Bug 1139778

| Field | Value |
|---|---|
| Summary | Records deleted when connection to LDAP is down are not refreshed properly |
| Product | Red Hat Enterprise Linux 7 |
| Component | bind-dyndb-ldap |
| Version | 7.0 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | medium |
| Reporter | Petr Spacek <pspacek> |
| Assignee | Petr Spacek <pspacek> |
| QA Contact | Namita Soman <nsoman> |
| CC | mnavrati, pspacek |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | bind-dyndb-ldap-7.99-1.GIT158e95e.el7 |
| Doc Type | Known Issue |
| Doc Text | The latest version of the bind-dyndb-ldap system plug-in offers significant improvements over the previous versions, but currently has certain limitations. One of the limitations is that certain data is not synchronized correctly when the connection to the LDAP server is down. As a consequence, DNS records removed from LDAP are sometimes not removed from the DNS zone until the named daemon is reloaded. After reloading the named daemon, updated records are served correctly. |
| Story Points | --- |
| Last Closed | 2015-11-19 10:21:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1168850, 1179458 |
Description
Petr Spacek
2014-09-09 15:30:52 UTC
Known Issue text was added.

Fixed upstream: 57e87e325bbfe60709a53c8d5422339bb5f2b664, b476041bd6a88b88cd1739e61960a666868e1b23, 77ecee87f551567b94bd26290c734c7feb5ed93f, c727f40cae75b9f2e05f2789bade937c90202f11, 783b04c87575205388a1277da8b46a781508f4a7, 9b4a6373c868f8858253d5e9bf850e1cbbed2a7f

This bug was fixed and the fix is documented as part of rebase bug 1204110.

Following steps to verify from https://fedorahosted.org/bind-dyndb-ldap/ticket/128#comment:5

1> Add a zone
# ipa dnszone-add --name-server=mgmt9.testrelm.test. --admin-email=ipaqar.redhat.com --serial=2010010701 --refresh=303 --retry=101 --expire=1202 --minimum=33 --ttl=55 newzone
2> Add a record to a zone
# ipa dnsrecord-add newzone allll --a-rec 1.2.3.4
Record name: allll
A record: 1.2.3.4
# dig allll.newzone
3> Break connection between bind-dyndb-ldap and LDAP server somehow

Question: How to break this connection?

One option is to use the 'socat' utility to create a proxy between two ports and kill & restart this 'proxy' when appropriate:
1. install master with DNS
2. run socat proxy:
$ socat tcp-listen:3899,fork,reuseaddr tcp-connect:127.0.0.1:389
3. change /etc/named.conf: change the ldapi connection to a connection over ldap:// port 3899
arg "uri ldap://master.ipa.test:3899";
4. restart named-pkcs11
5. test with dig @localhost if named is working
6. kill socat
7. do some changes in DNS LDAP entries
8. start socat again
9. wait 60 sec until named reconnects
10. test with dig @localhost if named picked up changes from LDAP
I hope this helps.
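The procedure above, wrapped in a script as an added example; this is not code from the bug report or from the bind-dyndb-ldap project. It assumes the same layout as the steps (a socat proxy on port 3899 in front of LDAP at 127.0.0.1:389, named already pointed at that port in /etc/named.conf and queried at @localhost, a 60 s reconnect wait) and, for the deletion case the report verifies, a record one label below the zone apex. The `record_state` helper classifies dig output so that a stale answer, a genuine NXDOMAIN/NODATA and a timed-out query are told apart; the names `start_proxy`, `stop_proxy`, `record_state`, `expect_state` and `verify_deletion_refresh` are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report or from bind-dyndb-ldap.
# Drives the socat-proxy test: named reaches LDAP only through the proxy
# (arg "uri ldap://<master>:3899" in /etc/named.conf), so killing the proxy
# simulates the LDAP link going down without touching the directory server.
# Assumed values (not from the report): proxy port 3899, LDAP on
# 127.0.0.1:389, named queried at @localhost, 60 s reconnect wait.

PROXY_PORT="${PROXY_PORT:-3899}"
LDAP_TARGET="${LDAP_TARGET:-127.0.0.1:389}"
RECONNECT_WAIT="${RECONNECT_WAIT:-60}"
PROXY_PID=""

# Start the TCP proxy in the background and remember its pid.
start_proxy() {
    socat "tcp-listen:${PROXY_PORT},fork,reuseaddr" "tcp-connect:${LDAP_TARGET}" &
    PROXY_PID=$!
}

# Kill the proxy; from named's point of view the LDAP server is now unreachable.
stop_proxy() {
    [ -n "$PROXY_PID" ] && kill "$PROXY_PID" 2>/dev/null
    wait "$PROXY_PID" 2>/dev/null
    PROXY_PID=""
}

# Classify dig output read from stdin:
#   present - NOERROR with at least one answer RR (stale or fresh)
#   absent  - NOERROR with no answer RRs (NODATA), or NXDOMAIN
#   error   - anything else (SERVFAIL, timeout, no header line at all)
# Distinguishing "absent" from "error" matters: a query that times out
# must not be mistaken for a deletion that named has picked up.
record_state() {
    local out status n
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    n=$(printf '%s\n' "$out" | sed -n 's/^;; flags:.*ANSWER: \([0-9][0-9]*\),.*/\1/p')
    case "$status" in
        NOERROR)  if [ "${n:-0}" -gt 0 ]; then echo present; else echo absent; fi ;;
        NXDOMAIN) echo absent ;;
        *)        echo error ;;
    esac
}

# Ask named directly (authoritative data, no resolver cache) and classify the reply.
query_state() {
    dig @localhost +time=2 +tries=1 "$1" "${2:-A}" | record_state
}

# Fail unless the name is in the expected state; prints the comparison.
expect_state() {
    local name want got
    name=$1; want=$2
    got=$(query_state "$name")
    printf '%-40s want=%s got=%s\n' "$name" "$want" "$got"
    [ "$got" = "$want" ]
}

# The deletion case from the report: record visible, link cut, record deleted
# in LDAP, still served while the link is down (stale), link restored, gone
# once named has reconnected. Argument: record FQDN one label below the apex.
verify_deletion_refresh() {
    local name=$1 rc
    local zone=${name#*.} rr=${name%%.*}   # arecord.newzone -> zone newzone, record arecord
    start_proxy
    sleep 1
    expect_state "$name" present || { stop_proxy; return 1; }
    stop_proxy
    ipa dnsrecord-del "$zone" "$rr" --del-all || return 1   # delete while the link is down
    expect_state "$name" present || return 1               # stale answer is expected here
    start_proxy
    sleep "$RECONNECT_WAIT"
    # Fixed build: deletion picked up -> absent. Buggy build: still present.
    if expect_state "$name" absent; then rc=0; else rc=1; fi
    stop_proxy
    return $rc
}

# Run only when invoked as: ./check.sh --run arecord.newzone
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    verify_deletion_refresh "$2"
fi
```

Run it as root on the IPA master after switching named to the proxy URI and restarting named-pkcs11, exactly as in steps 3 and 4 above; a zero exit status means the deletion was served after reconnecting, a non-zero one reproduces the bug.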
Verified using ipa-server-4.2.0-12.el7.x86_64, bind-dyndb-ldap-8.0-1.el7.x86_64
Steps:
# ipa dnszone-add --name-server=mgmt9.testrelm.test. --admin-email=ipaqar.redhat.com --serial=2010010701 --refresh=303 --retry=101 --expire=1202 --minimum=33 --ttl=55 newzone
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute.
NS record(s) can be edited in zone apex - '@'.
Zone name: newzone.
Active zone: TRUE
Authoritative nameserver: mgmt9.testrelm.test.
Administrator e-mail address: ipaqar.redhat.com
SOA serial: 2010010701
SOA refresh: 303
SOA retry: 101
SOA expire: 1202
SOA minimum: 33
Time to live: 55
BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
# ipa dnsrecord-add newzone arecord --a-rec 1.2.3.4
Record name: arecord
A record: 1.2.3.4
# dig @localhost arecord.newzone
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> @localhost arecord.newzone
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10522
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;arecord.newzone. IN A
;; ANSWER SECTION:
arecord.newzone. 86400 IN A 1.2.3.4
;; AUTHORITY SECTION:
newzone. 55 IN NS mgmt9.testrelm.test.
;; ADDITIONAL SECTION:
mgmt9.testrelm.test. 1200 IN A 10.16.4.19
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Oct 12 11:05:51 EDT 2015
;; MSG SIZE rcvd: 109
# yum install socat
# socat tcp-listen:3899,fork,reuseaddr tcp-connect:127.0.0.1:389
Updated /etc/named.conf
arg "uri ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket";
to
arg "uri ldap://mgmt9.testrelm.test:3899";
# systemctl restart named-pkcs11.service
Verified named is working with dig @localhost arecord.newzone
killed socat (was a cmd running in terminal - ctrl+c'd it)
# ipa dnsrecord-del newzone arecord
No option to delete specific record provided.
Delete all? Yes/No (default No): yes
------------------------
Deleted record "arecord"
------------------------
# dig @localhost arecord.newzone
still sees this record
started socat again
waited 60 secs
# dig @localhost arecord.newzone
does not see this deleted record any more, and this verified that updates were refreshed after reconnecting.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-2301.html