Bug 785883 - check DNS records before updates
Summary: check DNS records before updates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-30 20:23 UTC by Stephen Gallagher
Modified: 2020-05-02 16:18 UTC
CC List: 4 users

Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Bug Fix
Doc Text:
No documentation needed
Clone Of:
Environment:
Last Closed: 2012-06-20 11:54:24 UTC
Target Upstream Version:




Links:
System ID: Github SSSD sssd issues 1844 | Private: 0 | Priority: None | Status: closed | Summary: check DNS records before updates | Last Updated: 2020-05-02 16:18:58 UTC
System ID: Red Hat Product Errata RHBA-2012:0747 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: sssd bug fix and enhancement update | Last Updated: 2012-06-19 19:31:43 UTC

Description Stephen Gallagher 2012-01-30 20:23:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/802

Although ipa_dyndns_update is really an awesome feature, it occurred to me that it always unconditionally attempts an update even if the record is already correct.

It would be advisable to verify an update is actually needed before performing it, because modification of the DNS tables is not free of cost and should be avoided when not necessary.

In the ipa case it increases the amount of ldap data that needs to be replicated around, and may cause slave DNS servers to notice a new serial and perform zone transfers even when not really needed.
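The check the ticket asks for, as an added example that is not sssd's own code: compare the addresses the host currently has with the A/AAAA records DNS already serves, and only produce an nsupdate script when they differ. The function names, the `ttl` default and the sample addresses are constructed for this example; in the daemon the DNS side would come from a query against the IPA server rather than from a hard-coded list.

```python
"""Decide whether a dynamic DNS update is needed before issuing one.

Added example, not sssd's code. It models the skip-if-unchanged check
requested in the bug: an update is only built when the set of local
addresses differs from what DNS already holds for the host.
"""
import ipaddress


def normalize(addrs):
    """Return canonical address strings so 'fd00:0:0:0:0:0:0:5' == 'fd00::5'."""
    return {str(ipaddress.ip_address(a)) for a in addrs}


def update_needed(local_addrs, dns_addrs):
    """True when the local address set differs from the DNS record set."""
    return normalize(local_addrs) != normalize(dns_addrs)


def build_nsupdate_script(hostname, server, local_addrs, dns_addrs, ttl=1200):
    """Return nsupdate stdin text for the host, or None when no change is needed.

    The script replaces the host's A/AAAA records with the current local
    addresses (delete existing records, add the current ones, send).
    The ttl default is a constructed value, not sssd's.
    """
    if not update_needed(local_addrs, dns_addrs):
        return None  # this is the branch the fix adds: nothing to do

    lines = [
        f"server {server}",
        f"update delete {hostname}. in A",
        f"update delete {hostname}. in AAAA",
    ]
    # Deterministic order: IPv4 records first, then IPv6, each sorted.
    for addr in sorted(normalize(local_addrs),
                       key=lambda s: (ipaddress.ip_address(s).version, s)):
        rtype = "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"
        lines.append(f"update add {hostname}. {ttl} in {rtype} {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the host still has the address DNS already serves,
    # so the check reports that no update is needed.
    host, ns = "client.example.test", "ns.example.test"
    print(build_nsupdate_script(host, ns, ["10.0.0.5"], ["10.0.0.5"]))
    # Address changed: a delete/add script is produced.
    print(build_nsupdate_script(host, ns, ["10.0.0.6", "fd00::6"], ["10.0.0.5"]))
```

Skipping the update when the sets match is what avoids the zone serial bump (and the follow-on replication and zone transfers) the description mentions; the comparison is on sets, so address ordering differences do not trigger a spurious update either.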

Comment 1 Jenny Severance 2012-01-30 20:59:38 UTC
Please add steps to verify/reproduce this issue. Thanks.

Comment 2 Jakub Hrozek 2012-02-02 13:48:04 UTC
(In reply to comment #1)
> please add steps to verify/reproduce this issue. thanks

I should respond because I was the one who actually implemented the feature.

With the old packages:
Restart sssd, log in as an IPA user to trigger an online action. Even though the IP address of the client didn't change, the logs should indicate that the nsupdate was performed.

With the new packages:
Restart sssd, log in as an IPA user to trigger an online action. The logs should indicate that the address did not change and hence no update is needed. The message you are looking for is a level-6 DEBUG message that says "No DNS update needed, addresses did not change".

Comment 5 Jakub Hrozek 2012-04-03 18:14:40 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed

Comment 6 Gowrishankar Rajaiyan 2012-04-09 13:52:46 UTC
Before fix: sssd-1.5.1-66.el6_2.3.x86_64

[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = skyfire.lab.eng.pnq.redhat.com
chpass_provider = ipa
ipa_server = skyfire.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
ipa_dyndns_update = True


[root@skyfire ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password: 
Last login: Mon Apr  9 16:06:51 2012 from skyfire.lab.eng.pnq.redhat.com
-sh-4.1$ 

Relevant sssd domain logs:
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_update_send] (9): Performing update
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_stdin_done] (9): Sending nsupdate data complete
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_child_handler] (1): Dynamic DNS child failed with status [256]
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_gss_tsig_update_done] (9): nsupdate failed, retrying with server name.
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_stdin_done] (9): Sending nsupdate data complete
(Mon Apr  9 16:08:01 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_timeout] (1): Timeout reached for dynamic DNS update
(Mon Apr  9 16:08:01 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_update_done] (1): Updating DNS entry failed
After fix: sssd-1.8.0-20.el6.x86_64

[domain/lab.eng.pnq.redhat.com]
debug_level = 6
ipa_dyndns_update = True
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = primenova.lab.eng.pnq.redhat.com
chpass_provider = ipa
ipa_server = primenova.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt


[root@primenova ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password: 
Last login: Mon Apr  9 07:19:25 2012 from primenova.lab.eng.pnq.redhat.com
-sh-4.1$ 


Relevant sssd domain logs:
(Mon Apr  9 07:19:59 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_gss_tsig_update_check] (0x0400): No DNS update needed, addresses did not change
(Mon Apr  9 07:19:59 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_update_done] (0x0020): DNS update finished


Verified: sssd-1.8.0-20.el6.x86_64
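A small checker for the verification step described in comments 2 and 6, added here as an example that is not part of the bug report or of sssd: it parses sssd domain-log lines in the format shown above (both the old decimal "(9)" levels and the 1.8 bitmask "(0x0400)" levels) and reports whether the dynamic DNS code skipped, attempted, or failed an update. The sample lines are copied from comment 6; the legacy-to-bitmask level table is the one documented in sssd.conf(5), under which the "level-6" message from comment 2 appears as 0x0400.

```python
"""Classify an sssd domain-log excerpt by what the dynamic DNS code did.

Added example, not sssd's code. Given the log lines for one online action
it answers the question the verifier asks: was nsupdate attempted even
though nothing changed, or did sssd log "No DNS update needed"?
"""
import re
from typing import Iterator, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+|\d+)\): (?P<msg>.*)$"
)

# Legacy 0-9 debug levels and the bitmask values sssd 1.8 prints instead,
# per the table in sssd.conf(5). Comment 2's "level-6" message is 0x0400,
# and the old "(1)" messages show up as 0x0020 in the 1.8 log above.
LEGACY_TO_MASK = {0: 0x0010, 1: 0x0020, 2: 0x0040, 3: 0x0080, 4: 0x0100,
                  5: 0x0200, 6: 0x0400, 7: 0x1000, 8: 0x2000, 9: 0x4000}
MASK_TO_LEGACY = {v: k for k, v in LEGACY_TO_MASK.items()}


class LogEntry(NamedTuple):
    ts: str
    proc: str
    func: str
    level: int   # legacy 0-9 level; bitmask values are mapped back, unknown -> -1
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one sssd log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("level")
    if raw.startswith("0x"):
        level = MASK_TO_LEGACY.get(int(raw, 16), -1)
    else:
        level = int(raw)
    return LogEntry(m.group("ts"), m.group("proc"), m.group("func"), level, m.group("msg"))


def dyndns_entries(lines) -> Iterator[LogEntry]:
    """Yield only the entries emitted by the ipa_dyndns_* functions."""
    for line in lines:
        entry = parse_line(line)
        if entry and entry.func.startswith("ipa_dyndns_"):
            yield entry


def classify_dyndns_run(lines) -> str:
    """Return 'skipped', 'failed', 'updated' or 'unknown' for one login's excerpt."""
    msgs = [e.msg for e in dyndns_entries(lines)]
    if any("No DNS update needed" in m for m in msgs):
        return "skipped"          # the post-fix behaviour when addresses are unchanged
    if any("failed" in m.lower() for m in msgs):
        return "failed"           # an update was attempted and nsupdate did not succeed
    if any("Performing update" in m for m in msgs):
        return "updated"          # an update was attempted and nothing reported failure
    return "unknown"


# Sample excerpts copied from comment 6 (pre-fix 1.5.1 and post-fix 1.8.0 logs).
BEFORE_FIX: List[str] = """\
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_update_send] (9): Performing update
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_stdin_done] (9): Sending nsupdate data complete
(Mon Apr  9 16:07:46 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_child_handler] (1): Dynamic DNS child failed with status [256]
(Mon Apr  9 16:08:01 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_update_done] (1): Updating DNS entry failed
""".splitlines()

AFTER_FIX: List[str] = """\
(Mon Apr  9 07:19:59 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_gss_tsig_update_check] (0x0400): No DNS update needed, addresses did not change
(Mon Apr  9 07:19:59 2012) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_dyndns_update_done] (0x0020): DNS update finished
""".splitlines()


if __name__ == "__main__":
    print("before fix:", classify_dyndns_run(BEFORE_FIX))
    print("after fix: ", classify_dyndns_run(AFTER_FIX))
```

Because the skip message is logged at legacy level 6 (0x0400), the domain section needs `debug_level = 6` or higher for the checker to see it, which is why comment 6 raised the level in the post-fix configuration; with a lower level the excerpt would only contain the "DNS update finished" line and classify as unknown.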

Comment 8 errata-xmlrpc 2012-06-20 11:54:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

