Bug 1354441
| Summary: | DNS forwarder check is too strict: unable to add sub-domain to already-broken domain | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sudhir Menon <sumenon> |
| Component: | ipa | Assignee: | Petr Spacek <pspacek> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | Aneta Šteflová Petrová <apetrova> |
| Priority: | medium | | |
| Version: | 7.3 | CC: | jpazdziora, nsoman, pspacek, pvoborni, rcritten, sumenon |
| Target Milestone: | rc | Keywords: | Regression, Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.4.0-8.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 05:57:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Sudhir Menon
2016-07-11 10:28:35 UTC
Message "dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type" is not related to this problem at all. In fact, IPA refuses to add the forwarder because initial validation of the domain failed, which was not mentioned in the original bug.

Investigation on the original machine showed this:

# dig @<--forwarder=IP-address> chd.pne.qe.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;chd.pne.qe. IN A

This SERVFAIL (returned by the forwarder configured for the *parent* domain) caused IPA not to add the forwarder for the child domain. The check in IPA can be relaxed to allow this weird case to pass.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6062

Interestingly, I'm unable to reproduce this on a clean install. If you happen to find a reliable reproducer please reopen the bug. Thank you!

Petr,
Shouldn't we display the forward-zones in the 'ipa dnsforwardzone-find' command? Is it because the forwardzone/conditional-forwarder is not handled by ipa-server that the zones are not displayed in the 'ipa dnsforwardzone-find' command output?

[root@master ~]# ipa dnsforwardzone-find
----------------------------
Number of entries returned 0
----------------------------

Okay, I was able to reproduce this problem using two independent IPA DNS servers.

Assume that example.com. is an existing DNS domain hosted on server "srv1":

srv1$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.1
srv1$ ipa dnsrecord-add example.com. f --ns-rec=$(hostname).

Forwarding to IP address 192.0.2.1 will always fail, so any query for the sub-domain f.example.com. will always return an error (SERVFAIL or a timeout).

Now we can try to add the same sub-domain as a forward zone to the second machine, "srv2". For this to work, the srv2 machine needs to see proper DNS delegation of the example.com. domain to machine srv1. As a quick hack we can point the global forwarder on srv2 to srv1.

srv2$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.123

This will error out:

DNS check for domain f.dom-058-218.abc.idm.lab.eng.brq.redhat.com. failed: All nameservers failed to answer the query f.example.com. IN SOA: Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

Fixed upstream: https://fedorahosted.org/freeipa/changeset/b73ef3d7f9c757f1161db6801aadef52dd323195/

Fix is seen. Verified using
ipa-server-4.4.0-7.el7.x86_64
selinux-policy-3.13.1-94.el7.noarch
ipa-server-dns-4.4.0-7.el7.noarch

Observations:

1. With a conditional forwarder for the child domain (chd.pne.qe) existing on the parent domain (pne.qe), tried running the below command:

[root@ipaserver ~]# ipa dnsforwardzone-add chd.pne.qe --forwarder=<IP_Address_child_domain> --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone chd.pne.qe. already exists in DNS and is handled by server(s): win2.chd.pne.qe.

2. Removed the conditional forwarder for the child domain (pne.qe) existing on the parent domain (pne.qe) and tried running the below command again:

[root@ipaserver ~]# ipa dnsforwardzone-add chd.pne.qe --forwarder=<IP_Address_child_domain> --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone chd.pne.qe. already exists in DNS and is handled by server(s): win2.chd.pne.qe.

Conclusion:

1. The error mentioned in the first comment of the bug is no longer seen.
2. dig <child-domain> SOA now returns the proper A and NS record entries for the server.

The below error is no longer seen, which is the fix:

This may take some time, please wait ...
ipa: ERROR: DNS check for domain chd.pne.qe. failed: All nameservers failed to answer the query chd.pne.qe. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

(In reply to Sudhir Menon from comment #16)
> 2. Removed conditional forwarder for child domain (pne.qe) existing on parent
> domain (pne.qe) and tried running the below command again.
>
> [root@ipaserver ~]# ipa dnsforwardzone-add chd.pne.qe
> --forwarder=<IP_Address_child_domain> --forward-policy=only
>
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS zone chd.pne.qe. already exists in DNS and is handled by
> server(s): win2.chd.pne.qe.

This indicates that the conditional forwarder was not removed, or that the domain was resolved using other means, so IPA refused to add the forwarder. You need to:

1. Get SERVFAIL/timeouts when attempting to resolve chd.pne.qe SOA.
2. Add the forwarder for chd.pne.qe into IPA -> this needs to pass without an ERROR message.

Petr,
Forgot to mention that dig chd.pne.qe SOA returns status: SERVFAIL before the forward zone is added in the IPA server.

[root@ipaserver ~]# ipa dnsforwardzone-del chd.pne.qe
--------------------------------------
Deleted DNS forward zone "chd.pne.qe."
--------------------------------------

[root@ipaserver ~]# dig chd.pne.qe SOA

; <<>> DiG 9.9.4-RedHat-9.9.4-36.el7 <<>> chd.pne.qe SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57622
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;chd.pne.qe. IN SOA

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 19 15:34:37 IST 2016
;; MSG SIZE rcvd: 39

Marking the bug as Verified.

1. Able to see SERVFAIL when attempting to resolve the child domain, i.e. chd.pne.qe SOA, when the forward zone is not added in the IPA server and not specified in any other DNS servers. See comment #21.
2. Adding the forwarder for the child domain into IPA works fine without any error when the forwarder for the child domain doesn't exist on any other server.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
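The thread above turns on one decision: what the pre-check in dnsforwardzone-add should do when the "<zone> IN SOA" probe comes back SERVFAIL or times out, as opposed to an authoritative SOA answer (the "already exists in DNS and is handled by server(s)" refusal) or NXDOMAIN. The following is an added illustration of that decision, not FreeIPA's code: a stdlib-only Python model that builds constructed wire-format replies, parses them, and applies both the strict policy (any SERVFAIL/timeout rejects the zone, the behaviour reported in this bug) and the relaxed policy (SERVFAIL/timeouts mean nobody authoritative answered, so the forward zone may be added). The zone and server names are taken from the comments; the function names, the SOA serial and the exact wording of the returned reasons are assumptions of this example.

```python
import struct

TYPE_SOA, CLASS_IN = 6, 1
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode an absolute name such as 'chd.pne.qe.' as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_response(qname, rcode, mname=None):
    """Constructed test data: a minimal wire-format reply to '<qname> IN SOA'.

    With mname set, the reply carries one SOA RR in the answer section, which
    is what a server authoritative for the zone returns.
    """
    flags = 0x8180 | rcode                         # QR, RD, RA bits + rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if mname else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if mname:
        rdata = encode_name(mname) + encode_name("hostmaster." + qname)
        rdata += struct.pack("!IIIII", 2016081901, 3600, 900, 1209600, 3600)
        msg += b"\xc0\x0c"                         # pointer to the question name
        msg += struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_soa_response(msg):
    """Return (rcode, SOA mname or None) for a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):                            # look for an SOA in the answer
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            return rcode, read_name(msg, off)[0]
        off += rdlen
    return rcode, None


def check_forward_zone(zone, replies, relaxed):
    """Decide whether a forward zone for `zone` may be added.

    `replies` holds one wire-format response per resolver tried, or None for
    a timeout. Returns (allowed, reason). `relaxed=False` models the check
    this bug reports; `relaxed=True` models the behaviour after the fix.
    """
    failures = []
    for reply in replies:
        if reply is None:
            failures.append("The DNS operation timed out.")
            continue
        rcode, mname = parse_soa_response(reply)
        if rcode == RCODE_NOERROR and mname:
            return False, ("DNS zone %s already exists in DNS and is handled by "
                           "server(s): %s" % (zone, mname))
        if rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
            return True, "%s: no server is authoritative for %s" % (
                RCODE_NAMES[rcode], zone)
        failures.append(RCODE_NAMES.get(rcode, "rcode %d" % rcode))
    # Only SERVFAILs and timeouts were seen: the parent's forwarder is broken.
    if relaxed:
        return True, "no authoritative answer (%s); adding forwarder anyway" % "; ".join(failures)
    return False, ("DNS check for domain %s failed: All nameservers failed to answer "
                   "the query %s IN SOA: %s" % (zone, zone, "; ".join(failures)))


if __name__ == "__main__":
    zone = "chd.pne.qe."
    broken = [None, build_soa_response(zone, RCODE_SERVFAIL)]
    print(check_forward_zone(zone, broken, relaxed=False))
    print(check_forward_zone(zone, broken, relaxed=True))
    served = [build_soa_response(zone, RCODE_NOERROR, "win2.chd.pne.qe.")]
    print(check_forward_zone(zone, served, relaxed=True))
```

The two observations in the verification comments map onto the two refusals here: while the parent still had a conditional forwarder for chd.pne.qe, the probe got an authoritative SOA and the relaxed check still refused with the "already exists" reason; only once the probe returned SERVFAIL did the relaxed policy let the forward zone through, which is exactly the pass/fail criterion Petr states.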