Bug 2111181

Summary: CNAME records missing in DNS of locations-enabled domain
Product: Red Hat Enterprise Linux 9
Reporter: Julien Rische <jrische>
Component: ipa
Assignee: Julien Rische <jrische>
Status: CLOSED NOTABUG
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: ftrivino, rcritten, tomek, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-10-31 09:52:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2104185, 2148382

Description Julien Rische 2022-07-26 16:29:57 UTC
When an IPA server is added to a certain location, CNAME records are supposed to replace the following SRV records:

  _ldap._tcp.example.com.
  _kerberos._tcp.example.com.
  _kerberos._udp.example.com.
  _kerberos-master._tcp.example.com.
  _kerberos-master._udp.example.com.
  _kpasswd._tcp.example.com.
  _kpasswd._udp.example.com.

However, in the majority of cases, these records are not replaced:

  $ dig @server-a.example.com _kerberos._udp.example.com. SRV +noall +answer
  _kerberos._udp.example.com. 86400 IN     SRV     0 100 88 server-a.example.com.
  _kerberos._udp.example.com. 86400 IN     SRV     0 100 88 server-b.example.com.

While it should be:

  $ dig @server-a.example.com _kerberos._udp.example.com. SRV +noall +answer
  _kerberos._udp.example.com. 86400 IN  CNAME   _kerberos._udp.a._locations.example.com.
  _kerberos._udp.a._locations.example.com. 86400 IN SRV 0 100 88 server-a.example.com.
  _kerberos._udp.a._locations.example.com. 86400 IN SRV 50 100 88 server-b.example.com.

The issue seems to be occurring during the synchronization from 389ds to bind9, because the CNAME template is there:

  $ ldapsearch -H ldaps://server-a.example.com -QY GSSAPI -LLL -o ldif-wrap=no -s one -b 'idnsname=example.com.,cn=dns,dc=example,dc=com' idnsTemplateAttribute
  dn: idnsname=_ldap._tcp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _ldap._tcp.\{substitutionvariable_ipalocation\}._locations

  dn: idnsname=_kerberos._tcp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _kerberos._tcp.\{substitutionvariable_ipalocation\}._locations

  dn: idnsname=_kerberos._udp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _kerberos._udp.\{substitutionvariable_ipalocation\}._locations

  dn: idnsname=_kerberos-master._tcp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _kerberos-master._tcp.\{substitutionvariable_ipalocation\}._locations

  dn: idnsname=_kerberos-master._udp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _kerberos-master._udp.\{substitutionvariable_ipalocation\}._locations

  dn: idnsname=_kpasswd._tcp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _kpasswd._tcp.\{substitutionvariable_ipalocation\}._locations

  dn: idnsname=_kpasswd._udp,idnsname=example.com.,cn=dns,dc=example,dc=com
  idnsTemplateAttribute;cnamerecord: _kpasswd._udp.\{substitutionvariable_ipalocation\}._locations

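The two `dig` answers above are the whole difference between a locations-aware zone and one where the feature silently did not apply, so it is useful to have a check that tells them apart mechanically. The script below is an added example, not part of this bug report or of FreeIPA's own code: it parses the answer section of `dig <name> SRV +noall +answer` output, reports for each of the seven service names whether the answer is a CNAME into `_locations` backed by SRV records or a plain SRV set at the zone apex (the symptom reported here), and lists which targets a client would try first by SRV priority. The sample answer texts are constructed from the outputs quoted in the report, the zone name `example.com` is assumed, and the status labels are this example's own.

```python
"""Classify IPA service SRV names by whether DNS locations are in effect.

Added example (not from the bug report or FreeIPA). Input is the text of
`dig <name> SRV +noall +answer`, in the layout quoted in the report.
"""
from dataclasses import dataclass

# The seven service names the report says should become location CNAMEs.
SERVICE_NAMES = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos-master._tcp", "_kerberos-master._udp",
    "_kpasswd._tcp", "_kpasswd._udp",
)

# Constructed samples modelled on the two dig outputs in the report.
SRV_ONLY_SAMPLE = """\
_kerberos._udp.example.com. 86400 IN     SRV     0 100 88 server-a.example.com.
_kerberos._udp.example.com. 86400 IN     SRV     0 100 88 server-b.example.com.
"""
LOCATION_SAMPLE = """\
_kerberos._udp.example.com. 86400 IN  CNAME   _kerberos._udp.a._locations.example.com.
_kerberos._udp.a._locations.example.com. 86400 IN SRV 0 100 88 server-a.example.com.
_kerberos._udp.a._locations.example.com. 86400 IN SRV 50 100 88 server-b.example.com.
"""


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_answer(text):
    """Group dig answer lines as {owner: {"CNAME": [targets], "SRV": [Srv, ...]}}.

    Lines that do not look like 'owner ttl IN type rdata' are skipped, so
    comments or blank lines in the input are harmless.
    """
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype, rdata = parts[0], parts[3], parts[4:]
        bucket = records.setdefault(owner, {"CNAME": [], "SRV": []})
        if rtype == "CNAME" and len(rdata) == 1:
            bucket["CNAME"].append(rdata[0])
        elif rtype == "SRV" and len(rdata) == 4:
            bucket["SRV"].append(Srv(int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3]))
    return records


def classify(records, service, zone):
    """Return (status, srv_records) for one service name in the zone.

    "location"          CNAME to <service>.<loc>._locations.<zone> with SRVs behind it
    "srv-only"          plain SRVs at the apex name: locations not applied (the bug)
    "unexpected-cname"  CNAME present but not pointing under _locations.<zone>
    "dangling-cname"    CNAME under _locations but no SRV records at its target
    "missing"           nothing for this name in the answer
    """
    owner = f"{service}.{zone}."
    entry = records.get(owner)
    if entry is None:
        return "missing", []
    if entry["CNAME"]:
        target = entry["CNAME"][0]
        if not (target.startswith(service + ".") and target.endswith(f"._locations.{zone}.")):
            return "unexpected-cname", []
        srvs = records.get(target, {"SRV": []})["SRV"]
        return ("location" if srvs else "dangling-cname"), srvs
    if entry["SRV"]:
        return "srv-only", entry["SRV"]
    return "missing", []


def preferred_targets(srvs):
    """Targets a client tries first: those sharing the lowest SRV priority."""
    if not srvs:
        return []
    best = min(s.priority for s in srvs)
    return sorted(s.target for s in srvs if s.priority == best)


def check_zone(text, zone):
    """Status of every service name in SERVICE_NAMES from one combined dig answer."""
    records = parse_answer(text)
    return {name: classify(records, name, zone)[0] for name in SERVICE_NAMES}


if __name__ == "__main__":
    import sys
    # Pipe real dig output in, or run without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else LOCATION_SAMPLE
    records = parse_answer(text)
    for name in SERVICE_NAMES:
        status, srvs = classify(records, name, "example.com")
        print(f"{name:24s} {status:18s} tried first: {preferred_targets(srvs)}")
```

Concatenate the answers of one `dig` per service name and pipe the result into the script; a healthy locations-enabled server reports `location` for all seven names, and the `preferred_targets` list shows whether the answering server's own location really wins (priority 0 for `server-a`, 50 for `server-b` in the expected output above). A `srv-only` result for any name is the condition described in this report.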
Comment 2 Julien Rische 2022-07-27 14:15:10 UTC
On IPA servers, there are no traces of locations-related CNAME records in the /var/named/data/update.log log file.

The zone dump in /var/named/dyndb-ldap/ipa/master/example.com/raw does not contain expected CNAME records either.

Comment 3 Julien Rische 2022-07-27 15:10:25 UTC
CNAME records are created when the configuration and zones are reloaded manually:

  # rndc reload

However, this command is not supposed to have an impact on dynamic zones:

  # rndc reload example.com.
  rndc: 'reload' failed: dynamic zone

Comment 4 Julien Rische 2022-07-27 16:30:28 UTC
It seems that when assigning a location to a server, the bind9 configuration has to be reloaded using "rndc reconfig" (reloading the configuration after server installation is not enough).