Bug 805871 - Incorrect SOA serial number set for forward zone during ipa-server installation.
Incorrect SOA serial number set for forward zone during ipa-server installation.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap (Show other bugs)
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Adam Tkac
IDM QE LIST
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-22 06:14 EDT by Gowrishankar Rajaiyan
Modified: 2015-05-20 11:19 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 09:52:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gowrishankar Rajaiyan 2012-03-22 06:14:26 EDT
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-5.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install --setup-dns
2. ipa dnszone-find

Actual results: 
"SOA serial" for forward zone has just "YYYY".

[root@primenova ~]# ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012220301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012         <<<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
[root@primenova ~]# 


Expected results:
SOA serial for forward zone after installation should be of the format "YYYMMDDnn".

Additional info:
This is not seen for any new zone created thereafter.

[root@primenova ~]# ipa dnszone-find 
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012220301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012220301       <<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012          <<<<<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------
[root@primenova ~]#
Comment 1 Martin Kosek 2012-03-22 06:31:18 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2573
Comment 3 Gowrishankar Rajaiyan 2012-03-22 07:42:52 EDT
Just observed that "SOA expire" value is trimmed as well.

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012          <<<<<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209          <<<<<<<<<<<<<<<<<
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
Comment 4 Martin Kosek 2012-03-22 09:50:12 EDT
I found out that this is not really an issue in IPA, it created the forward zone correctly but it got changed by nsupdate/bind-dyndb-ldap backend which is run as a part of ipa-client-install. This can be easily reproduced this way:

# ldapsearch -h localhost -Y GSSAPI -b idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -s base

# idm.lab.bos.redhat.com, dns, idm.lab.bos.redhat.com
dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om
idnsZoneActive: TRUE
nSRecord: vm-068.idm.lab.bos.redhat.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BO
 S.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP
 ;
idnsSOArefresh: 3600
idnsName: idm.lab.bos.redhat.com
idnsAllowDynUpdate: TRUE
idnsSOAmName: vm-068.idm.lab.bos.redhat.com.
idnsSOArName: hostmaster.idm.lab.bos.redhat.com.
idnsAllowQuery: any;
idnsSOAexpire: 1209100       <<<<<<
idnsSOAserial: 2014032201    <<<<<<

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat /tmp/nsupdate.txt 
zone idm.lab.bos.redhat.com.
update delete vm-068.idm.lab.bos.redhat.com. IN SSHFP
send
update add vm-068.idm.lab.bos.redhat.com. 1200 IN SSHFP 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
update add vm-068.idm.lab.bos.redhat.com. 1200 IN SSHFP 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
send

# /usr/bin/kinit -k -t /etc/krb5.keytab host/vm-068.idm.lab.bos.redhat.com

# /usr/bin/nsupdate -g /tmp/nsupdate.txt

# ldapsearch -h localhost -Y GSSAPI -b idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -s base

# idm.lab.bos.redhat.com, dns, idm.lab.bos.redhat.com
dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om
idnsZoneActive: TRUE
nSRecord: vm-068.idm.lab.bos.redhat.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BO
 S.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP
 ;
idnsSOArefresh: 3600
idnsName: idm.lab.bos.redhat.com
idnsAllowDynUpdate: TRUE
idnsSOAmName: vm-068.idm.lab.bos.redhat.com.
idnsSOArName: hostmaster.idm.lab.bos.redhat.com.
idnsAllowQuery: any;
idnsSOAexpire: 1209    <<<<<
idnsSOAserial: 2015    <<<<<

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 6 Petr Spacek 2012-03-23 08:20:38 EDT
LDAP plugin part fixed upstream:
https://fedorahosted.org/bind-dyndb-ldap/changeset/709e352e52141eac346139666483b5c5f5acd713

Wrong initial value has to be fixed in IPA.
Comment 9 Gowrishankar Rajaiyan 2012-03-27 06:11:40 EDT
1. ipa-server-install --setup-dns
2. ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012270301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012270302
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

[root@primenova ~]# cat nsupdate.txt 
zone lab.eng.pnq.redhat.com.
update delete primenova.lab.eng.pnq.redhat.com. IN SSHFP
send
update add primenova.lab.eng.pnq.redhat.com. 1200 IN SSHFP 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
update add primenova.lab.eng.pnq.redhat.com. 1200 IN SSHFP 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
send
[root@primenova ~]# 

[root@primenova ~]# nsupdate -g nsupdate.txt 
[root@primenova ~]#

[root@primenova ~]# ipa dnsrecord-show lab.eng.pnq.redhat.com primenova
  Record name: primenova
  A record: 10.65.201.100
  SSHFP record: 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
[root@primenova ~]# 


[root@primenova ~]# ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012270301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012270304
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
[root@primenova ~]# 

Version:
ipa-server-2.2.0-5.el6.x86_64
bind-9.8.2-0.6.rc1.el6.x86_64
bind-dyndb-ldap-1.1.0-0.5.b1.el6.x86_64
Comment 11 errata-xmlrpc 2012-06-20 09:52:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html

Note You need to log in before you can comment on or make changes to this bug.