AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245' 
:: [   PASS   ] :: Checking nslookup output (Expected 0, got 0)
:: [ 15:41:06 ] ::  nslookup_msg=name = mytestipv6host.testrelm.com
Server:		10.16.98.245
Address:	10.16.98.245#53

5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f.0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.com.

:: [   PASS   ] :: Running 'cat  /tmp/tmp.GBFCZoR4wL/nslookup_2_output.out' (Expected 0, got 0)
5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f.0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.com.
:: [   PASS   ] :: nslookup shows IPAddress exist 


Version-Release number of selected component (if applicable):
ipa-server-3.3.3-13.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. add ipv6 reverse zone
# ipa dnszone-add 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. --admin-email=admin --name-server `hostname`.
  Zone name: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Authoritative nameserver: ipaqa64vmj.testrelm.com.
  Administrator e-mail address: admin.example.com.
  SOA serial: 1391202431
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

2. make sure the record exists

# ipa dnsrecord-find --name=mytestipv6host
Zone name: testrelm.com    
  Record name: mytestipv6host
  AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245
----------------------------
Number of entries returned 1

# ipa dnsrecord-find
Zone name: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Record name: 5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f
  PTR record: mytestipv6host.testrelm.com.

  Record name: @
  NS record: ipaqa64vmj.testrelm.com.
----------------------------
Number of entries returned 2
----------------------------

Make sure the host does not exist

# ipa host-find mytestipv6host.testrelm.com
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0

3. Try to add the host

]# ipa host-add mytestipv6host.testrelm.com
ipa: ERROR: Host does not have corresponding DNS A record

]# ipa host-add --ip-address=2620:52:0:1060:ffff:16ff:fe98:245 mytestIPv6host.testrelm.com
ipa: ERROR: IP address 2620:52:0:1060:ffff:16ff:fe98:245 is already assigned in domain testrelm.com.

Only one host exists ..

# ipa host-find
--------------
1 host matched
--------------
  Host name: ipaqa64vmj.testrelm.com
  Principal name: host/ipaqa64vmj.testrelm.com
  Password: False
  Keytab: True
  Managed by: ipaqa64vmj.testrelm.com
  SSH public key fingerprint: 5F:66:46:2F:6A:86:D1:D4:94:9F:54:66:9D:3B:24:CF (ecdsa-sha2-nistp256), 22:8B:BF:E8:56:62:E3:E3:93:B7:36:3F:67:3D:0B:C9 (ssh-rsa)
----------------------------
Number of entries returned 1


Actual results:
Can not add host

Expected results:
Host add command recognizes that the dns record exist - should behave the same as when adding with ipv4 address already exist

Additional info:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-47 Delete host without deleting DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Host myhost.testrelm.com deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-47 Delete host without deleting DNS Record

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-48 Add host without force option - DNS Record Exists
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: EXECUTING: ipa host-add myhost.testrelm.com
:: [   PASS   ] :: Add host DNS entries exist (Expected 0, got 0)
:: [   LOG    ] :: Host name is as expected.
:: [   LOG    ] :: Principal name is as expected.
:: [   PASS   ] :: Verifying host was added when DNS records exist. (Expected 0, got 0)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-48 Add host without force option - DNS Record Exists
Comment 1 Rob Crittenden 2014-01-31 22:22:59 UTC 
Well, I guess from one perspective the error is very clear: there is no A record, just an AAAA record. So I guess the question is, should we extend this test to look for both A and AAAA recoreds? Is that what you're proposing?
Comment 2 Dmitri Pal 2014-02-01 19:22:34 UTC 
(In reply to Rob Crittenden from comment #1)
> Well, I guess from one perspective the error is very clear: there is no A
> record, just an AAAA record. So I guess the question is, should we extend
> this test to look for both A and AAAA records? Is that what you're
> proposing?

If I read it right the command fails if the AAAA for the same host is created manually in advance. IMO the logic would be 
a) To check both A and AAAA records when the host is added without specific address. In this case the first attempt to add the host would see that there is already an entry and if the entry with the same name it should proceed. If the entry is with a different name it should fail as now.
Comment 3 Martin Kosek 2014-02-06 09:26:01 UTC 
I think we just want to change the check in host-add command to check both A and AAAA records, as Rob said (by doing DNS resolve query, not searching for records in IPA DNS).

Currently, host-add does not respect IPv6-only networks and fails with the described error as it only checks IPv4 address. When host has already IPv6 address defined, admin would always need to add hosts with --force flag to workaround it.

