Bug 707312
| Summary: | Add support for loading new zones from LDAP | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0 | CC: | benl, dpal, jgalipea, nsoman |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.1.1-1.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: New DNS zones are not available until the bind process is restarted.
Consequence: Whenever a new zone is added all bind servers need to be restarted.
Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds.
Result: New zones are not immediately available to DNS but a restart is no longer required.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 18:22:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 707255 | ||
| Bug Blocks: | 704012 | ||
|
Description
Martin Kosek
2011-05-24 16:35:44 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/826 Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/6a2dfde086bdda62964a9737a300818d2ab24a4b ipa-2-1: https://fedorahosted.org/freeipa/changeset/5a495b91dea527f9ac051655e2fd26ca3f9deab5 is this enough to verify this bug? # ipa dnszone-add new.jgalipea.redhat.com Authoritative nameserver: ipaserver.jgalipea.redhat.com Administrator e-mail address [root.new.jgalipea.redhat.com.]: jgalipea Zone name: new.jgalipea.redhat.com Authoritative nameserver: ipaserver.jgalipea.redhat.com. Administrator e-mail address: jgalipea.redhat.com. SOA serial: 2011051001 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Dynamic update: FALSE # dig new.jgalipea.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> new.jgalipea.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53352 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;new.jgalipea.redhat.com. IN A ;; AUTHORITY SECTION: new.jgalipea.redhat.com. 3600 IN SOA ipaserver.jgalipea.redhat.com. jgalipea.redhat.com. 2011051001 3600 900 1209600 3600 ;; Query time: 2 msec ;; SERVER: 10.16.64.87#53(10.16.64.87) ;; WHEN: Wed Oct 5 14:27:30 2011 ;; MSG SIZE rcvd: 87 version: ipa-server-2.1.1-4.el6.x86_64 No. In this case the dig returned you no "ANSWER SECTION", this means that it couldn't resolve the new zone. Automatic loading of DNS zones from LDAP in RHEL is not immediate, LDAP plugin polls every (by default) 30 seconds if there is a new zone. This means that the new zone may not be resolvable for zero to 30 seconds after it is added.
This is how I would verify it:
# rpm -q ipa-server
ipa-server-2.1.1-101.20111004T0103zgita013597.el6.x86_64
This settings can be used to change the default poll value:
# ipa-dns-install --help
...
--zone-refresh=ZONE_REFRESH
A delay between checks for new DNS zones. Defaults to
30
Going with the default value:
# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.
This includes:
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: y
Directory Manager password:
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.16.255.2
DNS forwarder 10.16.255.2 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [78.16.10.in-addr.arpa.]:
Using reverse zone 78.16.10.in-addr.arpa.
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring named:
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 53: bind
UDP Ports:
* 53: bind
Check if the zone is resolvable. The easiest way is to check SOA record for the new zone (so that we don't have add some records to the zone):
# dig -t soa new.jgalipea.redhat.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11962
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;new.jgalipea.redhat.com. IN SOA
;; AUTHORITY SECTION:
redhat.com. 0 IN SOA s01.rdu.redhat.com. noc.redhat.com. 2011092801 600 1800 604800 600
;; Query time: 24 msec
;; SERVER: 10.16.78.63#53(10.16.78.63)
;; WHEN: Wed Oct 5 16:28:20 2011
;; MSG SIZE rcvd: 89
The zone is NOT resolvable.
Add the new zone:
# ipa dnszone-add new.jgalipea.redhat.com
Authoritative nameserver: vm-063.idm.lab.bos.redhat.com.
Administrator e-mail address [root.new.jgalipea.redhat.com.]:
Zone name: new.jgalipea.redhat.com
Authoritative nameserver: vm-063.idm.lab.bos.redhat.com.
Administrator e-mail address: root.new.jgalipea.redhat.com.
SOA serial: 2011051001
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: FALSE
Wait for 30 seconds and try running the dig again:
# dig -t soa new.jgalipea.redhat.com
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17880
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;new.jgalipea.redhat.com. IN SOA
;; ANSWER SECTION:
new.jgalipea.redhat.com. 86400 IN SOA vm-063.idm.lab.bos.redhat.com. root.new.jgalipea.redhat.com. 2011051001 3600 900 1209600 3600
;; AUTHORITY SECTION:
new.jgalipea.redhat.com. 86400 IN NS vm-063.idm.lab.bos.redhat.com.
;; ADDITIONAL SECTION:
vm-063.idm.lab.bos.redhat.com. 86400 IN A 10.16.78.63
;; Query time: 1 msec
;; SERVER: 10.16.78.63#53(10.16.78.63)
;; WHEN: Wed Oct 5 16:28:41 2011
;; MSG SIZE rcvd: 131
The new zone IS resolvable without nameserver reload.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: New DNS zones are not available until the bind process is restarted.
Consequence: Whenever a new zone is added all bind servers need to be restarted.
Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds.
Result: New zones are not immediately available to DNS but a restart is no longer required.
testing Verified using ipa-server-2.1.3-8.el6.x86_64 dig returned an "ANSWER SECTION", indicating that it could resolve the new zone in 30 sec. Used steps below to verify: [root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38669 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;new.nkrishnan.redhat.com. IN SOA ;; AUTHORITY SECTION: redhat.com. 0 IN SOA s01.rdu.redhat.com. noc.redhat.com. 2011110400 600 1800 604800 600 ;; Query time: 169 msec ;; SERVER: 10.16.18.127#53(10.16.18.127) ;; WHEN: Mon Nov 7 07:21:29 2011 ;; MSG SIZE rcvd: 90 [root@ipa-master ~]# ipa dnszone-add new.nkrishnan.redhat.com Authoritative nameserver: ipa-master.testrelm Administrator e-mail address [root.new.nkrishnan.redhat.com.]: Zone name: new.nkrishnan.redhat.com Authoritative nameserver: ipa-master.testrelm. Administrator e-mail address: root.new.nkrishnan.redhat.com. SOA serial: 2011071101 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Dynamic update: FALSE [root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39322 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;new.nkrishnan.redhat.com. IN SOA ;; ANSWER SECTION: new.nkrishnan.redhat.com. 86400 IN SOA ipa-master.testrelm. root.new.nkrishnan.redhat.com. 2011071101 3600 900 1209600 3600 ;; AUTHORITY SECTION: new.nkrishnan.redhat.com. 86400 IN NS ipa-master.testrelm. ;; ADDITIONAL SECTION: ipa-master.testrelm. 86400 IN A 10.16.18.127 ;; Query time: 1 msec ;; SERVER: 10.16.18.127#53(10.16.18.127) ;; WHEN: Mon Nov 7 07:24:39 2011 ;; MSG SIZE rcvd: 132 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html |