Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): ipa-server-2.2.0-5.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. ipa-server-install --setup-dns 2. ipa dnszone-find Actual results: "SOA serial" for forward zone has just "YYYY". [root@primenova ~]# ipa dnszone-find Zone name: 201.65.10.in-addr.arpa. Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa. SOA serial: 2012220301 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; Zone name: lab.eng.pnq.redhat.com Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com. SOA serial: 2012 <<<<<<<<<<<<<<< SOA refresh: 3600 SOA retry: 900 SOA expire: 1209 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; ---------------------------- Number of entries returned 2 ---------------------------- [root@primenova ~]# Expected results: SOA serial for forward zone after installation should be of the format "YYYMMDDnn". Additional info: This is not seen for any new zone created thereafter. [root@primenova ~]# ipa dnszone-find Zone name: 201.65.10.in-addr.arpa. Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa. SOA serial: 2012220301 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; Zone name: example.com Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.example.com. SOA serial: 2012220301 <<<<<<<<<<<<<< SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; Zone name: lab.eng.pnq.redhat.com Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com. SOA serial: 2012 <<<<<<<<<<<<<<<<< SOA refresh: 3600 SOA retry: 900 SOA expire: 1209 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; ---------------------------- Number of entries returned 3 ---------------------------- [root@primenova ~]#
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2573
Just observed that "SOA expire" value is trimmed as well. Zone name: lab.eng.pnq.redhat.com Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com. SOA serial: 2012 <<<<<<<<<<<<<<<<< SOA refresh: 3600 SOA retry: 900 SOA expire: 1209 <<<<<<<<<<<<<<<<< SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none;
I found out that this is not really an issue in IPA, it created the forward zone correctly but it got changed by nsupdate/bind-dyndb-ldap backend which is run as a part of ipa-client-install. This can be easily reproduced this way: # ldapsearch -h localhost -Y GSSAPI -b idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -s base # idm.lab.bos.redhat.com, dns, idm.lab.bos.redhat.com dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om idnsZoneActive: TRUE nSRecord: vm-068.idm.lab.bos.redhat.com. objectClass: top objectClass: idnsrecord objectClass: idnszone idnsAllowTransfer: none; idnsSOAretry: 900 idnsSOAminimum: 3600 idnsUpdatePolicy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BO S.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP ; idnsSOArefresh: 3600 idnsName: idm.lab.bos.redhat.com idnsAllowDynUpdate: TRUE idnsSOAmName: vm-068.idm.lab.bos.redhat.com. idnsSOArName: hostmaster.idm.lab.bos.redhat.com. idnsAllowQuery: any; idnsSOAexpire: 1209100 <<<<<< idnsSOAserial: 2014032201 <<<<<< # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 # cat /tmp/nsupdate.txt zone idm.lab.bos.redhat.com. update delete vm-068.idm.lab.bos.redhat.com. IN SSHFP send update add vm-068.idm.lab.bos.redhat.com. 1200 IN SSHFP 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA update add vm-068.idm.lab.bos.redhat.com. 1200 IN SSHFP 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB send # /usr/bin/kinit -k -t /etc/krb5.keytab host/vm-068.idm.lab.bos.redhat.com # /usr/bin/nsupdate -g /tmp/nsupdate.txt # ldapsearch -h localhost -Y GSSAPI -b idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -s base # idm.lab.bos.redhat.com, dns, idm.lab.bos.redhat.com dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om idnsZoneActive: TRUE nSRecord: vm-068.idm.lab.bos.redhat.com. objectClass: top objectClass: idnsrecord objectClass: idnszone idnsAllowTransfer: none; idnsSOAretry: 900 idnsSOAminimum: 3600 idnsUpdatePolicy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BO S.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP ; idnsSOArefresh: 3600 idnsName: idm.lab.bos.redhat.com idnsAllowDynUpdate: TRUE idnsSOAmName: vm-068.idm.lab.bos.redhat.com. idnsSOArName: hostmaster.idm.lab.bos.redhat.com. idnsAllowQuery: any; idnsSOAexpire: 1209 <<<<< idnsSOAserial: 2015 <<<<< # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1
LDAP plugin part fixed upstream: https://fedorahosted.org/bind-dyndb-ldap/changeset/709e352e52141eac346139666483b5c5f5acd713 Wrong initial value has to be fixed in IPA.
1. ipa-server-install --setup-dns 2. ipa dnszone-find Zone name: 201.65.10.in-addr.arpa. Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa. SOA serial: 2012270301 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; Zone name: lab.eng.pnq.redhat.com Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com. SOA serial: 2012270302 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; ---------------------------- Number of entries returned 2 ---------------------------- [root@primenova ~]# cat nsupdate.txt zone lab.eng.pnq.redhat.com. update delete primenova.lab.eng.pnq.redhat.com. IN SSHFP send update add primenova.lab.eng.pnq.redhat.com. 1200 IN SSHFP 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA update add primenova.lab.eng.pnq.redhat.com. 1200 IN SSHFP 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB send [root@primenova ~]# [root@primenova ~]# nsupdate -g nsupdate.txt [root@primenova ~]# [root@primenova ~]# ipa dnsrecord-show lab.eng.pnq.redhat.com primenova Record name: primenova A record: 10.65.201.100 SSHFP record: 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB [root@primenova ~]# [root@primenova ~]# ipa dnszone-find Zone name: 201.65.10.in-addr.arpa. Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa. SOA serial: 2012270301 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; Zone name: lab.eng.pnq.redhat.com Authoritative nameserver: primenova.lab.eng.pnq.redhat.com. Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com. SOA serial: 2012270304 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; ---------------------------- Number of entries returned 2 ---------------------------- [root@primenova ~]# Version: ipa-server-2.2.0-5.el6.x86_64 bind-9.8.2-0.6.rc1.el6.x86_64 bind-dyndb-ldap-1.1.0-0.5.b1.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0837.html