Bug 1184065

Summary: PTR record synchronization for A/AAAA record tuple can fail mysteriously
Product: Red Hat Enterprise Linux 7
Reporter: Petr Spacek <pspacek>
Component: bind-dyndb-ldap
Assignee: Petr Spacek <pspacek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.1
CC: dpal, pspacek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: bind-dyndb-ldap-7.99-1.GIT158e95e.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 10:21:07 UTC

Description Petr Spacek 2015-01-20 14:21:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/155

= Problem =
== What does not work as expected? ==
Martin Basti discovered that PTR record synchronization does not work properly for updates with multiple A/AAAA records in one batch.

It can fail mysteriously if at least one A/AAAA record doesn't belong to a reverse zone managed by the plugin (or if at least one reverse zone is not properly configured for [[BIND9/SyncPTR|SyncPTR feature]]).

This bug does not affect cases where everything is properly configured.


== Steps to Reproduce ==
* Configure a test zone which will contain A/AAAA records
* Enable dynamic updates for given zone
* Enable [[BIND9/SyncPTR|SyncPTR feature]] for given zone
* **Do not** create reverse zones
* Send a dynamic update with multiple IP addresses in one batch. These addresses should not belong to any reverse zone configured for SyncPTR feature. E.g.
{{{
$ nsupdate -g
update add a4.example.com 666 IN AAAA ::1
update add a4.example.com 666 IN AAAA ::2
update add a4.example.com 666 IN AAAA ::3
send
}}}

* Result: Only one record will be added to LDAP and the rest will be ignored.

The problem equally applies to deleting multiple records at once using:
{{{
update del a4.example.com IN AAAA
}}}
In that case only one record will be deleted.
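As an added illustration of the per-record decision this ticket is about (not code from the bug report or from bind-dyndb-ldap), the following Python computes the PTR owner name of every address in a batch and classifies each one by whether it falls under a managed reverse zone, so one unmanaged address is skipped on its own instead of taking the rest of the batch with it. The managed zone list and the sample batch are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed example data (assumption, not taken from the bug report): the
# reverse zones this server is configured to keep in sync via SyncPTR.
# 3.2.1.in-addr.arpa. covers 1.2.3.0/24; the ip6 zone covers ::/64.
MANAGED_REVERSE_ZONES: List[str] = [
    "3.2.1.in-addr.arpa.",
    ".".join(["0"] * 16) + ".ip6.arpa.",
]


def reverse_name(addr: str) -> str:
    """Return the fully qualified PTR owner name for an IPv4/IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def find_reverse_zone(ptr_name: str, zones: List[str]) -> str:
    """Return the longest managed zone containing ptr_name, or '' if none."""
    best = ""
    for zone in zones:
        if ptr_name == zone or ptr_name.endswith("." + zone):
            if len(zone) > len(best):
                best = zone
    return best


def plan_ptr_sync(owner: str, addrs: List[str], zones: List[str]) -> Dict[str, list]:
    """Decide record by record which PTRs in one batch can be synchronised.

    An address without a managed reverse zone (or an unparsable address) is
    reported as skipped; the other addresses in the batch are still handled.
    """
    plan: Dict[str, list] = {"synced": [], "skipped": []}
    for addr in addrs:
        try:
            ptr = reverse_name(addr)
        except ValueError:
            plan["skipped"].append((addr, "", "not a valid IP address"))
            continue
        zone = find_reverse_zone(ptr, zones)
        if not zone:
            plan["skipped"].append((addr, ptr, "no managed reverse zone"))
        else:
            plan["synced"].append((addr, ptr, zone, owner))
    return plan
```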

Comment 1 Petr Spacek 2015-05-15 17:13:50 UTC
Fixed by following upstream commits:
caf4c85b2892b49e567e4464824d4bae5d73929e, 1a36c36b69d490e48c1f04cfe85c064202989a3b, a38479f9739f59fedb8c264c768b7d3044b3692c, f24c80ac80b6f8eae2324123e79c73e0a72492f5, 7dee381afc752f8611ad7d91cb309b721b0097bd, e3b090403b7c9529b84647e0a31e03574dcb08b6, 56ec3b86a63709d6218852c69fce1dbda72e834b, e35f51a752e06d500984faff934267d734e365aa, 41fabef959bd2ed08194c507271e41a26cdac8f4, c42005a3b219879043b59c70372eaddbd3e9e72a, 0aa9c851a71a68efa5342d6b492429d1d96a820b, 4a6f694a5898bdcb90ca758e4521e5afa9c1759b

Comment 4 Petr Spacek 2015-09-10 14:40:45 UTC
This bug was documented as part of rebase bug 1204110.

Comment 5 Namita Soman 2015-10-13 19:09:21 UTC
Verified using bind-dyndb-ldap-8.0-1.el7.x86_64 and ipa-server-4.2.0-12.el7.x86_64

Steps:
* Configure a test zone which will contain A/AAAA records
# ipa dnszone-add --name-server=mgmt9.testrelm.test. --admin-email=ipaqar.redhat.com --serial=2010010701 --refresh=303 --retry=101 --expire=1202 --minimum=33 --ttl=55 newzone
# ipa dnsrecord-add newzone arecord --a-rec 1.2.3.4
# ipa dnsrecord-add newzone aaaa --aaaa-rec='fec0:0:a10:6000:10:16ff:fe98:193'

* Enable dynamic updates for given zone
# ipa dnszone-mod newzone. --dynamic-update=TRUE
# ipa dnszone-mod newzone. --update-policy='grant * wildcard *;'

* Enable [[BIND9/SyncPTR|SyncPTR feature]] for given zone
# ipa dnszone-mod newzone. --allow-sync-ptr=TRUE

* **Do not** create reverse zones

# ipa dnszone-show newzone --all
  dn: idnsname=newzone.,cn=dns,dc=testrelm,dc=test
  Zone name: newzone.
  Active zone: TRUE
  Authoritative nameserver: mgmt9.testrelm.test.
  Administrator e-mail address: ipaqar.redhat.com
  SOA serial: 2010010707
  SOA refresh: 303
  SOA retry: 101
  SOA expire: 1202
  SOA minimum: 33
  Time to live: 666
  BIND update policy: grant * wildcard *;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
  aaaarecord: ::4, ::3, ::2, ::1
  nsrecord: mgmt9.testrelm.test.
  objectclass: idnszone, top, idnsrecord


* Send a dynamic update with multiple IP addresses in one batch. These addresses should not belong to any reverse zone configured for SyncPTR feature.
# kinit -k -t /etc/krb5.keytab host/mgmt9.testrelm.test

# nsupdate -g 
> update add newzone 666 IN AAAA ::2
> update add newzone 666 IN AAAA ::3
> update add newzone 666 IN AAAA ::4
> send

# kinit admin

# ipa dnsrecord-find newzone
  Record name: @
  AAAA record: ::4, ::3, ::2, ::1
  NS record: mgmt9.testrelm.test.

  Record name: _kerberos
  TXT record: TESTRELM.TEST

  Record name: aaaa
  AAAA record: fec0:0:a10:6000:10:16ff:fe98:193

  Record name: arecord
  A record: 1.2.3.4
----------------------------
Number of entries returned 4
----------------------------

Verified all records were added

Comment 7 errata-xmlrpc 2015-11-19 10:21:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2301.html