707312 – Add support for loading new zones from LDAP

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 707312 - Add support for loading new zones from LDAP

Summary: Add support for loading new zones from LDAP

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:	707255
Blocks:	704012
TreeView+	depends on / blocked

Reported:	2011-05-24 16:35 UTC by Martin Kosek
Modified:	2015-01-04 23:48 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-2.1.1-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: New DNS zones are not available until the bind process is restarted. Consequence: Whenever a new zone is added all bind servers need to be restarted. Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds. Result: New zones are not immediately available to DNS but a restart is no longer required.
Clone Of:
Environment:
Last Closed:	2011-12-06 18:22:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Martin Kosek 2011-05-24 16:35:44 UTC

Description of problem:
After a dns zone is created with ipa dnszone-add, bind needs to be restarted
before it starts resolving.

When an ipa-dyndb-ldap with automatic zone lookup support is released (BZ 707255), we should integrate it in IPA.

Steps to Reproduce:
1. ipa dnszone-add NEWZONE
2. dig NEWZONE
3.

Actual results:
NEWZONE data are not resolvable until Bind is restarted on the master.

Expected results:
Plugin should reload Bind so that the new zone can be resolved

Additional info:
Upstream ticket for bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/31

Comment 1 Martin Kosek 2011-05-24 16:36:26 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/826

Comment 2 Martin Kosek 2011-08-31 14:47:54 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/6a2dfde086bdda62964a9737a300818d2ab24a4b
ipa-2-1: https://fedorahosted.org/freeipa/changeset/5a495b91dea527f9ac051655e2fd26ca3f9deab5

Comment 6 Jenny Severance 2011-10-05 18:28:34 UTC

is this enough to verify this bug?

# ipa dnszone-add new.jgalipea.redhat.com
Authoritative nameserver: ipaserver.jgalipea.redhat.com
Administrator e-mail address [root.new.jgalipea.redhat.com.]: jgalipea
  Zone name: new.jgalipea.redhat.com
  Authoritative nameserver: ipaserver.jgalipea.redhat.com.
  Administrator e-mail address: jgalipea.redhat.com.
  SOA serial: 2011051001
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE

# dig new.jgalipea.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53352
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;new.jgalipea.redhat.com.	IN	A

;; AUTHORITY SECTION:
new.jgalipea.redhat.com. 3600	IN	SOA	ipaserver.jgalipea.redhat.com. jgalipea.redhat.com. 2011051001 3600 900 1209600 3600

;; Query time: 2 msec
;; SERVER: 10.16.64.87#53(10.16.64.87)
;; WHEN: Wed Oct  5 14:27:30 2011
;; MSG SIZE  rcvd: 87


version:
ipa-server-2.1.1-4.el6.x86_64

Comment 7 Martin Kosek 2011-10-05 20:34:28 UTC

No. In this case the dig returned you no "ANSWER SECTION", this means that it couldn't resolve the new zone. Automatic loading of DNS zones from LDAP in RHEL is not immediate, LDAP plugin polls every (by default) 30 seconds if there is a new zone. This means that the new zone may not be resolvable for zero to 30 seconds after it is added.

This is how I would verify it:

# rpm -q ipa-server
ipa-server-2.1.1-101.20111004T0103zgita013597.el6.x86_64


This settings can be used to change the default poll value:

# ipa-dns-install --help
...
  --zone-refresh=ZONE_REFRESH
                        A delay between checks for new DNS zones. Defaults to
                        30

Going with the default value:

# ipa-dns-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Directory Manager password: 

Do you want to configure DNS forwarders? [yes]: 
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.16.255.2
DNS forwarder 10.16.255.2 added
Enter IP address for a DNS forwarder: 
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [78.16.10.in-addr.arpa.]: 
Using reverse zone 78.16.10.in-addr.arpa.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete

	You must make sure these network ports are open:
		TCP Ports:
		  * 53: bind
		UDP Ports:
		  * 53: bind


Check if the zone is resolvable. The easiest way is to check SOA record for the new zone (so that we don't have add some records to the zone):

# dig -t soa new.jgalipea.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11962
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;new.jgalipea.redhat.com.	IN	SOA

;; AUTHORITY SECTION:
redhat.com.		0	IN	SOA	s01.rdu.redhat.com. noc.redhat.com. 2011092801 600 1800 604800 600

;; Query time: 24 msec
;; SERVER: 10.16.78.63#53(10.16.78.63)
;; WHEN: Wed Oct  5 16:28:20 2011
;; MSG SIZE  rcvd: 89

The zone is NOT resolvable.


