1060349 – IPA: Unable to add host when ipv6 address already exits

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1060349 - IPA: Unable to add host when ipv6 address already exits

Summary: IPA: Unable to add host when ipv6 address already exits

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1168850
TreeView+	depends on / blocked

Reported:	2014-01-31 21:44 UTC by Jenny Severance
Modified:	2015-03-05 10:10 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.0.3-1.el7
Doc Type:	Known Issue
Doc Text:	The "ipa host-add" command does not verify the existence of AAAA records. As a consequence, "ipa host-add" fails if no A record is available for the host even if an AAAA record exists. To work around this problem, run "ipa host-add" with the "--force" option.
Clone Of:
Environment:
Last Closed:	2015-03-05 10:10:24 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Jenny Severance 2014-01-31 21:44:53 UTC

Description of problem:
If you add ipv6 address for a host and then try to add the host, it fails with an error message that the ipv4 address does not exist.
ipa: ERROR: Host does not have corresponding DNS A record


Automated Testing Results

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-089: Delete host without deleting DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:40:40 ] ::  IPv6 address is 2620:52:0:1060:10:16ff:fe98:245
:: [ 15:40:40 ] ::  Reverse zone: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
------------------------------------------
Deleted host "mytestipv6host.testrelm.com"
------------------------------------------
:: [ 15:40:42 ] ::  Host mytestIPv6host.testrelm.com deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.GBFCZoR4wL/forward_dns_3.out' should contain 'AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245' 
:: [ 15:40:44 ] ::  Final digit.
  Record name: 5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f
  PTR record: mytestipv6host.testrelm.com.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-090: Add host without force option - DNS Record Exists
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:40:46 ] ::  IPv6 address is 2620:52:0:1060:10:16ff:fe98:245
:: [ 15:40:46 ] ::  Reverse zone: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
:: [ 15:40:46 ] ::  EXECUTING: ipa host-add --ip-address=2620:52:0:1060:ffff:16ff:fe98:245 mytestIPv6host.testrelm.com
ipa: ERROR: Host does not have corresponding DNS A record
:: [   FAIL   ] :: Add host DNS entries exist (Expected 0, got 1)
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------
:: [ 15:40:49 ] ::  WARNING: Failed to find host.
:: [   FAIL   ] :: Verifying host was added when DNS records exist. (Expected 0, got 1)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.GBFCZoR4wL/forward_dns_4.out' should contain 'AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245' 
:: [ 15:40:51 ] ::  Final digit.
  Record name: 5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f
  PTR record: mytestipv6host.testrelm.com.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
ipa: ERROR: mytestipv6host.testrelm.com: host not found
:: [ 15:40:54 ] ::  WARNING: Deleting host mytestIPv6host.testrelm.com failed.
:: [   FAIL   ] :: Deleting host without deleting DNS entries (Expected 0, got 2)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.GBFCZoR4wL/forward_dns_41.out' should contain 'AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245' 
:: [   PASS   ] :: Checking nslookup output (Expected 0, got 0)
:: [ 15:41:06 ] ::  nslookup_msg=name = mytestipv6host.testrelm.com
Server:		10.16.98.245
Address:	10.16.98.245#53

5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f.0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.com.

:: [   PASS   ] :: Running 'cat  /tmp/tmp.GBFCZoR4wL/nslookup_2_output.out' (Expected 0, got 0)
5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f.0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.com.
:: [   PASS   ] :: nslookup shows IPAddress exist 


Version-Release number of selected component (if applicable):
ipa-server-3.3.3-13.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. add ipv6 reverse zone
# ipa dnszone-add 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. --admin-email=admin --name-server `hostname`.
  Zone name: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Authoritative nameserver: ipaqa64vmj.testrelm.com.
  Administrator e-mail address: admin.example.com.
  SOA serial: 1391202431
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

2. make sure the record exists

# ipa dnsrecord-find --name=mytestipv6host
Zone name: testrelm.com    
  Record name: mytestipv6host
  AAAA record: 2620:52:0:1060:ffff:16ff:fe98:245
----------------------------
Number of entries returned 1

# ipa dnsrecord-find
Zone name: 0.6.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
  Record name: 5.4.2.0.8.9.e.f.f.f.6.1.f.f.f.f
  PTR record: mytestipv6host.testrelm.com.

  Record name: @
  NS record: ipaqa64vmj.testrelm.com.
----------------------------
Number of entries returned 2
----------------------------

Make sure the host does not exist

# ipa host-find mytestipv6host.testrelm.com
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0

3. Try to add the host

]# ipa host-add mytestipv6host.testrelm.com
ipa: ERROR: Host does not have corresponding DNS A record

]# ipa host-add --ip-address=2620:52:0:1060:ffff:16ff:fe98:245 mytestIPv6host.testrelm.com
ipa: ERROR: IP address 2620:52:0:1060:ffff:16ff:fe98:245 is already assigned in domain testrelm.com.

