Bug 785884

Summary: Honour TTL when resolving host names
Product: Red Hat Enterprise Linux 6
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: grajaiya, jgalipea, jhrozek, ksiddiqu, prc
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Bug Fix
Doc Text: No documentation needed
Last Closed: 2012-06-20 11:54:27 UTC

Description Stephen Gallagher 2012-01-30 20:25:55 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/811

We agreed on fixing #809 for 1.5.x by resolving host names again after a hardcoded interval when we retry connection to a previously failed service.

But a proper fix is to honour TTL values we get from DNS. This needs a couple of more intrusive changes:
 * do not use `ares_gethostbyname()` which only returns `struct hostent` but rather query directly for A or AAAA records using `ares_query()`
 * change our internal resolver to pass some custom structure that includes the TTL value, not just `struct hostent`
 * expire the host name lookups when the TTL value passes
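
The three changes listed above, carried through in a stand-alone C sketch. This is an added example, not SSSD code: it parses a wire-format A reply directly (what `ares_query()` hands back, where real SSSD code would use c-ares' `ares_parse_a_reply()` and its `struct ares_addrttl` instead of this hand parser), stores the TTL in a custom `struct ttl_addr` rather than a bare `struct hostent`, and expires the entry once the TTL has run out. The reply bytes, the name `ldap.example.com`, the address `192.0.2.10` and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* A resolver result that keeps the record TTL, which struct hostent has no
 * room for. 'expires' is fixed when the answer is parsed, so later cache
 * checks only compare against the clock. (Illustrative type, not SSSD's.) */
struct ttl_addr {
    uint8_t  addr[4];   /* IPv4 address, network byte order */
    uint32_t ttl;       /* TTL from the A record, in seconds */
    time_t   expires;   /* absolute time after which the entry is stale */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Advance past a DNS name (labels or a compression pointer). Returns the
 * offset just after it, or -1 if the name runs off the end of the buffer. */
static long skip_name(const uint8_t *buf, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = buf[off];
        if (l == 0) return (long)(off + 1);
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? (long)(off + 2) : -1;
        off += 1u + l;
    }
    return -1;
}

/* Parse the first IN A record in the answer section of a wire-format DNS
 * reply into *out, stamping its expiry relative to 'now'. Returns 0 on
 * success, -1 if the message is malformed or carries no A record. */
int parse_a_reply(const uint8_t *buf, size_t len, time_t now, struct ttl_addr *out) {
    if (len < 12) return -1;
    uint16_t qdcount = rd16(buf + 4), ancount = rd16(buf + 6);
    size_t off = 12;
    for (uint16_t i = 0; i < qdcount; i++) {      /* skip the question section */
        long n = skip_name(buf, len, off);
        if (n < 0 || (size_t)n + 4 > len) return -1;
        off = (size_t)n + 4;                      /* QTYPE + QCLASS */
    }
    for (uint16_t i = 0; i < ancount; i++) {
        long n = skip_name(buf, len, off);
        if (n < 0 || (size_t)n + 10 > len) return -1;
        off = (size_t)n;
        uint16_t type = rd16(buf + off), rrclass = rd16(buf + off + 2);
        uint32_t ttl = rd32(buf + off + 4);
        uint16_t rdlen = rd16(buf + off + 8);
        off += 10;
        if (off + rdlen > len) return -1;         /* RDATA cut short: reject */
        if (type == 1 && rrclass == 1 && rdlen == 4) {
            memcpy(out->addr, buf + off, 4);
            out->ttl = ttl;
            out->expires = now + (time_t)ttl;     /* TTL 0 => stale at once */
            return 0;
        }
        off += rdlen;                             /* not an A record, skip it */
    }
    return -1;
}

/* The cache check: reuse the address only while its TTL has not passed. */
int ttl_addr_valid(const struct ttl_addr *e, time_t now) { return now < e->expires; }

/* Constructed sample reply (not a real capture):
 *   ldap.example.com. 30 IN A 192.0.2.10, answer name as a 0xC00C pointer. */
static const uint8_t sample_reply[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,   /* header */
    4,'l','d','a','p', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* QNAME */
    0x00,0x01, 0x00,0x01,                                               /* A, IN */
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x1E, 0x00,0x04,    /* RR hdr */
    192,0,2,10                                                          /* RDATA */
};

/* Scalar-returning helpers so the behaviour can be checked without I/O. */
int sample_ttl(void) {
    struct ttl_addr e;
    return parse_a_reply(sample_reply, sizeof sample_reply, 0, &e) == 0 ? (int)e.ttl : -1;
}
int sample_first_octet(void) {
    struct ttl_addr e;
    return parse_a_reply(sample_reply, sizeof sample_reply, 0, &e) == 0 ? e.addr[0] : -1;
}
/* Resolve at 'resolved_at'; is the cached entry still usable at 'check_at'? */
int sample_valid_at(time_t resolved_at, time_t check_at) {
    struct ttl_addr e;
    if (parse_a_reply(sample_reply, sizeof sample_reply, resolved_at, &e) != 0) return -1;
    return ttl_addr_valid(&e, check_at);
}
/* A reply truncated inside RDATA must be rejected, not partially trusted. */
int truncated_reply_rejected(void) {
    struct ttl_addr e;
    return parse_a_reply(sample_reply, sizeof sample_reply - 2, 0, &e) == -1;
}

int main(void) {
    struct ttl_addr e;
    time_t now = time(NULL);
    if (parse_a_reply(sample_reply, sizeof sample_reply, now, &e) != 0) return 1;
    printf("%d.%d.%d.%d ttl=%u, valid until now+%lds\n",
           e.addr[0], e.addr[1], e.addr[2], e.addr[3], e.ttl, (long)(e.expires - now));
    return 0;
}
```

With the 30-second record, an entry resolved at t=1000 is reused at t=1029 and re-resolved at t=1030, which is the behaviour the reproducer in the comments below checks for; the hardcoded-interval approach of #809 would instead reuse it until its own timer fired regardless of what the zone said.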

Comment 1 Jenny Severance 2012-01-30 20:38:07 UTC
Please add step to verify/reproduce this issue. thanks

Comment 2 Jakub Hrozek 2012-01-31 07:51:34 UTC
In general, add an A or AAAA record to DNS with a low TTL value. Log in as a user - that would trigger a name resolution. Change the A record on the DNS server to point to a different IP address. If you try to log in before the TTL has passed, SSSD should still connect to the same server address even though the record has changed on the server. Wait until the TTL is over, then log in again. SSSD should detect that the TTL has already passed and resolve the new address.

In particular, the --ttl option of "ipa dnsrecord-add" might be helpful.

Comment 4 Jakub Hrozek 2012-04-03 18:14:20 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed

Comment 8 errata-xmlrpc 2012-06-20 11:54:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html