Bug 893571
Summary: | Invalid zone is not reloaded after a record change | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Spacek <pspacek> |
Component: | bind-dyndb-ldap | Assignee: | Petr Spacek <pspacek> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | arubin, dpal, jfenal, pspacek, xdong |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | bind-dyndb-ldap-3.5-1.el7 | Doc Type: | Known Issue |
Doc Text: | IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time. A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart. | | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-06-13 12:01:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Petr Spacek
2013-01-09 13:38:22 UTC
Upstream ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/102

Comment

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Comment 4

Final patch is available on https://www.redhat.com/archives/freeipa-devel/2013-January/msg00070.html

Comment

(In reply to comment #4)
> Final patch is available on
> https://www.redhat.com/archives/freeipa-devel/2013-January/msg00070.html

Uh, wrong comment, this is the patch for bug #895083.

Comment

Previous fix was incomplete; it should be completely fixed upstream by commit 1c6373b2f8952b76cb8b93ed8cba8d444d129049.

Comment

For the record, here is how the test should look:

The goal is to ensure that an invalid zone is automatically reloaded if the problem is fixed by the administrator. This is important because IPA dnszone-add creates invalid zones for a short period of time, so an 'invalid' zone can exist even after a proper ipa dnszone-add command. Without this patch or a reload, the zone can be non-functional even after a correct dnszone-add command.

1) Create an invalid zone, e.g. a zone without an IP address for the name in the zone's NS record.
2) Add some TXT record to the zone.
3) Dig the TXT record - it should return SERVFAIL, because the zone is invalid.
4) Add some IP address to the name associated with the NS record.
5) Dig the TXT record again - it should return the proper content.

Output from my machine:

```
# ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns.example.com. --force
  Zone name: example.com.
  Authoritative nameserver: ns.example.com.

# ipa dnsrecord-add example.com. test --txt-rec="hello"
  Record name: test
  TXT record: hello

# dig @127.0.0.1 test.example.com. -t TXT
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;test.example.com.		IN	TXT

# ipa dnsrecord-add example.com. ns --a-rec=127.0.0.1
  Record name: ns
  A record: 127.0.0.1

# dig @127.0.0.1 test.example.com. -t TXT
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10395
;; QUESTION SECTION:
;test.example.com.		IN	TXT
;; ANSWER SECTION:
test.example.com.	86400	IN	TXT	"hello"
;; AUTHORITY SECTION:
example.com.		86400	IN	NS	ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1
```

Comment

Verified on:
ipa-server-3.3.3-6.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64

```
[root@70master ipa-ctl]# echo ""|ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns.example.com. --force
Nameserver IP address:
  Zone name: example.com.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1389799430
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ipa-ctl]# ipa dnsrecord-add example.com. test --txt-rec="hello"
  Record name: test
  TXT record: hello
[root@70master ipa-ctl]# dig @127.0.0.1 test.example.com. -t TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> @127.0.0.1 test.example.com. -t TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18754
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com.		IN	TXT

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 15 10:24:33 EST 2014
;; MSG SIZE  rcvd: 45

[root@70master ipa-ctl]# ipa dnsrecord-add example.com. ns --a-rec=127.0.0.1
  Record name: ns
  A record: 127.0.0.1
[root@70master ipa-ctl]# dig @127.0.0.1 test.example.com. -t TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> @127.0.0.1 test.example.com. -t TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com.		IN	TXT

;; ANSWER SECTION:
test.example.com.	86400	IN	TXT	"hello"

;; AUTHORITY SECTION:
example.com.		86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 15 10:24:50 EST 2014
;; MSG SIZE  rcvd: 96
```

The invalid zone is automatically reloaded.

Comment

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
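The five-step check described in the comments above, automated as an added shell example; this script is not part of the bug report, of FreeIPA or of bind-dyndb-ldap. It assumes the IPA DNS server answers on 127.0.0.1, that `ipa` and `dig` are on PATH when the live steps are requested, and it reuses the zone and record names from the report. The `dig_status` parser only reads dig's `;; ->>HEADER<<-` line, so it is exercised here against constructed header lines of the same shape as the output quoted in the report. The point of polling rather than querying once is that the zone reload is asynchronous: a single lookup immediately after the A record is added may still answer SERVFAIL even on a fixed build.

```shell
#!/bin/sh
# Added example (not from the bug report, FreeIPA or bind-dyndb-ldap):
# automate the SERVFAIL -> NOERROR check that shows an invalid zone is
# reloaded once glue for its NS name exists. Assumes the IPA DNS server
# listens on 127.0.0.1 and that `ipa` and `dig` are on PATH when this
# script is run with the "run" argument.

# Extract the RCODE from dig's header line on stdin, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18754" -> SERVFAIL.
# Prints nothing if no header line is present (e.g. connection refused).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Poll a TXT lookup of $2 against server $1 until the RCODE equals $3
# or $4 seconds (default 30) have passed. Returns 1 on timeout.
wait_for_status() {
    wfs_server=$1 wfs_name=$2 wfs_want=$3 wfs_timeout=${4:-30}
    wfs_elapsed=0
    while [ "$wfs_elapsed" -lt "$wfs_timeout" ]; do
        wfs_got=$(dig "@$wfs_server" "$wfs_name" -t TXT | dig_status)
        if [ "$wfs_got" = "$wfs_want" ]; then
            echo "$wfs_name -> $wfs_got after ${wfs_elapsed}s"
            return 0
        fi
        sleep 1
        wfs_elapsed=$((wfs_elapsed + 1))
    done
    echo "timeout: $wfs_name still ${wfs_got:-no answer}, wanted $wfs_want" >&2
    return 1
}

# Steps 1-5 from the report: create a zone whose NS name has no A/AAAA
# record (invalid), add a TXT record, expect SERVFAIL; then add the A
# record for the NS name and expect the zone to come back as NOERROR
# without any manual rndc reload.
run_repro() {
    zone=example.com.
    echo "" | ipa dnszone-add "$zone" --admin-email="hostmaster.$zone" \
        --name-server="ns.$zone" --force
    ipa dnsrecord-add "$zone" test --txt-rec="hello"
    wait_for_status 127.0.0.1 "test.$zone" SERVFAIL 5 || return 1
    ipa dnsrecord-add "$zone" ns --a-rec=127.0.0.1
    wait_for_status 127.0.0.1 "test.$zone" NOERROR 30
}

# Constructed header lines (same shape as the dig output in the report)
# so dig_status can be exercised without a running name server.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18754'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60922'

# Only touch a live IPA server when explicitly asked.
if [ "${1:-}" = "run" ]; then
    run_repro
fi
```

Run it as `sh repro.sh run` on an IPA server to execute the live steps; without the argument it only defines the functions and sample lines. A non-zero exit from `run_repro` means the zone stayed SERVFAIL after the glue record was added, which is the behaviour this bug fixed.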