Bug 1843926

Adding  "update-policy { grant rndc-key zonesub ANY; };" 
to every zone helped to fix the issue

The very similar issue is manifesting during host creation when it fail to create DNS record for the host:

  Create IPv4 DNS record for host1.example.com task failed with the following error: ERF12-2357 [ProxyAPI::ProxyException]: Unable to set DNS entry ([RestClient::BadRequest]: 400 Bad Request) for Capsule https://sat.example.com:9090/dns


I tracked the issue down and it's the same problem with nsupdate (update failed: REFUSED)

/var/log/foreman-proxy/proxy.log:
---------------------------------------------------
2020-06-18T20:04:32 f9c81df5 [I] Started POST /dns/ 
2020-06-18T20:04:32 f9c81df5 [D] verifying remote client 192.168.100.1 against trusted_hosts ["sat.example.com"]
2020-06-18T20:04:32 f9c81df5 [D] Finished DNS query getresources for 'host1.example.com' in 1.83 ms
2020-06-18T20:04:32 f9c81df5 [D] running /usr/bin/nsupdate -k /etc/rndc.key 
2020-06-18T20:04:32 f9c81df5 [D] nsupdate: executed - server 127.0.0.1
2020-06-18T20:04:32 f9c81df5 [D] nsupdate: executed - update add host1.example.com. 86400 A 192.168.100.165
2020-06-18T20:04:32 f9c81df5 [D] nsupdate: errors
Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:   6369

;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;example.com.	IN	SOA



;; TSIG PSEUDOSECTION:

rndc-key.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1592525072 300 16 /RDSr6OnJvtUo9oRAovA8Q== 6369 NOERROR 0 



2020-06-18T20:04:32 f9c81df5 [E] Update errors: Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:   6369

;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;example.com.	IN	SOA



;; TSIG PSEUDOSECTION:

rndc-key.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1592525072 300 16 /RDSr6OnJvtUo9oRAovA8Q== 6369 NOERROR 0 



2020-06-18T20:04:32 f9c81df5 [W] Error details for Update errors: Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:   6369

;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;example.com.	IN	SOA



;; TSIG PSEUDOSECTION:

rndc-key.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1592525072 300 16 /RDSr6OnJvtUo9oRAovA8Q== 6369 NOERROR 0 


: <Proxy::Dns::Error>: Update errors: Answer:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:   6369

;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;example.com.	IN	SOA



;; TSIG PSEUDOSECTION:

rndc-key.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1592525072 300 16 /RDSr6OnJvtUo9oRAovA8Q== 6369 NOERROR 0 



/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:56:in `nsupdate_disconnect'
/usr/share/foreman-proxy/modules/dns_nsupdate/dns_nsupdate_main.rb:18:in `do_create'
/usr/share/foreman-proxy/modules/dns_common/dns_common.rb:37:in `create_a_record'
/usr/share/foreman-proxy/modules/dns/dns_api.rb:25:in `block in <class:Api>'
---------------------------------------------------

Running nsupdate manually ends up with the same error:

# /usr/bin/nsupdate -k /etc/rndc.key
> server 127.0.0.1
> update add host1.example.com. 86400 A 192.168.100.165
> send
update failed: REFUSED
> quit


I dont think we need separete BZ for this another occurence of the nsupdate problem.

Created redmine issue https://projects.theforeman.org/issues/30240 from this bug

Upstream bug assigned to ekohlvan

Upstream bug assigned to ekohlvan

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30240 has been resolved.

VERIFIED.

@Satellite 6.8.0 Snap8
foreman-installer-2.1.0-1.el7sat.noarch


# satellite-change-hostname new-satellite.example.com -y -u admin -p changeme sudo: false

Checking hostname validity

Checking overall health of server

Checking credentials

Assembling data for DNS update
updating DNS records with nsupdate:
local 127.0.0.1
zone example.com
update add example.com 10800 SOA new-satellite.example.com. root.example.com 2 86400 3600 604800 3600
update add example.com. 3600 IN NS new-satellite.example.com.
update delete example.com. IN NS satellite.example.com
update delete satellite.example.com A
update add new-satellite.example.com 10800 A 192.168.100.1
send

zone 100.168.192.in-addr.arpa
update add 100.168.192.in-addr.arpa 10800 SOA new-satellite.example.com. root.100.168.192.in-addr.arpa 2 86400 3600 604800 3600
update add 100.168.192.in-addr.arpa. 3600 IN NS new-satellite.example.com.
update delete 100.168.192.in-addr.arpa. IN NS satellite.example.com
send
updating dynamic zone files...
DNS records updated
updating hostname in /etc/hostname
setting hostname
checking if hostname was changed

Updating default Capsule
Updating installation media paths
stopping services
removing old cert rpms
No Match for argument: satellite.example.com-tomcat*
deleting old certs
backed up /var/www/html/pub to /var/www/html/pub/satellite.example.com-20200709121013.backup
updating hostname in /etc/hosts
updating hostname in foreman installer scenarios
updating hostname in hammer configuration
backing up last_scenario.yaml
removing last_scenario.yaml
re-running the installer
foreman-installer --scenario satellite -v --disable-system-checks --certs-regenerate=true --foreman-proxy-register-in-foreman true
cleaning up temporary files
...

>>> satellite-change-hostname finished successfully

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366