Bug 1354441

Summary: DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: ipa
Assignee: Petr Spacek <pspacek>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium
Version: 7.3
CC: jpazdziora, nsoman, pspacek, pvoborni, rcritten, sumenon
Target Milestone: rc
Keywords: Regression, Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.4.0-8.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:57:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sudhir Menon 2016-07-11 10:28:35 UTC
Description of problem: named-pkcs11[16354]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

Version-Release number of selected component (if applicable):
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Install IPA server
2. Add forwardzone for parent domain
ipa dnsforwardzone-add pne.qe --forwarder=IP-address --forward-policy=only

3. Add forwardzone for child domain
ipa dnsforwardzone-add chd.pne.qe --forwarder=IP-address --forward-policy=only

4. Check message displayed on the console.

Actual results:

[root@server samba]# ipa dnsforwardzone-add chd.pne.qe --forwarder=10.65.210.99 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain chd.pne.qe. failed: All nameservers failed to answer the query chd.pne.qe. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered
The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

[root@server samba]# systemctl status named-pkcs11.service -l
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-07-11 12:38:30 IST; 2h 28min ago
 Main PID: 16354 (named-pkcs11)
   CGroup: /system.slice/named-pkcs11.service
           └─16354 /usr/sbin/named-pkcs11 -u named
 
Jul 11 12:42:36 server.testrelm.test named-pkcs11[16354]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Jul 11 12:42:36 server.testrelm.test named-pkcs11[16354]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

Expected results:
This should work exactly as in RHEL 7.2, i.e. the forward zone should be added with the IP address for the child/tree domains and be listed in the ipa dnsforwardzone-find output for the parent domain, which is not happening right now.

Additional info:

Comment 3 Petr Spacek 2016-07-11 11:40:34 UTC
Message

dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

is not related to this problem at all.

In fact, IPA refuses to add the forwarder because initial validation of the domain failed, which was not mentioned in the original bug. Investigation on the original machine showed this:

# dig @<--forwarder=IP-address> chd.pne.qe.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;chd.pne.qe.			IN	A


This SERVFAIL (returned by the forwarder configured for the *parent* domain) caused IPA not to add the forwarder for the child domain. The check in IPA can be relaxed to allow this weird case to pass.

Comment 4 Petr Vobornik 2016-07-12 15:53:51 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6062

Comment 6 Petr Spacek 2016-08-08 12:53:01 UTC
Interestingly, I'm unable to reproduce this on clean install. If you happen to find a reliable reproducer please reopen the bug. Thank you!

Comment 10 Sudhir Menon 2016-08-09 18:35:11 UTC
Petr,
Shouldn't we display the forward zones in the 'ipa dnsforwardzone-find' command?
Is it because the forward zone/conditional forwarder is not handled by ipa-server that the zones are not displayed in the 'ipa dnsforwardzone-find' command output?

[root@master ~]# ipa dnsforwardzone-find
----------------------------
Number of entries returned 0
----------------------------

Comment 13 Petr Spacek 2016-08-12 14:33:22 UTC
Okay, I was able to reproduce this problem using two independent IPA DNS servers:

Assume that example.com. is existing DNS domain hosted on server "srv1":
srv1$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.1
srv1$ ipa dnsrecord-add example.com. f --ns-rec=$(hostname).

Forwarding to IP address 192.0.2.1 will always fail so any query for the sub-domain f.example.com. will always return an error (SERVFAIL or a timeout).

Now we can try to add the same sub-domain as forward zone to second machine, "srv2". For this to work, the srv2 machine needs to see proper DNS delegation of example.com. domain to machine srv1. As a quick hack we can point global forwarder on srv2 to srv1.
srv2$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.123

This will error out:
DNS check for domain f.dom-058-218.abc.idm.lab.eng.brq.redhat.com. failed: All nameservers failed to answer the query f.example.com. IN SOA: Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

Comment 16 Sudhir Menon 2016-08-17 17:29:40 UTC
Fix is seen. 

Verified using 
ipa-server-4.4.0-7.el7.x86_64
selinux-policy-3.13.1-94.el7.noarch
ipa-server-dns-4.4.0-7.el7.noarch

Observations:
1. With conditional forwarder for child domain (chd.pne.qe) existing on parent domain (pne.qe), tried running the below command

[root@ipaserver ~]# ipa dnsforwardzone-add chd.pne.qe --forwarder=<IP_Address_child_domain> --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone chd.pne.qe. already exists in DNS and is handled by server(s): win2.chd.pne.qe.

2. Removed conditional forwarder for child domain (pne.qe) existing on parent
domain (pne.qe) and tried running the below command again.

[root@ipaserver ~]# ipa dnsforwardzone-add chd.pne.qe --forwarder=<IP_Address_child_domain> --forward-policy=only

Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone chd.pne.qe. already exists in DNS and is handled by server(s): win2.chd.pne.qe.

Conclusion:
1. The error mentioned in the first comment of the bug is no longer seen.
2. dig <child-domain> SOA now returns the proper A and NS record entries for the server.

Comment 17 Sudhir Menon 2016-08-17 17:30:51 UTC
The error below is no longer seen, which is the fix.

This may take some time, please wait ...
ipa: ERROR: DNS check for domain chd.pne.qe. failed: All nameservers failed to answer the query chd.pne.qe. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered
The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

Comment 18 Petr Spacek 2016-08-18 13:42:50 UTC
(In reply to Sudhir Menon from comment #16)
> 2. Removed conditional forwarder for child domain (pne.qe) existing on parent
> domain (pne.qe) and tried running the below command again.
> 
> [root@ipaserver ~]# ipa dnsforwardzone-add chd.pne.qe
> --forwarder=<IP_Address_child_domain> --forward-policy=only
> 
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS zone chd.pne.qe. already exists in DNS and is handled by
> server(s): win2.chd.pne.qe.

This indicates that the conditional forwarder was not removed or that the domain was resolved using other means so IPA refused to add the forwarder.

You need to:
1. Get SERVFAIL/timeouts when attempting to resolve chd.pne.qe SOA.
2. Add forwarder for chd.pne.qe into IPA.
-> this needs to pass without ERROR message.
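
The pre-flight check that this bug relaxes, written out as an added example (this is a model for illustration, not FreeIPA's own code from ipaserver, which uses dnspython against the local resolver). It serves both the relaxation Petr describes in comment 3 and the pass/fail criteria in comment 18: the strict version refuses a forward zone whenever the SOA query for the name fails, including the SERVFAIL or timeout that a broken forwarder on the *parent* domain produces; the relaxed version lets that case through and keeps only the "zone already exists in DNS and is handled by server(s)" refusal from comment 16. The resolver is a pluggable callable so the logic runs offline; the SoaResult shape, the three constructed resolvers and the server name ipaserver.pne.qe. are assumptions made for the example.

```python
"""Model of the IPA dnsforwardzone-add pre-flight check, before and after
the relaxation from this bug.  Added example, not FreeIPA's own code: the
resolver is injected so the decision logic can be exercised with
constructed answers instead of live DNS."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class DnsCheckError(Exception):
    """Raised when the forward zone must not be added."""


@dataclass
class SoaResult:
    """Outcome of 'dig <name> SOA' as seen from the IPA server.

    rcode: 'NOERROR', 'NXDOMAIN', 'SERVFAIL' or 'TIMEOUT' (no answer at all)
    owner: owner name of the SOA that answered (may be a parent zone)
    nameservers: NS names for 'owner' when the zone exists
    (assumed shape for this example)
    """
    rcode: str
    owner: Optional[str] = None
    nameservers: List[str] = field(default_factory=list)


QueryFn = Callable[[str], SoaResult]


def _refuse_if_handled_elsewhere(zone: str, res: SoaResult) -> None:
    # A SOA owned by the zone itself means the zone already exists in DNS;
    # the refusal names the servers that handle it (see comment 16).
    if res.rcode == "NOERROR" and res.owner == zone and res.nameservers:
        raise DnsCheckError(
            f"DNS zone {zone} already exists in DNS and is handled by "
            f"server(s): {', '.join(res.nameservers)}")
    # NOERROR with a parent's SOA only says the name is unallocated under
    # an existing zone, which is fine for a new forward zone.


def strict_check(zone: str, query: QueryFn) -> None:
    """Behaviour reported in this bug (ipa-server-4.4.0-1): any failure to
    obtain a SOA, including SERVFAIL/timeouts caused by the parent
    domain's forwarder, aborts dnsforwardzone-add."""
    res = query(zone)
    if res.rcode in ("SERVFAIL", "TIMEOUT"):
        raise DnsCheckError(
            f"DNS check for domain {zone} failed: All nameservers failed to "
            f"answer the query {zone} IN SOA ({res.rcode})")
    _refuse_if_handled_elsewhere(zone, res)


def relaxed_check(zone: str, query: QueryFn) -> None:
    """Behaviour after the fix: a sub-domain that cannot currently be
    resolved (SERVFAIL, timeout, NXDOMAIN) is allowed, because repairing
    exactly that is what a conditional forwarder is for.  The only hard
    refusal left is a zone that resolves and is served by other servers."""
    res = query(zone)
    if res.rcode in ("SERVFAIL", "TIMEOUT", "NXDOMAIN"):
        return
    _refuse_if_handled_elsewhere(zone, res)


def outcome(check: Callable[[str, QueryFn], None], zone: str,
            query: QueryFn) -> str:
    """Run one check and report 'added' or the refusal text."""
    try:
        check(zone, query)
        return "added"
    except DnsCheckError as exc:
        return f"refused: {exc}"


# Constructed resolvers reproducing the scenarios in the bug (not captured
# traffic): the parent's forwarder answers SERVFAIL for the child
# (comments 3 and 21); the child zone is already served by
# win2.chd.pne.qe. (comment 16); the child does not exist yet.
def broken_parent_forwarder(name: str) -> SoaResult:
    return SoaResult("SERVFAIL")


def zone_served_elsewhere(name: str) -> SoaResult:
    return SoaResult("NOERROR", owner=name, nameservers=["win2.chd.pne.qe."])


def child_not_yet_delegated(name: str) -> SoaResult:
    return SoaResult("NXDOMAIN", owner="pne.qe.",
                     nameservers=["ipaserver.pne.qe."])  # assumed NS name


if __name__ == "__main__":
    zone = "chd.pne.qe."
    for label, query in (("parent forwarder SERVFAIL", broken_parent_forwarder),
                         ("zone served elsewhere", zone_served_elsewhere),
                         ("child not delegated", child_not_yet_delegated)):
        print(f"{label}:")
        print(f"  strict : {outcome(strict_check, zone, query)}")
        print(f"  relaxed: {outcome(relaxed_check, zone, query)}")
```

The relaxed check accepts a forwarder for a name the server cannot resolve at that moment, so it no longer proves the new forwarder is reachable; after adding the zone, confirm with `dig @127.0.0.1 chd.pne.qe SOA` on the IPA server that the status has changed from SERVFAIL to NOERROR, as comment 16 reports for the verified build.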

Comment 21 Sudhir Menon 2016-08-19 10:05:12 UTC
Petr,

Forgot to mention that the dig chd.pne.qe SOA returns status: SERVFAIL before the forwardzone is added in IPA server.

[root@ipaserver ~]# ipa dnsforwardzone-del chd.pne.qe
--------------------------------------
Deleted DNS forward zone "chd.pne.qe."
--------------------------------------

[root@ipaserver ~]# dig chd.pne.qe SOA
; <<>> DiG 9.9.4-RedHat-9.9.4-36.el7 <<>> chd.pne.qe SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57622
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;chd.pne.qe.			IN	SOA
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 19 15:34:37 IST 2016
;; MSG SIZE  rcvd: 39

Comment 22 Sudhir Menon 2016-08-19 10:16:13 UTC
Marking the bug as Verified.

1. Able to see SERVFAIL when attempting to resolve the child domain, i.e. chd.pne.qe SOA, when the forward zone is not added in the IPA server and not specified on any other DNS servers. See comment #21.

2. Adding forwarder for child domain into IPA works fine without any error, when the forwarder for the child domain doesn't exist on any other server.

Comment 27 errata-xmlrpc 2016-11-04 05:57:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html