Bug 847716

Summary: [RFE] The TTL value for FreeIPA dynamic DNS updates should be configurable
Product: Red Hat Enterprise Linux 7
Reporter: James Hogarth <james.hogarth>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: dpal, grajaiya, jgalipea, jhrozek, ksiddiqu
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.10.0-1.el7.alpha1
Doc Type: Enhancement
Doc Text:
Feature: The SSSD has a new option ipa_dyndns_ttl.
Reason: Previously, the TTL (Time-To-Live) attribute of a DNS record during a DNS dynamic update was hardcoded to 86400 seconds. However, some environments need to set a different value.
Result (if any): The DNS records are now added with the TTL value the ipa_dyndns_ttl option sets. The option defaults to 1200 seconds.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 11:32:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
- This is a proposed patch for RHEL6 to bring the TTL of SSSD inline with the TTL set by ipa-client-install. (Flags: none)

Description James Hogarth 2012-08-13 10:49:07 UTC
Created attachment 603961 [details]
This is a proposed patch for RHEL6 to bring the TTL of SSSD inline with the TTL set by ipa-client-install.

Description of problem:
The TTL on the record added by SSSD is much longer than that put in place by ipa-client-install (86400 seconds instead of 1200).

Version-Release number of selected component (if applicable):
sssd-1.8.0-32.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1) Add a client to IPA including the --enable-dns-updates argument.
2) Verify that the TTL is 1200 seconds on the record after it has been added, as per the value in the ipa-client-install python script.
3) Arrange for the IP address to change in some way on the client.
4) Restart the client.

Actual results:
TTL of record will be 86400 seconds

Expected results:
TTL of record should be 1200 seconds

Additional info:
Although for most use cases 1 day would be fine, in a rapid VM churn environment (e.g. a fresh build host created each time in continuous integration, or something similar) this could cause incorrect resolution, and it is confusing for the user given the change from the initial TTL put in place. In addition, a systems administrator could not override this, since the record is deleted and added by SSSD; as a consequence ipa dnsrecord-mod would only have an effect until the next update and would not maintain the TTL afterwards.

Comment 2 Stephen Gallagher 2012-08-13 11:24:01 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1476

Comment 5 Stephen Gallagher 2012-08-13 12:34:18 UTC
Devel and Quality Engineering have reviewed this request and determined that it will be best solved by a more complete solution in a later release. We would rather see the value be configurable, rather than adjusting it to a different hard-coded value.

Comment 9 Jenny Severance 2013-03-26 16:03:16 UTC
Please provide implementation details and use cases for this new configuration option.

Comment 10 Jakub Hrozek 2013-03-26 18:19:45 UTC
(In reply to comment #9)
> Please provide implementation details and use cases for this new
> configuration option.

Set the ipa_dyndns_ttl option to a value in seconds. Update the client's address using the dyndns functionality. Then view the DNS record on the server, in particular its TTL value. It should match the one provided with the config option.

Comment 11 Jakub Hrozek 2013-03-26 18:30:23 UTC
Not sure what implementation details you are looking for, but there is nothing user visible apart from the single option.

Internally, what the option does is that its value is used as the TTL instead of the previously hardcoded value of 86400 seconds.

Comment 12 James Hogarth 2013-03-26 18:39:57 UTC
As the guy that originally reported this and wrote the patch ;-) 

Use case:
Hostname that changes IP more frequently than once per day... This could be a test VM being rebuilt (which is where I encountered this) or a laptop user moving between subnets.

How to use:
Set the option as mentioned above and as detailed in --help and the man page.

There was a corresponding patch to ipa-client-install on the freeipa-client side to configure this option on install but I don't think it was ever committed... It might be worth checking to avoid the edge case of the initial DNS update by ipa-client-install setting the TTL high (if memory serves though it was only something like 1200 seconds).

However, that has no impact on the functionality of this in sssd 1.10.

Comment 13 Jakub Hrozek 2013-03-26 18:57:39 UTC
Thanks for the details, James, that's going to help our QE test the feature!

Comment 14 James Hogarth 2013-03-26 19:24:01 UTC
No problem. Apologies for not having more detail, but I'm in a restaurant right now.

As one note though, it's best to test the feature either by looking straight at the IPA server with a utility like dig, or by watching for the 'fail' event: the old host record still needs to be in a DNS cache somewhere on or between the system being used for the DNS query and the IPA server.

If there's any additional information useful I'll be able to respond tomorrow or Thursday.

Comment 15 Jenny Severance 2013-03-26 19:24:34 UTC
Thank you James!

Comment 16 Jakub Hrozek 2013-10-04 13:24:18 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 18 Kaleem 2014-01-27 13:29:38 UTC
Verified.

IPA version:
============
------------[RPMs & OS: [RedHat - x86_64]---------
|       ipa-client-3.3.3-15.el7.x86_64
|       sssd-1.11.2-19.el7.x86_64
--------------------------------------------------

Snippet from automation log:
===========================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaclientinstall_bug_847716 The TTL value for FreeIPA dynamic DNS updates should be configurable bz847716
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: uninstall_fornexttest starts
:: [   LOG    ] :: sssd.conf for testing BZ 819982 does not exists
:: [   LOG    ] :: checking for '^nameserver 10.16.46.51' in /etc/resolv.conf
:: [   PASS   ] :: Running 'ssh root.46.51 "echo Secret123|kinit admin;ipa host-del amd-pike-05.testrelm.com"' (Expected 0,1,2, got 0)
:: [   PASS   ] :: Running 'sleep 60' (Expected 0, got 0)
:: [   LOG    ] :: uninstall_fornexttest ends
:: [   LOG    ] :: EXECUTING: ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 --unattended --server=hp-dl380pgen8-02-vm-2.testrelm.com --enable-dns-updates --mkhomedir
:: [   PASS   ] :: Installing ipa client and configuring - with all params (Expected 0, got 0)
:: [   LOG    ] :: execute expect file: /tmp/kinit.10792.exp
:: [   LOG    ] :: Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Capturing TTL value (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain 'Time to live: 1200' 
:: [   PASS   ] :: Assigning em1:0 with ip 192.168.0.1 (Expected 0, got 0)
:: [   PASS   ] :: Capturning ifconfig output (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain 'em1:0' 
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain '192.168.0.1' 
:: [   PASS   ] :: Running 'sed '/cache_credentials/ a debug_level = 0x200' /etc/sssd/sssd.conf > /tmp/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'cp /tmp/sssd.conf /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'sed '/ipa_dyndns_update/ a ipa_dyndns_iface = em1:0' /etc/sssd/sssd.conf > /tmp/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'cp /tmp/sssd.conf /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Capturing TTL value after ip change (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain 'Time to live: 1200' 
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain '192.168.0.1' 
:: [   PASS   ] :: Running 'rm -rf /tmp/bz847716.txt' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1m 17s
:: [   LOG    ] :: Assertions: 22 good, 0 bad
:: [   PASS   ] :: RESULT: ipaclientinstall_bug_847716 The TTL value for FreeIPA dynamic DNS updates should be configurable bz847716
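The verification procedure described in comment 10, the caveat from comment 14 (a caching resolver only reports a counting-down TTL, so the check must be made against the IPA server's authoritative answer) and the "Time to live: 1200" assertion in the automation log above can be combined into one check. The following is an added example, not SSSD, FreeIPA or Red Hat QE code: it reads ipa_dyndns_ttl from an sssd.conf fragment (falling back to the 1200 s default named in the Doc Text), parses the text output of `dig +noall +comments +answer <host> A` and only accepts a match when the answer carries the `aa` flag. The domain name, client name, addresses and dig output are constructed sample data.

```python
"""Check that a host's A record TTL matches sssd.conf's ipa_dyndns_ttl.

Added example (not SSSD/FreeIPA code). Parses an sssd.conf fragment and the
text output of `dig +noall +comments +answer <host> A`; all names, addresses
and dig output below are constructed sample data.
"""
import configparser
import re

# SSSD default for ipa_dyndns_ttl, in seconds (see the Doc Text of this bug).
DEFAULT_DYNDNS_TTL = 1200

# dig answer-section line, e.g. "client.example.test.  1200  IN  A  192.168.0.1"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")
# dig header flags line, e.g. ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, ..."
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);")


def configured_ttl(sssd_conf_text, domain):
    """Return ipa_dyndns_ttl from the [domain/<domain>] section, or SSSD's default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    section = f"domain/{domain}"
    if cp.has_option(section, "ipa_dyndns_ttl"):   # False when the section is absent
        return int(cp.get(section, "ipa_dyndns_ttl"))
    return DEFAULT_DYNDNS_TTL


def parse_dig(output):
    """Parse dig output into (authoritative, [(name, ttl, address), ...])."""
    authoritative = False
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        m = FLAGS_RE.match(line)
        if m:
            authoritative = "aa" in m.group(1).split()
            continue
        m = ANSWER_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return authoritative, records


def check_ttl(sssd_conf_text, domain, dig_output, expected_address=None):
    """Compare the record's TTL with the configured value. Returns (ok, reason)."""
    want = configured_ttl(sssd_conf_text, domain)
    authoritative, records = parse_dig(dig_output)
    if not records:
        return False, "no A record in the answer section"
    if not authoritative:
        # A caching resolver reports the time *remaining* on its copy, which only
        # counts down, so it cannot confirm the value SSSD set; ask the IPA
        # server directly (the point made in comment 14).
        return False, (f"answer is not authoritative (TTL {records[0][1]}s is a "
                       "cache countdown); query the IPA server directly")
    wrong = [(name, ttl) for name, ttl, _ in records if ttl != want]
    if wrong:
        return False, f"TTL {wrong[0][1]}s differs from ipa_dyndns_ttl {want}s"
    if expected_address and expected_address not in [a for _, _, a in records]:
        return False, f"record does not carry {expected_address}"
    return True, f"TTL {want}s matches ipa_dyndns_ttl"


# ---- constructed sample data ----
SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_dyndns_update = True
ipa_dyndns_iface = em1:0
ipa_dyndns_ttl = 1200
"""

# What the authoritative IPA server answers right after the dynamic update.
DIG_AUTHORITATIVE = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
client.example.test.\t1200\tIN\tA\t192.168.0.1
"""

# The same name seen through a caching resolver some minutes later.
DIG_CACHED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
client.example.test.\t873\tIN\tA\t192.168.0.1
"""

# A record that still carries the pre-1.10 hardcoded TTL.
DIG_OLD_TTL = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
client.example.test.\t86400\tIN\tA\t192.168.0.1
"""

if __name__ == "__main__":
    samples = (("authoritative", DIG_AUTHORITATIVE), ("cached", DIG_CACHED),
               ("old ttl", DIG_OLD_TTL))
    for label, out in samples:
        ok, why = check_ttl(SSSD_CONF, "example.test", out, "192.168.0.1")
        print(f"{label:14s} {'PASS' if ok else 'FAIL'}: {why}")
```

Run against a live client, the dig output would come from `dig +noall +comments +answer @<ipa-server> <client-fqdn> A` after the address change and SSSD restart; the cached sample shows why a query through the local resolver cannot stand in for that.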

Comment 19 Ludek Smid 2014-06-13 11:32:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.