With 2.0, we no longer recommend the forwarding/recursive configuration for the BIND server. Actually it's not best for 1.2 either, but oo-diagnostics complains mightily if it's corrected (working on that). Anyway, the point is this section needs some revisions given recent events:

5.2.2.1. Configuring Internal Host Name Resolution

This whole section should be removed. No more need for forwarders.conf.

!!! Procedure 5.3. To Configure Sub-Domain Host Name Resolution: Step 2.

The formatting on this got hosed up, and unfortunately it's really important for the spacing to be right (as in, named won't start if it's wrong). You can't just cut and paste this now and have it work. The way it's supposed to end up is shown in the script (around https://github.com/openshift/openshift-extras/blob/enterprise-2.0/enterprise/install-scripts/generic/openshift.sh#L1845), but I'm kind of hoping you can just revert a change and get this back to something that can be cut and pasted successfully??

Same problem with Procedures 5.4 and 5.5 - I don't think spacing matters, but the ">" shouldn't be in there at the beginning of the line if it's supposed to be cut+pasted! Can this be reverted? This was right in the 1.2 docs: https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html#sect-Configuring_BIND_and_DNS

!!! Procedure 5.5. To Configure a New /etc/named.conf File: Step 1.

Here is the change that I was opening this for in the first place. The recursion line should be changed to "no":

    recursion yes;  =>  recursion no;

The forwarders lines should be removed:

    // set forwarding to the next nearest server (from DHCP response
    forward only;
    include "forwarders.conf";

5.2.3. Verifying the BIND Configuration

With the changes above, our named will no longer answer questions about anything except example.com. The dig query about icann.org won't work. But a "host" command should query their second nameserver.
So I'd suggest this change:

---
Ensure requests for other host names are correctly forwarded by BIND:

    # dig @127.0.0.1 icann.org a

(An example AUTHORITY section:)

    ;; AUTHORITY SECTION:
    icann.org.              85023   IN      NS      a.iana-servers.net.
    icann.org.              85023   IN      NS      c.iana-servers.net.
    icann.org.              85023   IN      NS      ns.icann.org.
    icann.org.              85023   IN      NS      b.iana-servers.net.
    icann.org.              85023   IN      NS      d.iana-servers.net.

==> remove, and append at the end:

Our BIND instance will not answer questions about domains it does not own, but if you have one or more secondary nameservers in /etc/resolv.conf, they will be queried for other domains. Since "dig" asks our nameserver by default, use the "host" command to test this, e.g.:

    # host icann.org
    icann.org has address 192.0.43.7
    icann.org has IPv6 address 2001:500:88:200::7
    icann.org mail is handled by 10 pechora1.icann.org.
    [...]
===
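The named.conf change requested above (recursion off, forwarders gone) is the one that matters for security: a BIND instance that is authoritative for the OpenShift domain but also answers recursive queries for anyone who can reach it is an open resolver, usable for cache-poisoning attempts and DNS amplification. The following is an added example, not code from this bug or from the OSE guide: it takes a constructed sample of the old options block, applies the edits the bug asks for with sed, and checks the result. The helper names (harden_named_options, check_authoritative_only) and the sample block are mine; the sample is a hand-written approximation of the guide's options block, not a copy of it.

```shell
#!/bin/sh
# Added example (not from the bug or the OSE docs): rewrite the recursive /
# forwarding options block into an authoritative-only one, as the bug asks:
#   recursion yes;  ->  recursion no;
#   drop "forward only;", the forwarders.conf include, and its comment line.

# Constructed sample options block, modelled on what the guide used to print.
# It is NOT the guide's text; it exists so the functions below have input.
SAMPLE_OPTIONS='options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    // set forwarding to the next nearest server (from DHCP response
    forward only;
    include "forwarders.conf";
};'

# harden_named_options: read an options block on stdin, write the
# authoritative-only version on stdout. Leading whitespace is preserved
# so the result still pastes cleanly into a terminal or a heredoc.
harden_named_options() {
    sed -e 's/^\([[:space:]]*\)recursion yes;/\1recursion no;/' \
        -e '/^[[:space:]]*\/\/ set forwarding/d' \
        -e '/^[[:space:]]*forward only;/d' \
        -e '/^[[:space:]]*include "forwarders.conf";/d'
}

# check_authoritative_only: return 0 if the text on stdin has recursion
# switched off and no forwarding directives left, 1 otherwise.
check_authoritative_only() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*recursion no;' || return 1
    printf '%s\n' "$conf" | grep -Eq 'forward only;|forwarders\.conf' && return 1
    return 0
}

# Show the before/after when run directly.
printf '%s\n' "$SAMPLE_OPTIONS" | harden_named_options
```

Run it against a real /etc/named.conf with `harden_named_options < /etc/named.conf > /tmp/named.conf.new` and, if BIND is installed, confirm the syntax with `named-checkconf /tmp/named.conf.new` before moving it into place; check_authoritative_only is only a textual sanity check, not a substitute for that. It also only covers the options block: a `forwarders { ... };` statement inside a zone or view would need the same treatment.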
Turns out that the spacing for the .db file in the 1.2 manual *also* doesn't cut/paste correctly, because it includes tabs. I did some fiddling with BIND conf and discovered that it doesn't matter if you use tabs or spaces, and doesn't matter if everything lines up; what *does* matter is that the series of lines that start with space... *must* start with space. And things that have spaces between them must have space :) Just doesn't matter if it's one space or many. But cut and paste to a terminal generally doesn't seem to work if it includes a tab. I think this should do:

cat <<EOF > /var/named/dynamic/${domain}.db
\$ORIGIN .
\$TTL 1 ; 1 seconds (for testing only)
${domain} IN SOA ns1.${domain}. hostmaster.${domain}. (
            2011112904 ; serial
            60         ; refresh (1 minute)
            15         ; retry (15 seconds)
            1800       ; expire (30 minutes)
            10         ; minimum (10 seconds)
            )
        NS  ns1.${domain}.
        MX  10 mail.${domain}.
\$ORIGIN ${domain}.
ns1 A 127.0.0.1
EOF
*** Bug 1051662 has been marked as a duplicate of this bug. ***
The OSE 2 Deployment Guide has been updated to address this BZ.