Red Hat Bugzilla – Bug 707312
Add support for loading new zones from LDAP
Last modified: 2015-01-04 18:48:51 EST
Description of problem: After a dns zone is created with ipa dnszone-add, bind needs to be restarted before it starts resolving. When an ipa-dyndb-ldap with automatic zone lookup support is released (BZ 707255), we should integrate it in IPA. Steps to Reproduce: 1. ipa dnszone-add NEWZONE 2. dig NEWZONE 3. Actual results: NEWZONE data are not resolvable until Bind is restarted on the master. Expected results: Plugin should reload Bind so that the new zone can be resolved Additional info: Upstream ticket for bind-dyndb-ldap: https://fedorahosted.org/bind-dyndb-ldap/ticket/31
Upstream ticket: https://fedorahosted.org/freeipa/ticket/826
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/6a2dfde086bdda62964a9737a300818d2ab24a4b ipa-2-1: https://fedorahosted.org/freeipa/changeset/5a495b91dea527f9ac051655e2fd26ca3f9deab5
is this enough to verify this bug? # ipa dnszone-add new.jgalipea.redhat.com Authoritative nameserver: ipaserver.jgalipea.redhat.com Administrator e-mail address [root.new.jgalipea.redhat.com.]: jgalipea@redhat.com Zone name: new.jgalipea.redhat.com Authoritative nameserver: ipaserver.jgalipea.redhat.com. Administrator e-mail address: jgalipea.redhat.com. SOA serial: 2011051001 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Dynamic update: FALSE # dig new.jgalipea.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> new.jgalipea.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53352 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;new.jgalipea.redhat.com. IN A ;; AUTHORITY SECTION: new.jgalipea.redhat.com. 3600 IN SOA ipaserver.jgalipea.redhat.com. jgalipea.redhat.com. 2011051001 3600 900 1209600 3600 ;; Query time: 2 msec ;; SERVER: 10.16.64.87#53(10.16.64.87) ;; WHEN: Wed Oct 5 14:27:30 2011 ;; MSG SIZE rcvd: 87 version: ipa-server-2.1.1-4.el6.x86_64
No. In this case the dig returned you no "ANSWER SECTION", this means that it couldn't resolve the new zone. Automatic loading of DNS zones from LDAP in RHEL is not immediate, LDAP plugin polls every (by default) 30 seconds if there is a new zone. This means that the new zone may not be resolvable for zero to 30 seconds after it is added. This is how I would verify it: # rpm -q ipa-server ipa-server-2.1.1-101.20111004T0103zgita013597.el6.x86_64 This settings can be used to change the default poll value: # ipa-dns-install --help ... --zone-refresh=ZONE_REFRESH A delay between checks for new DNS zones. Defaults to 30 Going with the default value: # ipa-dns-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup DNS for the FreeIPA Server. This includes: * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Existing BIND configuration detected, overwrite? [no]: y Directory Manager password: Do you want to configure DNS forwarders? [yes]: Enter the IP address of DNS forwarder to use, or press Enter to finish. Enter IP address for a DNS forwarder: 10.16.255.2 DNS forwarder 10.16.255.2 added Enter IP address for a DNS forwarder: Do you want to configure the reverse zone? [yes]: Please specify the reverse zone name [78.16.10.in-addr.arpa.]: Using reverse zone 78.16.10.in-addr.arpa. The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring named: [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves done configuring named. ============================================================================== Setup complete You must make sure these network ports are open: TCP Ports: * 53: bind UDP Ports: * 53: bind Check if the zone is resolvable. The easiest way is to check SOA record for the new zone (so that we don't have add some records to the zone): # dig -t soa new.jgalipea.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11962 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;new.jgalipea.redhat.com. IN SOA ;; AUTHORITY SECTION: redhat.com. 0 IN SOA s01.rdu.redhat.com. noc.redhat.com. 2011092801 600 1800 604800 600 ;; Query time: 24 msec ;; SERVER: 10.16.78.63#53(10.16.78.63) ;; WHEN: Wed Oct 5 16:28:20 2011 ;; MSG SIZE rcvd: 89 The zone is NOT resolvable. Add the new zone: # ipa dnszone-add new.jgalipea.redhat.com Authoritative nameserver: vm-063.idm.lab.bos.redhat.com. Administrator e-mail address [root.new.jgalipea.redhat.com.]: Zone name: new.jgalipea.redhat.com Authoritative nameserver: vm-063.idm.lab.bos.redhat.com. Administrator e-mail address: root.new.jgalipea.redhat.com. SOA serial: 2011051001 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Dynamic update: FALSE Wait for 30 seconds and try running the dig again: # dig -t soa new.jgalipea.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17880 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;new.jgalipea.redhat.com. IN SOA ;; ANSWER SECTION: new.jgalipea.redhat.com. 86400 IN SOA vm-063.idm.lab.bos.redhat.com. root.new.jgalipea.redhat.com. 2011051001 3600 900 1209600 3600 ;; AUTHORITY SECTION: new.jgalipea.redhat.com. 86400 IN NS vm-063.idm.lab.bos.redhat.com. ;; ADDITIONAL SECTION: vm-063.idm.lab.bos.redhat.com. 86400 IN A 10.16.78.63 ;; Query time: 1 msec ;; SERVER: 10.16.78.63#53(10.16.78.63) ;; WHEN: Wed Oct 5 16:28:41 2011 ;; MSG SIZE rcvd: 131 The new zone IS resolvable without nameserver reload.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: New DNS zones are not available until the bind process is restarted. Consequence: Whenever a new zone is added all bind servers need to be restarted. Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds. Result: New zones are not immediately available to DNS but a restart is no longer required.
testing
Verified using ipa-server-2.1.3-8.el6.x86_64 dig returned an "ANSWER SECTION", indicating that it could resolve the new zone in 30 sec. Used steps below to verify: [root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38669 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;new.nkrishnan.redhat.com. IN SOA ;; AUTHORITY SECTION: redhat.com. 0 IN SOA s01.rdu.redhat.com. noc.redhat.com. 2011110400 600 1800 604800 600 ;; Query time: 169 msec ;; SERVER: 10.16.18.127#53(10.16.18.127) ;; WHEN: Mon Nov 7 07:21:29 2011 ;; MSG SIZE rcvd: 90 [root@ipa-master ~]# ipa dnszone-add new.nkrishnan.redhat.com Authoritative nameserver: ipa-master.testrelm Administrator e-mail address [root.new.nkrishnan.redhat.com.]: Zone name: new.nkrishnan.redhat.com Authoritative nameserver: ipa-master.testrelm. Administrator e-mail address: root.new.nkrishnan.redhat.com. SOA serial: 2011071101 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Dynamic update: FALSE [root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39322 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;new.nkrishnan.redhat.com. IN SOA ;; ANSWER SECTION: new.nkrishnan.redhat.com. 86400 IN SOA ipa-master.testrelm. root.new.nkrishnan.redhat.com. 2011071101 3600 900 1209600 3600 ;; AUTHORITY SECTION: new.nkrishnan.redhat.com. 86400 IN NS ipa-master.testrelm. ;; ADDITIONAL SECTION: ipa-master.testrelm. 86400 IN A 10.16.18.127 ;; Query time: 1 msec ;; SERVER: 10.16.18.127#53(10.16.18.127) ;; WHEN: Mon Nov 7 07:24:39 2011 ;; MSG SIZE rcvd: 132
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html