Only one host exists ..

# ipa host-find
--------------
1 host matched
--------------
  Host name: ipaqa64vmj.testrelm.com
  Principal name: host/ipaqa64vmj.testrelm.com
  Password: False
  Keytab: True
  Managed by: ipaqa64vmj.testrelm.com
  SSH public key fingerprint: 5F:66:46:2F:6A:86:D1:D4:94:9F:54:66:9D:3B:24:CF (ecdsa-sha2-nistp256), 22:8B:BF:E8:56:62:E3:E3:93:B7:36:3F:67:3D:0B:C9 (ssh-rsa)
----------------------------
Number of entries returned 1


Actual results:
Can not add host

Expected results:
Host add command recognizes that the dns record exist - should behave the same as when adding with ipv4 address already exist

Additional info:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-47 Delete host without deleting DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Host myhost.testrelm.com deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-47 Delete host without deleting DNS Record

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-48 Add host without force option - DNS Record Exists
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: EXECUTING: ipa host-add myhost.testrelm.com
:: [   PASS   ] :: Add host DNS entries exist (Expected 0, got 0)
:: [   LOG    ] :: Host name is as expected.
:: [   LOG    ] :: Principal name is as expected.
:: [   PASS   ] :: Verifying host was added when DNS records exist. (Expected 0, got 0)
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-48 Add host without force option - DNS Record Exists

Comment 1 Rob Crittenden 2014-01-31 22:22:59 UTC

Well, I guess from one perspective the error is very clear: there is no A record, just an AAAA record. So I guess the question is, should we extend this test to look for both A and AAAA recoreds? Is that what you're proposing?

Comment 2 Dmitri Pal 2014-02-01 19:22:34 UTC

(In reply to Rob Crittenden from comment #1)
> Well, I guess from one perspective the error is very clear: there is no A
> record, just an AAAA record. So I guess the question is, should we extend
> this test to look for both A and AAAA records? Is that what you're
> proposing?

If I read it right the command fails if the AAAA for the same host is created manually in advance. IMO the logic would be 
a) To check both A and AAAA records when the host is added without specific address. In this case the first attempt to add the host would see that there is already an entry and if the entry with the same name it should proceed. If the entry is with a different name it should fail as now.

Comment 3 Martin Kosek 2014-02-06 09:26:01 UTC

I think we just want to change the check in host-add command to check both A and AAAA records, as Rob said (by doing DNS resolve query, not searching for records in IPA DNS).

Currently, host-add does not respect IPv6-only networks and fails with the described error as it only checks IPv4 address. When host has already IPv6 address defined, admin would always need to add hosts with --force flag to workaround it.

I will file an upstream ticket.

Comment 4 Martin Kosek 2014-02-06 09:26:21 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4164

Comment 6 Petr Viktorin (pviktori) 2014-08-11 14:05:13 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ca001814abe533f19498d4207b5233eff17549a5
https://fedorahosted.org/freeipa/changeset/4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/ca001814abe533f19498d4207b5233eff17549a5
https://fedorahosted.org/freeipa/changeset/4b5a4882497ce7c3ecdf8f898fc695b2309df1b5
ipa-4-0:
https://fedorahosted.org/freeipa/changeset/85b2c786bf53eb2882ab0db2b2cc23ec273b4020
https://fedorahosted.org/freeipa/changeset/2fa1555722ed875a32d3480ea08c5ad420a015a6

