RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1215735 - ipa-replica-prepare automatically adds a DNS zone
Summary: ipa-replica-prepare automatically adds a DNS zone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-04-27 15:14 UTC by Aneta Šteflová Petrová
Modified: 2015-11-19 12:03 UTC (History)
6 users (show)

Fixed In Version: ipa-4.2.0-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:03:34 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2362 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 10:40:46 UTC

Description Aneta Šteflová Petrová 2015-04-27 15:14:20 UTC
Description of problem:
In the IPA VM lab, I manually remove the abc.idm.lab.eng.brq.redhat.com. DNS zone before setting up a replica; I only leave a custom DNS zone (such as example.com.). However, running ipa-replica-prepare seems to automatically readd the removed zone.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Delete a DNS zone
2. Run ipa-replica-prepare

Actual results:
The DNS zone deleted in step 1 is present again.

Expected results:
ipa-replica-prepare should not automatically add DNS zones that had been previously removed by the user.

Additional info:
In a VM, the DNS zone should not be present in order to be able to set up a replica of the master server.

Comment 3 Petr Vobornik 2015-04-27 16:13:07 UTC
ipa-replica-prepare adds dns zone of the replica in order to add forward records. 

So if you prepare replica.baz.test but your zone is foo.test then zone baz.test will be added. 

Why(and which) DNS zone should not be present in order to setup replica?

Comment 4 Petr Spacek 2015-04-28 08:14:23 UTC
I agree with Aneta that current behavior is confusing, especially when you have multiple replicas scattered around the globe with names beloging to different sub-domains.

Imagine that a company is using IPA for domain example.com.
Replica in Brno is ipa.brno.example.com.
Replica in Boston is ipa.boston.example.com.

There is no reason to assume that domains brno.example.com. or boston.example.com. have to be hosted on the IPA itself.

IMHO the installer should detect if records for replica-to-be-installed are okay and:
a) do nothing if they are,
b) report and error and possibly offer to create a zone if the zones does not exist and IPA is managing DNS.

Currently the installer always creates the zone even if it already is hosted on a different DNS server which is simply wrong and creates hard-to-debug problems.

Comment 5 Petr Spacek 2015-04-28 08:16:51 UTC
For reference, this is replica-related part of https://fedorahosted.org/freeipa/ticket/3681

Comment 6 Petr Vobornik 2015-04-28 10:21:16 UTC
DNS records and zones are added only if option --ip-address is provided.

--ip-address option serves for adding DNS records. Its help says: "add A and PTR records of the future replica. This option can be used multiple times"

--ip-address option is required only if replica's fqdn is not resolvable, installer tells it by error message as follows:
  Add the --ip-address argument to create a DNS entry.
  "Unable to resolve host name, check /etc/hosts or DNS name resolution"
I'm not sure if this error message is confusing.

Therefore if admin provides --ip-address option, the intention is
a) to add the records to IPA's DNS server
b) the admin is confused or he doesn't know what he is doing. In this case we could improve the message or help.

I.e. to avoid adding the zone, admin should not provide --ip-address and fix his DNS setup if the fqdn is not resolvable.

Comment 8 Petr Spacek 2015-04-28 10:29:54 UTC
Interesting, I did not know about the --ip-address trick. Anyway, IPA should refuse to create DNS zone which already exists elsewhere to avoid exactly this type of confusion.

Comment 9 Petr Vobornik 2015-05-04 08:56:41 UTC
It works as designed. But after a conversation with Petr I agree that this behavior might not always be what the admin wants, e.g., when the added zone is already managed by a different DNS server. It may be still valid use case for testing or other environments.

Therefore ipa-replica-prepare should do as written in comment 4 - most importantly report that the required zone is managed by a different server and offer a solution. 

A possibility could be:
- add DNS record if IPA manages the zone and --ip-address option is provided
- add DNS zone only if admin specifies new --create-dns-zone (proposal for new name) option. This option should be regarded as a more specific --force option. Even if this is specified, ipa-replica-prepare should still warn if the added zone is managed by a different server. If zone in IPA already exists, it should fail - to prevent admins from blindly adding this option.
- fail if zone is missing, --create-dns-zone is no specified but --ip-address is.
- fail if zone is managed by a different DNS server and --ip-address option is specified and --create-dns-zone is not.

Comment 10 Petr Vobornik 2015-05-04 08:58:51 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5014

Comment 11 Tomas Babej 2015-07-07 22:42:11 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6a91893ff50fee6d7c71d9bc982d85a3ec8b7583

Comment 13 Scott Poore 2015-09-15 01:13:29 UTC
Verified.

Version ::

ipa-server-4.2.0-9.el7.x86_64

Results ::

[root@master ~]# ipa-replica-prepare -p Secret123 --ip-address=192.168.122.100 replica.domain.dne
DNS zone domain.dne does not exist in IPA managed DNS server. Either create DNS zone or omit --ip-address option.
Cannot add DNS record

Comment 14 errata-xmlrpc 2015-11-19 12:03:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html


Note You need to log in before you can comment on or make changes to this bug.