Bug 1175384 - DNS zones are not migrated into forward zones if 4.0+ replica is added
Summary: DNS zones are not migrated into forward zones if 4.0+ replica is added
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Linux
medium
unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1114013
Reported: 2014-12-17 15:52 UTC by Martin Bašti
Modified: 2015-03-05 10:19 UTC (History)

Fixed In Version: ipa-4.1.0-14.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:19:06 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:0442 | 0 | normal | SHIPPED_LIVE | Moderate: ipa security, bug fix, and enhancement update | 2015-03-05 14:50:39 UTC

Description Martin Bašti 2014-12-17 15:52:14 UTC
Trac: https://fedorahosted.org/freeipa/ticket/4818

Special IPA 3.x zones are migrated into forward zones only once (if idnsforwardzone), during the first replica upgrade.

If a new replica with version 4.0+ is added, the upgrade will not happen, due to false positive detection if migration is required.


Steps to Reproduce:
1. master(ipa 3.x)# ipa-server-install --setup-dns
2. master# ipa dnszone-add testzone --forwarder=192.0.2.1
3. master# ipa-replica-prepare ipa-replica
4. replica (ipa 4.x)# ipa-replica-install

Actual results:
'testzone' is still master zone

Expected result:
'testzone' is forward zone (was migrated)

Comment 4 Scott Poore 2015-01-20 01:17:19 UTC
Could this one be affected by bug 1176995?  Or more precisely by bug 1183655?

I tried following the steps to reproduce, but I'm hitting bug 1176995 where I can't see host/dns data on the master. If I check on the replica though, I still see it as a regular zone and not a forward zone:

[root@rhel7-1 ~]# rpm -q ipa-server
ipa-server-3.3.3-28.el7.x86_64

[root@rhel7-2 ~]# rpm -q ipa-server
ipa-server-4.1.0-10.el7.x86_64

[root@rhel7-2 ~]#  ipa dnszone-show testzone
ipa: WARNING: DNS forwarder semantics changed since IPA 4.0.
You may want to use forward zones (dnsforwardzone-*) instead.
For more details read the docs.
  Zone name: testzone
  Active zone: TRUE
  Zone forwarders: 192.0.2.1
  Authoritative nameserver: rhel7-1.example.com
  Administrator e-mail address: hostmaster.testzone.
  SOA serial: 1421716043
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

[root@rhel7-2 ~]# ipa dnsforwardzone-find
----------------------------
Number of entries returned 0
----------------------------

So, is this a failure or is this bug dependent on bug 1176995 or bug 1183655?

Comment 5 Martin Bašti 2015-01-20 09:07:29 UTC
Hi Scott, IMO you tested it with an old IPA build.

Fixed In Version: ipa-4.1.0-14.el7

[root@rhel7-2 ~]# rpm -q ipa-server
ipa-server-4.1.0-10.el7.x86_64

HTH

Comment 6 Scott Poore 2015-01-20 13:10:16 UTC
I misread the version there.  Let me recheck this one.

Thanks

Comment 7 Scott Poore 2015-01-20 13:48:59 UTC
Verified.

Version ::

ipa-server-4.1.0-15.el7.x86_64

Results ::

on MASTER before replica install:

[root@rhel7-1 ~]# ipa dnszone-add testzone --forwarder=192.0.2.1
Authoritative nameserver: rhel7-1.example.com 
Administrator e-mail address [hostmaster.testzone.]: 
Nameserver IP address: 192.168.122.71
  Zone name: testzone
  Authoritative nameserver: rhel7-1.example.com
  Administrator e-mail address: hostmaster.testzone.
  SOA serial: 1421760369
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant
                      EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 192.0.2.1
[root@rhel7-1 ~]# ipa dnszone-find
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel7-1.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421760274
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: rhel7-1.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421760280
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: testzone
  Authoritative nameserver: rhel7-1.example.com
  Administrator e-mail address: hostmaster.testzone.
  SOA serial: 1421760369
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 192.0.2.1
----------------------------
Number of entries returned 3
----------------------------


on REPLICA:

[root@rhel7-2 ~]# ipa dnszone-show testzone
ipa: ERROR: testzone.: DNS zone not found
[root@rhel7-2 ~]# ipa dnsforwardzone-show testzone
  Zone name: testzone.
  Active zone: TRUE
  Zone forwarders: 192.0.2.1
  Forward policy: first
[root@rhel7-2 ~]# ipa dnszone-find
  Zone name: example.com
  Active zone: TRUE
  Authoritative nameserver: rhel7-1.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421761252
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: 122.168.192.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: rhel7-1.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421761241
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

So, I am now seeing it as a new forward zone.
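
A check in the spirit of the verification above, as an added example that is not part of the original bug report or of FreeIPA: it reads `ipa dnszone-find` text output and lists master zones that still carry a "Zone forwarders" attribute, which on a 4.x replica are the zones to review for a missed migration. The function names and both sample outputs are constructed for illustration; a master zone with forwarders is not necessarily an error in IPA 4.x, so the result is a review list.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Reads `ipa dnszone-find` text output on
# stdin and prints "<zone> <forwarders>" for every master zone that still
# has a "Zone forwarders" attribute.
zones_with_forwarders() {
    awk '
        function emit() {
            if (zone != "" && fwd != "") print zone " " fwd
            zone = ""; fwd = ""
        }
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        /^[ \t]*Zone name:/ {
            emit()                               # close the previous record
            sub(/^[ \t]*Zone name:[ \t]*/, "")
            sub(/\.$/, "")                       # "testzone." == "testzone"
            zone = $0; next
        }
        /^[ \t]*Zone forwarders:/ {
            sub(/^[ \t]*Zone forwarders:[ \t]*/, "")
            fwd = $0
        }
        END { emit() }
    '
}

# Constructed sample: replica on a build without the fix (zone not migrated).
sample_not_migrated() {
    cat <<'EOF'
  Zone name: example.com
  Active zone: TRUE
  Authoritative nameserver: rhel7-1.example.com.

  Zone name: testzone
  Active zone: TRUE
  Zone forwarders: 192.0.2.1
  Authoritative nameserver: rhel7-1.example.com
EOF
}

# Constructed sample: after the fix, testzone is no longer a master zone.
sample_migrated() {
    cat <<'EOF'
  Zone name: example.com
  Active zone: TRUE
  Authoritative nameserver: rhel7-1.example.com.
EOF
}

sample_not_migrated | zones_with_forwarders
```

On a live replica the same function can be fed directly: `ipa dnszone-find | zones_with_forwarders`.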

Comment 9 errata-xmlrpc 2015-03-05 10:19:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

