Bug 1488732 - fake_mname in named.conf is no longer effective
Summary: fake_mname in named.conf is no longer effective
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Alexander Bokovoy
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-06 06:56 UTC by Martin Kosek
Modified: 2020-12-14 09:53 UTC
Fixed In Version: bind-dyndb-ldap-11.3-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:50:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Description Martin Kosek 2017-09-06 06:56:46 UTC
Description of problem:

Based on what I read in
https://pagure.io/bind-dyndb-ldap
I see:

...
5.1 Configuration options
...
5.1.2 Special DNS features
...
* fake_mname: Ignore value of the idnsSOAmName (primary master DNS name)
attribute and use this value instead. This allows multiple BIND
processes to share one LDAP database and every BIND reports itself as a
primary master in SOA record, for example.


I set it in my RHEL-7.4 setup with the following named.conf configuration:

# tail /etc/named.conf

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
	uri "ldapi://%2fvar%2frun%2fslapd-RHEL75.socket";
	base "cn=dns, dc=rhel75";
	server_id "ipa.rhel75";
	auth_method "sasl";
	sasl_mech "GSSAPI";
	sasl_user "DNS/ipa.rhel75";
	fake_mname "reachable.master.test";
};

... Then I restarted the daemon:

# service named-pkcs11 restart
Redirecting to /bin/systemctl restart named-pkcs11.service

... and read the SOA:

# dig +short -t SOA rhel75.
ipa.rhel75. hostmaster.rhel75. 1504619143 3600 900 1209600 3600

... fake_mname seemed ineffective.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-pkcs11-9.9.4-51.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IdM with DNS component
2. Set fake_mname in named.conf as shown above
3. Restart named-pkcs11.service
4. Check if MNAME part of SOA is updated

Actual results:
It is not updated with fake_mname.

Expected results:
It should be updated.

Additional info:
I expect this would become either a documentation or software fix.

Comment 1 Martin Kosek 2017-09-06 06:58:47 UTC
Thorsten Scherf tested this scenario on a RHEL-7.3 system with the following conf:

$ grep -A4 dynamic-db /etc/named.conf
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket";
    arg "base cn=dns, dc=domain,dc=com";
    arg "fake_mname vm-96.domain.com.";

And it worked for him.

Comment 6 Mohammad Rizwan 2018-01-04 14:16:52 UTC
[root@vm-idm-031 ~]# cat /etc/named.conf
.
.
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
	uri "ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket";
	base "cn=dns, dc=testrelm,dc=test";
	server_id "master.testrelm.test";
	auth_method "sasl";
	sasl_mech "GSSAPI";
	sasl_user "DNS/master.testrelm.test";
	fake_mname "reachable.master.test";
};
[root@vm-idm-031 ~]# systemctl restart named-pkcs11
[root@vm-idm-031 ~]# dig +short -t SOA testrelm.test.
master.testrelm.test. hostmaster.testrelm.test. 1515074331 3600 900 1209600 3600
[root@vm-idm-031 ~]# dig +short -t SOA master.test.
[root@vm-idm-031 ~]# 
[root@vm-idm-031 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)

Comment 8 Petr Vobornik 2018-01-04 16:46:49 UTC
As part of DNS Locations https://pagure.io/freeipa/issue/2008 it is possible to configure it in LDAP in the per-DNS-server configuration.

design page:
* https://docs.pagure.org/bind-dyndb-ldap/Design/PerServerConfigInLDAP.html
* https://www.freeipa.org/page/V4/DNS_Location_Mechanism#DNS_server_configuration
doc: https://pagure.io/bind-dyndb-ldap

Can be set in CLI by:

$ ipa dnsserver-mod ipa.myipa.test --soa-mname-override fake.myipa.test.

dig +short  -t SOA myipa.test
fake.myipa.test. hostmaster.myipa.test. 1515083621 3600 900 1209600 3600

Setting fake_mname in /etc/named.conf didn't work for me either, but that is expected, as /etc/named.conf has lower priority than the LDAP entry according to the design page:

"""
Priority order for configuration

Highest priority is on top:

    DNS zone: idnsZone entry
        SOA MNAME is an exception - server’s config overrides zone’s config
    per-server config in LDAP: idnsServerConfig entry
    global config in LDAP: idnsConfig entry
    per-server config on disk: named.conf
    built-in defaults
"""

Migration should be handled as well:

"""
Upgrade

Following options from named.conf should be migrated to newly created idnsServerConfigObject during IPA upgrade:

    fake_mname -> idnsSOAMName
    forward -> idnsForwardPolicy
    forwarders -> idnsForwarders

At the same time, named.conf needs to be updated to contain server_id option equal to FreeIPA server’s FQDN without trailing period (for consistency with names used in cn=masters).
"""

I did not test the upgrade though.

The only thing to improve I see is bind-dyndb-ldap documentation which doesn't mention the priorities (it is only on the design page).

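The priority order quoted above, worked through in code. This is an added example, not part of the bug report or of bind-dyndb-ldap; it models the five configuration layers from the design page (including the SOA MNAME exception) and checks a `dig +short -t SOA` answer against the MNAME override you expect. Layer names and the option key "soa_mname" are assumptions of the example, and the sample values are constructed from the outputs posted in this bug.

```python
# Added example: resolve the effective bind-dyndb-ldap option under the
# design-page priority order, then verify dig's SOA answer. Layer names
# and the "soa_mname" key are this example's own naming, not the project's.

# Highest priority first, as quoted from the PerServerConfigInLDAP design.
LAYERS = ("zone", "server", "global", "named_conf", "defaults")


def effective_option(option, layers):
    """Return (value, layer) for `option`, where `layers` maps a layer name
    to the options set at that layer; unset layers/options are skipped.
    The design-page exception applies to SOA MNAME: the per-server
    idnsServerConfig entry beats the zone's idnsSOAmName."""
    order = list(LAYERS)
    if option == "soa_mname":
        order.remove("server")
        order.insert(0, "server")   # server config overrides zone config
    for layer in order:
        value = layers.get(layer, {}).get(option)
        if value is not None:
            return value, layer
    return None, None


def parse_soa(short_answer):
    """Parse one line of `dig +short -t SOA` output into a dict."""
    fields = short_answer.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    names = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    rec = dict(zip(names, fields))
    for key in names[2:]:
        rec[key] = int(rec[key])
    return rec


def check_mname(short_answer, expected_mname):
    """True if the SOA MNAME in the dig answer equals the expected override
    (trailing dot and case are normalised before comparing)."""
    def norm(name):
        return name.rstrip(".").lower()
    return norm(parse_soa(short_answer)["mname"]) == norm(expected_mname)


if __name__ == "__main__":
    # Constructed from the bug: zone entry set, fake_mname only in named.conf.
    layers = {"zone": {"soa_mname": "ipa.rhel75."},
              "named_conf": {"soa_mname": "reachable.master.test"}}
    print(effective_option("soa_mname", layers))          # zone wins
    layers["server"] = {"soa_mname": "fake.myipa.test."}  # dnsserver-mod
    print(effective_option("soa_mname", layers))          # server wins
```

Running it shows why the reporter's named.conf setting was silently lost: with no idnsServerConfig entry the zone's idnsSOAmName is the highest layer that sets MNAME, so named.conf never gets a say.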
Comment 11 Alexander Bokovoy 2019-03-13 12:22:27 UTC
I committed a documentation update upstream with https://pagure.io/bind-dyndb-ldap/pull-request/178 to clarify the order priorities after checking it out on a test deployment and also with one of upstream users.

Clarification from freeipa-users@ can be seen at https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/UKMCM5I42M4NS3BLR7T5VH2XHGTA4QE6/

Comment 13 Florence Blanc-Renaud 2020-02-14 14:48:49 UTC
Thank you for taking the time to submit this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.

Comment 18 Kaleem 2020-08-06 08:05:49 UTC
Verified. Following are the snippets picked from runner.log

IPA Version:

2020-08-06T07:29:40+0000 ok: [master.testrealm.test] => (item=ipa-server) => 
2020-08-06T07:29:40+0000   msg:
2020-08-06T07:29:40+0000   - arch: x86_64
2020-08-06T07:29:40+0000     epoch: null
2020-08-06T07:29:40+0000     name: ipa-server
2020-08-06T07:29:40+0000     release: 8.module+el8.3.0+7513+a375844a
2020-08-06T07:29:40+0000     source: rpm
2020-08-06T07:29:40+0000     version: 4.8.7

pytest summary 

2020-08-06T07:39:52+0000 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2020-08-06T07:39:52+0000 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2020-08-06T07:39:52+0000 ==================== 1 passed, 1 warnings in 515.40 seconds ====================

Comment 19 Florence Blanc-Renaud 2020-08-06 16:44:54 UTC
Test added upstream:
master:
https://pagure.io/freeipa/c/592f3fe65986077ec0a19158d061a371c86307c7

Comment 20 Florence Blanc-Renaud 2020-08-07 10:40:57 UTC
Test added upstream:
ipa-4-8:
https://pagure.io/freeipa/c/b93f2a70d09f44a64a320ad558c76536e9b625ad

Comment 23 errata-xmlrpc 2020-11-04 02:50:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670