I will file an upstream ticket.
Comment 4 Martin Kosek 2014-02-06 09:26:21 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4164
Comment 6 Petr Viktorin (pviktori) 2014-08-11 14:05:13 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ca001814abe533f19498d4207b5233eff17549a5
https://fedorahosted.org/freeipa/changeset/4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/ca001814abe533f19498d4207b5233eff17549a5
https://fedorahosted.org/freeipa/changeset/4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-0:
https://fedorahosted.org/freeipa/changeset/85b2c786bf53eb2882ab0db2b2cc23ec273b4020
https://fedorahosted.org/freeipa/changeset/2fa1555722ed875a32d3480ea08c5ad420a015a6
Comment 8 Namita Soman 2015-01-26 05:37:38 UTC 
Verified automated test passed using ipa-server-4.1.0-15.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-089: Delete host without deleting DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 00:31:47 ] :: IPv6 address is 2620:52:0:1007:221:5eff:fe86:834
:: [ 00:31:47 ] :: Reverse zone: 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
:: [  BEGIN   ] :: Deleting host without deleting DNS entries :: actually running 'deleteHost mytestIPv6host.testrelm.test'
-------------------------------------------
Deleted host "mytestipv6host.testrelm.test"
-------------------------------------------
:: [ 00:31:49 ] :: Host mytestIPv6host.testrelm.test deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [  BEGIN   ] :: Checking for forward DNS entry :: actually running 'ipa dnsrecord-find testrelm.test mytestIPv6host > /tmp/tmp.lX7g8QbUBW/forward_dns_3.out'
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.lX7g8QbUBW/forward_dns_3.out' should contain 'AAAA record: 2620:52:0:1007:ffff:5eff:fe86:834' 
:: [ 00:31:50 ] :: Final digit.
:: [  BEGIN   ] :: Checking for reverse DNS entry :: actually running 'ipa dnsrecord-find 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f'
  Record name: 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f
  PTR record: mytestipv6host.testrelm.test.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-090: Add host without force option - DNS Record Exists bz1060349
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 00:31:52 ] :: IPv6 address is 2620:52:0:1007:221:5eff:fe86:834
:: [ 00:31:53 ] :: Reverse zone: 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
:: [ 00:31:53 ] :: EXECUTING: ipa host-add --ip-address=2620:52:0:1007:ffff:5eff:fe86:834 mytestIPv6host.testrelm.test
:: [  BEGIN   ] :: Add host DNS entries exist :: actually running 'ipa host-add mytestIPv6host.testrelm.test'
-----------------------------------------
Added host "mytestipv6host.testrelm.test"
-----------------------------------------
  Host name: mytestipv6host.testrelm.test
  Principal name: host/mytestipv6host.testrelm.test
  Password: False
  Keytab: False
  Managed by: mytestipv6host.testrelm.test
:: [   PASS   ] :: Add host DNS entries exist (Expected 0, got 0)
:: [  BEGIN   ] :: Verifying host was added when DNS records exist. :: actually running 'findHost mytestIPv6host.testrelm.test'
--------------
1 host matched
--------------
  Host name: mytestipv6host.testrelm.test
  Principal name: host/mytestipv6host.testrelm.test
  Password: False
  Keytab: False
  Managed by: mytestipv6host.testrelm.test
----------------------------
Number of entries returned 1
----------------------------
-------------- 1 host matched -------------- Host name: mytestipv6host.testrelm.test Principal name: host/mytestipv6host.testrelm.test Password: False Keytab: False Managed by: mytestipv6host.testrelm.test ---------------------------- Number of entries returned 1 ----------------------------
:: [ 00:31:57 ] :: Host name is as expected.
-------------- 1 host matched -------------- Host name: mytestipv6host.testrelm.test Principal name: host/mytestipv6host.testrelm.test Password: False Keytab: False Managed by: mytestipv6host.testrelm.test ---------------------------- Number of entries returned 1 ----------------------------
:: [ 00:31:57 ] :: Principal name is as expected.
:: [   PASS   ] :: Verifying host was added when DNS records exist. (Expected 0, got 0)
:: [  BEGIN   ] :: Checking for forward DNS entry :: actually running 'ipa dnsrecord-find testrelm.test mytestIPv6host > /tmp/tmp.lX7g8QbUBW/forward_dns_4.out'
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.lX7g8QbUBW/forward_dns_4.out' should contain 'AAAA record: 2620:52:0:1007:ffff:5eff:fe86:834' 
:: [ 00:31:59 ] :: Final digit.
:: [  BEGIN   ] :: Checking for reverse DNS entry :: actually running 'ipa dnsrecord-find 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f'
  Record name: 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f
  PTR record: mytestipv6host.testrelm.test.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
:: [  BEGIN   ] :: Deleting host without deleting DNS entries :: actually running 'deleteHost mytestIPv6host.testrelm.test'
-------------------------------------------
Deleted host "mytestipv6host.testrelm.test"
-------------------------------------------
:: [ 00:32:01 ] :: Host mytestIPv6host.testrelm.test deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [  BEGIN   ] :: Checking for forward DNS entry :: actually running 'ipa dnsrecord-find testrelm.test mytestIPv6host > /tmp/tmp.lX7g8QbUBW/forward_dns_41.out'
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.lX7g8QbUBW/forward_dns_41.out' should contain 'AAAA record: 2620:52:0:1007:ffff:5eff:fe86:834' 
:: [  BEGIN   ] :: Checking nslookup output :: actually running 'nslookup 2620:52:0:1007:ffff:5eff:fe86:834  > /tmp/tmp.lX7g8QbUBW/nslookup_2_output.out'
:: [   PASS   ] :: Checking nslookup output (Expected 0, got 0)
:: [ 00:32:13 ] :: nslookup_msg=name = mytestipv6host.testrelm.test
:: [  BEGIN   ] :: Running 'cat  /tmp/tmp.lX7g8QbUBW/nslookup_2_output.out'
Server:		127.0.0.1
Address:	127.0.0.1#53

4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f.7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.test.

:: [   PASS   ] :: Command 'cat  /tmp/tmp.lX7g8QbUBW/nslookup_2_output.out' (Expected 0, got 0)
4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f.7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.test.
:: [   PASS   ] :: nslookup shows IPAddress exist
Comment 10 errata-xmlrpc 2015-03-05 10:10:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html