
Bug 1940463

Summary: TLS-e breaks DNS on DCN edge subnets
Product: Red Hat OpenStack
Reporter: Ollie Walsh <owalsh>
Component: ansible-tripleo-ipa
Assignee: Roger Heslop <rheslop>
Status: CLOSED CURRENTRELEASE
QA Contact: Jeremy Agee <jagee>
Severity: unspecified
Priority: unspecified
Version: 16.1 (Train)
CC: abokovoy, alee, bdobreli, cheimes, chjones, gcharot, owalsh, rheslop, sputhenp
Target Milestone: z7
Keywords: Documentation, Triaged, ZStream
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-02-23 16:12:42 UTC
Type: Bug

Description Ollie Walsh 2021-03-18 13:33:46 UTC
The default FreeIPA bind config rejects DNS queries from non-local subnets, such as remote sites in OSP 16 DCN deployments.

From /etc/named.conf:
        // If not explicitly set, the ACLs for "allow-query-cache" and
        // "allow-recursion" are set to "localnets; localhost;".
        // If either "allow-query-cache" or "allow-recursion" is set,
        // the other would be set the same value.
        // Please refer to /etc/named/ipa-ext.conf
        // for more informations


The suggested approach of setting the options in /etc/named/ipa-ext.conf does not work. See https://pagure.io/freeipa/issue/8287.

To work around this during dev/testing I edited /etc/named.conf to allow any clients, e.g.:

    options {
      ...
      ...
      ...
      allow-recursion { any; };
      allow-query-cache { any; };
    };


However, IIUC this will not persist across FreeIPA upgrades.

Comment 3 Christian Heimes 2021-03-22 18:10:45 UTC
IPA now has two different named config snippets for customization:

- /etc/named/ipa-options-ext.conf (for options)
- /etc/named/ipa-ext.conf (all other settings)

If "/etc/named/ipa-options-ext.conf" exists, then it's supported.

Comment 4 Ade Lee 2021-03-22 18:34:10 UTC
Just FYI:

https://pagure.io/freeipa/blob/master/f/install/share/bind.ipa-options-ext.conf.template
https://pagure.io/freeipa/blob/master/f/install/share/bind.ipa-ext.conf.template

Seems like we could add to the trusted networks and set recursion enabled for the trusted_network.

At the very least, once we get this working, we should document this. But maybe also we can create a validation to make sure all required config is present.

Comment 5 Ollie Walsh 2021-03-22 20:22:32 UTC
(In reply to Christian Heimes from comment #3)
> IPA now has two different named config snippets for customization:
> 
> - /etc/named/ipa-options-ext.conf (for options)
> - /etc/named/ipa-ext.conf (all other settings)
> 
> If "/etc/named/ipa-options-ext.conf" exists, then it's supported.

The fix landed in RHEL 8.3/4.8.7 AFAICT.

Comment 6 Ollie Walsh 2021-03-22 21:08:20 UTC
Chatting with Ade offline: we don't require the same base RHEL version for IPA and OSP so the simplest solution seems to be just recommending RHEL 8.3+ for the IPA server and documenting how to set the ACLs using the new/fixed approach.
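
The fixed approach from comments 3 and 4, as an added example that is not code from this bug or from FreeIPA: the two customization snippets rendered with an explicit ACL for the DCN edge subnets instead of the `any` used in the dev/test workaround, plus a check that no recursion ACL was left open. The ACL name `trusted_network` is the one from comment 4; the subnets and output directory are constructed placeholders, and the syntax check assumes IPA's named.conf includes ipa-options-ext.conf inside its options block.

```shell
# Added example (not from this bug or from FreeIPA): generate the two FreeIPA
# named customization snippets so that only the DCN edge subnets may recurse
# through the IPA DNS server. OUTDIR is /etc/named on a real IPA server
# (RHEL 8.3+ / IPA 4.8.7+, where ipa-options-ext.conf is supported).
set -eu

# write_ipa_dns_acl OUTDIR SUBNET... : writes ipa-ext.conf and ipa-options-ext.conf
write_ipa_dns_acl() {
    outdir=$1; shift
    mkdir -p "$outdir"
    {
        echo '// Networks allowed to use this server as a recursive resolver:'
        echo '// keep localnets/localhost and add only the DCN edge subnets.'
        echo 'acl "trusted_network" {'
        echo '    localnets;'
        echo '    localhost;'
        for net in "$@"; do echo "    $net;"; done
        echo '};'
    } > "$outdir/ipa-ext.conf"
    {
        echo '// Included by IPA inside the options {} block. named copies one'
        echo '// of these onto the other when only one is set, so set both.'
        echo 'allow-recursion { trusted_network; };'
        echo 'allow-query-cache { trusted_network; };'
    } > "$outdir/ipa-options-ext.conf"
}

# acl_is_restricted OUTDIR : succeeds unless a recursion/cache ACL is open to "any"
acl_is_restricted() {
    ! grep -Eq 'allow-(recursion|query-cache)[^{]*\{([^}]*[^[:alnum:]_])?any[^[:alnum:]_]' \
        "$1/ipa-options-ext.conf"
}

# syntax_ok OUTDIR : parse both snippets with named-checkconf when it is
# installed (skipped otherwise), wrapped the way IPA's named.conf includes them.
syntax_ok() {
    command -v named-checkconf >/dev/null 2>&1 || return 0
    scratch=$(mktemp)
    printf 'include "%s/ipa-ext.conf";\noptions { include "%s/ipa-options-ext.conf"; };\n' \
        "$1" "$1" > "$scratch"
    named-checkconf "$scratch"
}

# On a real server: write_ipa_dns_acl /etc/named 192.168.20.0/24 192.168.30.0/24
# then syntax_ok /etc/named, acl_is_restricted /etc/named, and reload named.
```

Unlike the `allow-recursion { any; }` edit to /etc/named.conf, these files live in the locations FreeIPA reserves for customization, so they are not overwritten on upgrade.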

Comment 14 Roger Heslop 2022-02-23 16:12:42 UTC
This information is documented and available in the current release: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/distributed_compute_node_and_storage_deployment/assembly_tlse-for-dcn