Add the new zone:

# ipa dnszone-add new.jgalipea.redhat.com
Authoritative nameserver: vm-063.idm.lab.bos.redhat.com.
Administrator e-mail address [root.new.jgalipea.redhat.com.]: 
  Zone name: new.jgalipea.redhat.com
  Authoritative nameserver: vm-063.idm.lab.bos.redhat.com.
  Administrator e-mail address: root.new.jgalipea.redhat.com.
  SOA serial: 2011051001
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE


Wait for 30 seconds and try running the dig again:

# dig -t soa new.jgalipea.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.jgalipea.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17880
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;new.jgalipea.redhat.com.	IN	SOA

;; ANSWER SECTION:
new.jgalipea.redhat.com. 86400	IN	SOA	vm-063.idm.lab.bos.redhat.com. root.new.jgalipea.redhat.com. 2011051001 3600 900 1209600 3600

;; AUTHORITY SECTION:
new.jgalipea.redhat.com. 86400	IN	NS	vm-063.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-063.idm.lab.bos.redhat.com. 86400 IN	A	10.16.78.63

;; Query time: 1 msec
;; SERVER: 10.16.78.63#53(10.16.78.63)
;; WHEN: Wed Oct  5 16:28:41 2011
;; MSG SIZE  rcvd: 131


The new zone IS resolvable without nameserver reload.

Comment 8 Rob Crittenden 2011-10-31 19:14:05 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: New DNS zones are not available until the bind process is restarted.
Consequence: Whenever a new zone is added all bind servers need to be restarted.
Fix: An updated bind-dyndb-ldap package added a zone refresh option that IPA can use to refresh the zone list in DNS. The default setting is 30 seconds.
Result: New zones are not immediately available to DNS but a restart is no longer required.

Comment 9 Namita Soman 2011-11-07 12:17:53 UTC

testing

Comment 10 Namita Soman 2011-11-07 12:29:47 UTC

Verified using ipa-server-2.1.3-8.el6.x86_64

dig returned an "ANSWER SECTION", indicating that it could resolve the new zone in 30 sec.

Used steps below to verify:
[root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;new.nkrishnan.redhat.com.	IN	SOA

;; AUTHORITY SECTION:
redhat.com.		0	IN	SOA	s01.rdu.redhat.com. noc.redhat.com. 2011110400 600 1800 604800 600

;; Query time: 169 msec
;; SERVER: 10.16.18.127#53(10.16.18.127)
;; WHEN: Mon Nov  7 07:21:29 2011
;; MSG SIZE  rcvd: 90




[root@ipa-master ~]# ipa dnszone-add new.nkrishnan.redhat.com
Authoritative nameserver: ipa-master.testrelm
Administrator e-mail address [root.new.nkrishnan.redhat.com.]: 
  Zone name: new.nkrishnan.redhat.com
  Authoritative nameserver: ipa-master.testrelm.
  Administrator e-mail address: root.new.nkrishnan.redhat.com.
  SOA serial: 2011071101
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE



[root@ipa-master ~]# dig -t soa new.nkrishnan.redhat.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-7.P3.el6 <<>> -t soa new.nkrishnan.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39322
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;new.nkrishnan.redhat.com.	IN	SOA

;; ANSWER SECTION:
new.nkrishnan.redhat.com. 86400	IN	SOA	ipa-master.testrelm. root.new.nkrishnan.redhat.com. 2011071101 3600 900 1209600 3600

;; AUTHORITY SECTION:
new.nkrishnan.redhat.com. 86400	IN	NS	ipa-master.testrelm.

;; ADDITIONAL SECTION:
ipa-master.testrelm.	86400	IN	A	10.16.18.127

;; Query time: 1 msec
;; SERVER: 10.16.18.127#53(10.16.18.127)
;; WHEN: Mon Nov  7 07:24:39 2011
;; MSG SIZE  rcvd: 132

Comment 11 errata-xmlrpc 2011-12-06 18:22:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.