Comment 8 Namita Soman 2015-01-26 05:37:38 UTC

Verified automated test passed using ipa-server-4.1.0-15.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-089: Delete host without deleting DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 00:31:47 ] :: IPv6 address is 2620:52:0:1007:221:5eff:fe86:834
:: [ 00:31:47 ] :: Reverse zone: 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
:: [  BEGIN   ] :: Deleting host without deleting DNS entries :: actually running 'deleteHost mytestIPv6host.testrelm.test'
-------------------------------------------
Deleted host "mytestipv6host.testrelm.test"
-------------------------------------------
:: [ 00:31:49 ] :: Host mytestIPv6host.testrelm.test deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [  BEGIN   ] :: Checking for forward DNS entry :: actually running 'ipa dnsrecord-find testrelm.test mytestIPv6host > /tmp/tmp.lX7g8QbUBW/forward_dns_3.out'
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.lX7g8QbUBW/forward_dns_3.out' should contain 'AAAA record: 2620:52:0:1007:ffff:5eff:fe86:834' 
:: [ 00:31:50 ] :: Final digit.
:: [  BEGIN   ] :: Checking for reverse DNS entry :: actually running 'ipa dnsrecord-find 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f'
  Record name: 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f
  PTR record: mytestipv6host.testrelm.test.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-090: Add host without force option - DNS Record Exists bz1060349
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 00:31:52 ] :: IPv6 address is 2620:52:0:1007:221:5eff:fe86:834
:: [ 00:31:53 ] :: Reverse zone: 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa.
:: [ 00:31:53 ] :: EXECUTING: ipa host-add --ip-address=2620:52:0:1007:ffff:5eff:fe86:834 mytestIPv6host.testrelm.test
:: [  BEGIN   ] :: Add host DNS entries exist :: actually running 'ipa host-add mytestIPv6host.testrelm.test'
-----------------------------------------
Added host "mytestipv6host.testrelm.test"
-----------------------------------------
  Host name: mytestipv6host.testrelm.test
  Principal name: host/mytestipv6host.testrelm.test
  Password: False
  Keytab: False
  Managed by: mytestipv6host.testrelm.test
:: [   PASS   ] :: Add host DNS entries exist (Expected 0, got 0)
:: [  BEGIN   ] :: Verifying host was added when DNS records exist. :: actually running 'findHost mytestIPv6host.testrelm.test'
--------------
1 host matched
--------------
  Host name: mytestipv6host.testrelm.test
  Principal name: host/mytestipv6host.testrelm.test
  Password: False
  Keytab: False
  Managed by: mytestipv6host.testrelm.test
----------------------------
Number of entries returned 1
----------------------------
-------------- 1 host matched -------------- Host name: mytestipv6host.testrelm.test Principal name: host/mytestipv6host.testrelm.test Password: False Keytab: False Managed by: mytestipv6host.testrelm.test ---------------------------- Number of entries returned 1 ----------------------------
:: [ 00:31:57 ] :: Host name is as expected.
-------------- 1 host matched -------------- Host name: mytestipv6host.testrelm.test Principal name: host/mytestipv6host.testrelm.test Password: False Keytab: False Managed by: mytestipv6host.testrelm.test ---------------------------- Number of entries returned 1 ----------------------------
:: [ 00:31:57 ] :: Principal name is as expected.
:: [   PASS   ] :: Verifying host was added when DNS records exist. (Expected 0, got 0)
:: [  BEGIN   ] :: Checking for forward DNS entry :: actually running 'ipa dnsrecord-find testrelm.test mytestIPv6host > /tmp/tmp.lX7g8QbUBW/forward_dns_4.out'
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.lX7g8QbUBW/forward_dns_4.out' should contain 'AAAA record: 2620:52:0:1007:ffff:5eff:fe86:834' 
:: [ 00:31:59 ] :: Final digit.
:: [  BEGIN   ] :: Checking for reverse DNS entry :: actually running 'ipa dnsrecord-find 7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa. 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f'
  Record name: 4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f
  PTR record: mytestipv6host.testrelm.test.
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Checking for reverse DNS entry (Expected 0, got 0)
:: [  BEGIN   ] :: Deleting host without deleting DNS entries :: actually running 'deleteHost mytestIPv6host.testrelm.test'
-------------------------------------------
Deleted host "mytestipv6host.testrelm.test"
-------------------------------------------
:: [ 00:32:01 ] :: Host mytestIPv6host.testrelm.test deleted successfully.
:: [   PASS   ] :: Deleting host without deleting DNS entries (Expected 0, got 0)
:: [  BEGIN   ] :: Checking for forward DNS entry :: actually running 'ipa dnsrecord-find testrelm.test mytestIPv6host > /tmp/tmp.lX7g8QbUBW/forward_dns_41.out'
:: [   PASS   ] :: Checking for forward DNS entry (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.lX7g8QbUBW/forward_dns_41.out' should contain 'AAAA record: 2620:52:0:1007:ffff:5eff:fe86:834' 
:: [  BEGIN   ] :: Checking nslookup output :: actually running 'nslookup 2620:52:0:1007:ffff:5eff:fe86:834  > /tmp/tmp.lX7g8QbUBW/nslookup_2_output.out'
:: [   PASS   ] :: Checking nslookup output (Expected 0, got 0)
:: [ 00:32:13 ] :: nslookup_msg=name = mytestipv6host.testrelm.test
:: [  BEGIN   ] :: Running 'cat  /tmp/tmp.lX7g8QbUBW/nslookup_2_output.out'
Server:		127.0.0.1
Address:	127.0.0.1#53

4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f.7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.test.

:: [   PASS   ] :: Command 'cat  /tmp/tmp.lX7g8QbUBW/nslookup_2_output.out' (Expected 0, got 0)
4.3.8.0.6.8.e.f.f.f.e.5.f.f.f.f.7.0.0.1.0.0.0.0.2.5.0.0.0.2.6.2.ip6.arpa	name = mytestipv6host.testrelm.test.
:: [   PASS   ] :: nslookup shows IPAddress exist

Comment 10 errata-xmlrpc 2015-03-05 10:10:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.