This service will be undergoing disruptive maintenance at 7:00PM UTC, 2020-01-18. It is expected to last approximately one hour.
Bug 707312 - Add support for loading new zones from LDAP
Summary: Add support for loading new zones from LDAP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 707255
Blocks: 704012
TreeView+ depends on / blocked
 
Reported: 2011-05-24 16:35 UTC by Martin Kosek
Modified: 2015-01-04 23:48 UTC (History)
4 users (show)

Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: New DNS zones are not available until the bind process is restarted. Consequence: Whenever a new zone is added all bind servers need to be restarted. Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds. Result: New zones are not immediately available to DNS but a restart is no longer required.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:22:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Martin Kosek 2011-05-24 16:35:44 UTC
Description of problem:
After a dns zone is created with ipa dnszone-add, bind needs to be restarted
before it starts resolving.

When an ipa-dyndb-ldap with automatic zone lookup support is released (BZ 707255), we should integrate it in IPA.

Steps to Reproduce:
1. ipa dnszone-add NEWZONE
2. dig NEWZONE
3.

Actual results:
NEWZONE data are not resolvable until Bind is restarted on the master.

Expected results:
Plugin should reload Bind so that the new zone can be resolved

Additional info:
Upstream ticket for bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/31

Comment 1 Martin Kosek 2011-05-24 16:36:26 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/826

Comment 6 Jenny Severance 2011-10-05 18:28:34 UTC
is this enough to verify this bug?

# ipa dnszone-add new.jgalipea.redhat.com
Authoritative nameserver: ipaserver.jgalipea.redhat.com
Administrator e-mail address [root.new.jgalipea.redhat.com.]: jgalipea@redhat.com
  Zone name: new.jgalipea.redhat.com
  Authoritative nameserver: ipaserver.jgalipea.redhat.com.
  Administrator e-mail address: jgalipea.redhat.com.
  SOA serial: 2011051001
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE

# dig new.jgalipea.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53352
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;new.jgalipea.redhat.com.	IN	A

;; AUTHORITY SECTION:
new.jgalipea.redhat.com. 3600	IN	SOA	ipaserver.jgalipea.redhat.com. jgalipea.redhat.com. 2011051001 3600 900 1209600 3600

;; Query time: 2 msec
;; SERVER: 10.16.64.87#53(10.16.64.87)
;; WHEN: Wed Oct  5 14:27:30 2011
;; MSG SIZE  rcvd: 87


version:
ipa-server-2.1.1-4.el6.x86_64

Comment 7 Martin Kosek 2011-10-05 20:34:28 UTC
No. In this case the dig returned you no "ANSWER SECTION", this means that it couldn't resolve the new zone. Automatic loading of DNS zones from LDAP in RHEL is not immediate, LDAP plugin polls every (by default) 30 seconds if there is a new zone. This means that the new zone may not be resolvable for zero to 30 seconds after it is added.

This is how I would verify it:

# rpm -q ipa-server
ipa-server-2.1.1-101.20111004T0103zgita013597.el6.x86_64


This settings can be used to change the default poll value:

# ipa-dns-install --help
...
  --zone-refresh=ZONE_REFRESH
                        A delay between checks for new DNS zones. Defaults to
                        30

Going with the default value:

# ipa-dns-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Directory Manager password: 

Do you want to configure DNS forwarders? [yes]: 
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.16.255.2
DNS forwarder 10.16.255.2 added
Enter IP address for a DNS forwarder: 
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [78.16.10.in-addr.arpa.]: 
Using reverse zone 78.16.10.in-addr.arpa.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

	You must make sure these network ports are open:
		TCP Ports:
		  * 53: bind
		UDP Ports:
		  * 53: bind


Check if the zone is resolvable. The easiest way is to check SOA record for the new zone (so that we don't have add some records to the zone):

# dig -t soa new.jgalipea.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11962
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;new.jgalipea.redhat.com.	IN	SOA

;; AUTHORITY SECTION:
redhat.com.		0	IN	SOA	s01.rdu.redhat.com. noc.redhat.com. 2011092801 600 1800 604800 600

;; Query time: 24 msec
;; SERVER: 10.16.78.63#53(10.16.78.63)
;; WHEN: Wed Oct  5 16:28:20 2011
;; MSG SIZE  rcvd: 89

The zone is NOT resolvable.


