Bug 1940463 - TLS-e breaks DNS on DCN edge subnets
Summary: TLS-e breaks DNS on DCN edge subnets
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: ansible-tripleo-ipa
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z7
: 16.1 (Train on RHEL 8.2)
Assignee: Roger Heslop
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-18 13:33 UTC by Ollie Walsh
Modified: 2022-02-23 16:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-02-23 16:12:42 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-319 0 None None None 2022-02-23 16:16:00 UTC

Description Ollie Walsh 2021-03-18 13:33:46 UTC
The default FreeIPA bind config rejects DNS queries from non-local subnets, such as remote sites in OSP 16 DCN deployments.

From /etc/named.conf:
        // If not explicitly set, the ACLs for "allow-query-cache" and
        // "allow-recursion" are set to "localnets; localhost;".
        // If either "allow-query-cache" or "allow-recursion" is set,
        // the other would be set the same value.
        // Please refer to /etc/named/ipa-ext.conf
        // for more informations


The suggested approach of setting the options in /etc/named/ipa-ext.conf does not work. See https://pagure.io/freeipa/issue/8287.

To work around this during dev/testing I edited /etc/named.conf to allow any clients, e.g.:

    options {
      ...
      ...
      ...
      allow-recursion { any; };
      allow-query-cache { any; };
    };


However, IIUC this will not persist across FreeIPA upgrades.

Comment 3 Christian Heimes 2021-03-22 18:10:45 UTC
IPA now has two different named config snippets for customization:

- /etc/named/ipa-options-ext.conf (for options)
- /etc/named/ipa-ext.conf (all other settings)

If "/etc/named/ipa-options-ext.conf" exists, then it's supported.

Comment 4 Ade Lee 2021-03-22 18:34:10 UTC
Just FYI:

https://pagure.io/freeipa/blob/master/f/install/share/bind.ipa-options-ext.conf.template
https://pagure.io/freeipa/blob/master/f/install/share/bind.ipa-ext.conf.template

Seems like we could add to the trusted networks and set recursion enabled for the trusted_network.

At the very least, once we get this working, we should document this. But maybe also we can create a validation to make sure all required config is present.
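As an added illustration of the two ideas in comments 3 and 4 (it is not code from the bug, FreeIPA or tripleo): a POSIX sh helper that renders the options-level ACL lines for /etc/named/ipa-options-ext.conf scoped to the DCN edge subnets rather than "any", plus a validation that flags the "any" workaround from the description. The subnets are constructed sample values; the option names are plain BIND 9 options.

```shell
# Render the allow-recursion / allow-query-cache lines for
# /etc/named/ipa-options-ext.conf. Argument: space-separated list of
# edge subnets (constructed sample values in the tests below).
render_dcn_acl() {
    subnets="$1"
    acl="localhost; localnets;"
    for net in $subnets; do
        acl="$acl $net;"
    done
    printf 'allow-recursion { %s };\nallow-query-cache { %s };\n' "$acl" "$acl"
}

# Validate a named config or snippet file.
#   returns 0: recursion is granted to an explicit ACL list
#   returns 1: recursion (or the cache) is open to "any" (dev-only workaround)
#   returns 2: no allow-recursion directive, i.e. the FreeIPA default
#              "localnets; localhost;" applies and edge sites are refused
check_recursion_acl() {
    conf="$1"
    if grep -Eq '^[[:space:]]*allow-(recursion|query-cache)[[:space:]]*\{[[:space:]]*any;' "$conf"; then
        return 1
    fi
    if grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{' "$conf"; then
        return 0
    fi
    return 2
}
```

Run `render_dcn_acl "<edge subnets>" > /etc/named/ipa-options-ext.conf` on the IPA server and `named-checkconf` afterwards; `check_recursion_acl` is the kind of check a deployment validation could run against that file.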

Comment 5 Ollie Walsh 2021-03-22 20:22:32 UTC
(In reply to Christian Heimes from comment #3)
> IPA now has two different named config snippets for customization:
> 
> - /etc/named/ipa-options-ext.conf (for options)
> - /etc/named/ipa-ext.conf (all other settings)
> 
> If "/etc/named/ipa-options-ext.conf" exists, then it's supported.

The fix landed in RHEL 8.3/4.8.7 AFAICT.

Comment 6 Ollie Walsh 2021-03-22 21:08:20 UTC
Chatting with Ade offline: we don't require the same base RHEL version for IPA and OSP so the simplest solution seems to be just recommending RHEL 8.3+ for the IPA server and documenting how to set the ACLs using the new/fixed approach.

Comment 14 Roger Heslop 2022-02-23 16:12:42 UTC
This information is documented and available in the current release > https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/distributed_compute_node_and_storage_deployment/assembly_tlse-for-dcn

