Bug 1465187

Summary: bind-dyndb-ldap needs rebuild against bind 9.11.1
Product: [Fedora] Fedora
Component: bind-dyndb-ldap
Version: 26
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Reporter: Stephen Gallagher <sgallagh>
Assignee: Tomas Krizek <tkrizek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, kevin, pbrobinson, pemensik, robatino, thozza, tkrizek, vonsch
Whiteboard: AcceptedBlocker
Fixed In Version: bind-dyndb-ldap-11.1-4.fc26
Last Closed: 2017-06-28 03:52:23 UTC
Type: Bug
Bug Blocks: 1349188
Attachments: Proposed bump and rebuild patch for bind-dyndb-ldap (flags: none)

Description Stephen Gallagher 2017-06-27 00:00:05 UTC
Created attachment 1292076
Proposed bump and rebuild patch for bind-dyndb-ldap

Description of problem:
BIND was updated to version 9.11.1 in Fedora 26, which included a soname bump of libdns from libdns.so.166 to libdns.so.168. As a result, upgrading bind will conflict with bind-dyndb-ldap and cause failures. Attempts to update with `dnf update --allowerasing --best` will cause bind-dyndb-ldap to be removed, potentially breaking a FreeIPA installation.

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-11.1-2.fc26

How reproducible:
Every time

Steps to Reproduce:
1. Install FreeIPA with DNS support which includes bind-dyndb-ldap
2. Update bind to bind-9.11.1-1.P1.fc26

Actual results:
DNF fails (or, in the case of `--allowerasing --best`, removes bind-dyndb-ldap, breaking FreeIPA)

Expected results:
Packages are updated correctly and the system continues to function as expected.

Additional info:
Proposing as a Final Blocker by the final release criterion: "All functional requirements for all Featured Server Roles must be met, without any workarounds being necessary."

The functional requirements[1] for the domain controller role include "The Domain Controller must be capable of serving DNS host records on port 53".

[1] https://fedoraproject.org/wiki/Domain_controller_role_requirements
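
Added example (not part of the original report or of any Fedora tooling): a small pre-update check for the failure described above, which compares the soname capabilities installed packages require with those an update will provide and reports every requirement a soname bump would leave unsatisfied. The libdns versions and package names come from this report; the `libexample.so.1` capability, the `hypothetical-tool` package and the function names are constructed for illustration.

```python
import re

# RPM's automatic library dependencies look like "libdns.so.166()(64bit)".
CAP = re.compile(r"^(lib[\w+.-]+?\.so)\.([\w.]+)\(([^)]*)\)(\(64bit\))?$")


def soname_caps(text):
    """Yield (capability, stem, arch, version) for each soname line in text."""
    for line in text.splitlines():
        m = CAP.match(line.strip())
        if m:
            yield m.group(0), m.group(1), m.group(4) or "", m.group(2)


def broken_by_update(installed_requires, update_provides):
    """Return (package, required capability, versions offered by the update)
    for every requirement whose library is updated under a different soname."""
    exact = set()   # full capability strings the update provides
    offered = {}    # (stem, arch) -> soname versions the update provides
    for cap, stem, arch, ver in soname_caps(update_provides):
        exact.add(cap)
        offered.setdefault((stem, arch), set()).add(ver)
    broken = []
    for pkg, requires in sorted(installed_requires.items()):
        for cap, stem, arch, _ver in soname_caps(requires):
            # Libraries the update does not touch stay satisfied by whatever
            # provides them today, so only updated stems are checked.
            if cap not in exact and (stem, arch) in offered:
                broken.append((pkg, cap, sorted(offered[(stem, arch)])))
    return broken


# Constructed sample input modelled on the report.
INSTALLED_REQUIRES = {
    "bind-dyndb-ldap-11.1-2.fc26":
        "libdns.so.166()(64bit)\nlibexample.so.1()(64bit)\n",
    "hypothetical-tool-1.0-1.fc26": "libexample.so.1()(64bit)\n",
}
UPDATE_PROVIDES = "libdns.so.168()(64bit)\n"  # after bind-9.11.1-1.P1.fc26

if __name__ == "__main__":
    for pkg, cap, new in broken_by_update(INSTALLED_REQUIRES, UPDATE_PROVIDES):
        print(f"{pkg}: needs {cap}, update only offers version(s) {new}")
```

On a real system the two inputs can be taken from `rpm -q --requires <package>` for installed packages and `rpm -qp --provides <file.rpm>` for the candidate update.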

Comment 1 Fedora Update System 2017-06-27 11:33:14 UTC
bind-dyndb-ldap-11.1-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-32abf267d6

Comment 2 Fedora Update System 2017-06-27 20:26:59 UTC
bind-dyndb-ldap-11.1-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-32abf267d6

Comment 3 Adam Williamson 2017-06-27 23:27:59 UTC
In fact this is an even more straightforward blocker: deployment of the domain controller (FreeIPA server) role fails with the updates-testing repository disabled (which is how the final release would ship, of course):

https://openqa.fedoraproject.org/tests/113830

+1 blocker. I've asked the person who submitted the BIND update to be mindful of the updates policy rules about interdependent packages in future.

Comment 4 Kevin Fenzi 2017-06-27 23:30:04 UTC
+1 blocker

Comment 5 Adam Williamson 2017-06-27 23:40:24 UTC
That's +3, which seems enough as this one is a very clear and pretty undebatable blocker.

Comment 6 Fedora Update System 2017-06-28 03:52:23 UTC
bind-dyndb-ldap-11.1-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.