Add the new zone:

# ipa dnszone-add new.jgalipea.redhat.com
Authoritative nameserver: vm-063.idm.lab.bos.redhat.com.
Administrator e-mail address [root.new.jgalipea.redhat.com.]: 
  Zone name: new.jgalipea.redhat.com
  Authoritative nameserver: vm-063.idm.lab.bos.redhat.com.
  Administrator e-mail address: root.new.jgalipea.redhat.com.
  SOA serial: 2011051001
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE


Wait for 30 seconds and try running the dig again:

# dig -t soa new.jgalipea.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17880
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;new.jgalipea.redhat.com.	IN	SOA

;; ANSWER SECTION:
new.jgalipea.redhat.com. 86400	IN	SOA	vm-063.idm.lab.bos.redhat.com. root.new.jgalipea.redhat.com. 2011051001 3600 900 1209600 3600

;; AUTHORITY SECTION:
new.jgalipea.redhat.com. 86400	IN	NS	vm-063.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-063.idm.lab.bos.redhat.com. 86400 IN	A	10.16.78.63

;; Query time: 1 msec
;; SERVER: 10.16.78.63#53(10.16.78.63)
;; WHEN: Wed Oct  5 16:28:41 2011
;; MSG SIZE  rcvd: 131


The new zone IS resolvable without nameserver reload.

Comment 8 Rob Crittenden 2011-10-31 19:14:05 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: New DNS zones are not available until the bind process is restarted.
Consequence: Whenever a new zone is added all bind servers need to be restarted.
Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds.
Result: New zones are not immediately available to DNS but a restart is no longer required.

Comment 9 Namita Soman 2011-11-07 12:17:53 UTC
testing

Comment 10 Namita Soman 2011-11-07 12:29:47 UTC
Verified using ipa-server-2.1.3-8.el6.x86_64

dig returned an "ANSWER SECTION", indicating that it could resolve the new zone in 30 sec.

Used steps below to verify:
[root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;new.nkrishnan.redhat.com.	IN	SOA

;; AUTHORITY SECTION:
redhat.com.		0	IN	SOA	s01.rdu.redhat.com. noc.redhat.com. 2011110400 600 1800 604800 600

;; Query time: 169 msec
;; SERVER: 10.16.18.127#53(10.16.18.127)
;; WHEN: Mon Nov  7 07:21:29 2011
;; MSG SIZE  rcvd: 90




[root@ipa-master ~]# ipa dnszone-add new.nkrishnan.redhat.com
Authoritative nameserver: ipa-master.testrelm
Administrator e-mail address [root.new.nkrishnan.redhat.com.]: 
  Zone name: new.nkrishnan.redhat.com
  Authoritative nameserver: ipa-master.testrelm.
  Administrator e-mail address: root.new.nkrishnan.redhat.com.
  SOA serial: 2011071101
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE



[root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39322
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;new.nkrishnan.redhat.com.	IN	SOA

;; ANSWER SECTION:
new.nkrishnan.redhat.com. 86400	IN	SOA	ipa-master.testrelm. root.new.nkrishnan.redhat.com. 2011071101 3600 900 1209600 3600

;; AUTHORITY SECTION:
new.nkrishnan.redhat.com. 86400	IN	NS	ipa-master.testrelm.

;; ADDITIONAL SECTION:
ipa-master.testrelm.	86400	IN	A	10.16.18.127

;; Query time: 1 msec
;; SERVER: 10.16.18.127#53(10.16.18.127)
;; WHEN: Mon Nov  7 07:24:39 2011
;; MSG SIZE  rcvd: 132

Comment 11 errata-xmlrpc 2011-12-06 18:22:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.