Bug 805871 - Incorrect SOA serial number set for forward zone during ipa-server installation.
Summary: Incorrect SOA serial number set for forward zone during ipa-server installation.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Adam Tkac
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-22 10:14 UTC by Gowrishankar Rajaiyan
Modified: 2015-05-20 15:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 13:52:41 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0837 normal SHIPPED_LIVE bind-dyndb-ldap bug fix and enhancement update 2012-06-19 20:49:06 UTC

Internal Links: 766233

Description Gowrishankar Rajaiyan 2012-03-22 10:14:26 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-5.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install --setup-dns
2. ipa dnszone-find

Actual results: 
"SOA serial" for forward zone has just "YYYY".

[root@primenova ~]# ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012220301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012         <<<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
[root@primenova ~]# 


Expected results:
SOA serial for forward zone after installation should be of the format "YYYYMMDDnn".

Additional info:
This is not seen for any new zone created thereafter.

[root@primenova ~]# ipa dnszone-find 
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012220301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012220301       <<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012          <<<<<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------
[root@primenova ~]#

Comment 1 Martin Kosek 2012-03-22 10:31:18 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2573

Comment 3 Gowrishankar Rajaiyan 2012-03-22 11:42:52 UTC
Just observed that "SOA expire" value is trimmed as well.

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012          <<<<<<<<<<<<<<<<<
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209          <<<<<<<<<<<<<<<<<
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

Comment 4 Martin Kosek 2012-03-22 13:50:12 UTC
I found out that this is not really an issue in IPA: it created the forward zone correctly, but the zone got changed by the nsupdate/bind-dyndb-ldap backend, which is run as part of ipa-client-install. This can be easily reproduced this way:

# ldapsearch -h localhost -Y GSSAPI -b idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -s base

# idm.lab.bos.redhat.com, dns, idm.lab.bos.redhat.com
dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om
idnsZoneActive: TRUE
nSRecord: vm-068.idm.lab.bos.redhat.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BO
 S.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP
 ;
idnsSOArefresh: 3600
idnsName: idm.lab.bos.redhat.com
idnsAllowDynUpdate: TRUE
idnsSOAmName: vm-068.idm.lab.bos.redhat.com.
idnsSOArName: hostmaster.idm.lab.bos.redhat.com.
idnsAllowQuery: any;
idnsSOAexpire: 1209100       <<<<<<
idnsSOAserial: 2014032201    <<<<<<

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat /tmp/nsupdate.txt 
zone idm.lab.bos.redhat.com.
update delete vm-068.idm.lab.bos.redhat.com. IN SSHFP
send
update add vm-068.idm.lab.bos.redhat.com. 1200 IN SSHFP 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
update add vm-068.idm.lab.bos.redhat.com. 1200 IN SSHFP 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
send

# /usr/bin/kinit -k -t /etc/krb5.keytab host/vm-068.idm.lab.bos.redhat.com

# /usr/bin/nsupdate -g /tmp/nsupdate.txt

# ldapsearch -h localhost -Y GSSAPI -b idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -s base

# idm.lab.bos.redhat.com, dns, idm.lab.bos.redhat.com
dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om
idnsZoneActive: TRUE
nSRecord: vm-068.idm.lab.bos.redhat.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BO
 S.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP
 ;
idnsSOArefresh: 3600
idnsName: idm.lab.bos.redhat.com
idnsAllowDynUpdate: TRUE
idnsSOAmName: vm-068.idm.lab.bos.redhat.com.
idnsSOArName: hostmaster.idm.lab.bos.redhat.com.
idnsAllowQuery: any;
idnsSOAexpire: 1209    <<<<<
idnsSOAserial: 2015    <<<<<

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Comment 6 Petr Spacek 2012-03-23 12:20:38 UTC
LDAP plugin part fixed upstream:
https://fedorahosted.org/bind-dyndb-ldap/changeset/709e352e52141eac346139666483b5c5f5acd713

Wrong initial value has to be fixed in IPA.

Comment 9 Gowrishankar Rajaiyan 2012-03-27 10:11:40 UTC
1. ipa-server-install --setup-dns
2. ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012270301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012270302
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

[root@primenova ~]# cat nsupdate.txt 
zone lab.eng.pnq.redhat.com.
update delete primenova.lab.eng.pnq.redhat.com. IN SSHFP
send
update add primenova.lab.eng.pnq.redhat.com. 1200 IN SSHFP 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
update add primenova.lab.eng.pnq.redhat.com. 1200 IN SSHFP 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
send
[root@primenova ~]# 

[root@primenova ~]# nsupdate -g nsupdate.txt 
[root@primenova ~]#

[root@primenova ~]# ipa dnsrecord-show lab.eng.pnq.redhat.com primenova
  Record name: primenova
  A record: 10.65.201.100
  SSHFP record: 1 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, 2 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
[root@primenova ~]# 


[root@primenova ~]# ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.201.65.10.in-addr.arpa.
  SOA serial: 2012270301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.eng.pnq.redhat.com
  Authoritative nameserver: primenova.lab.eng.pnq.redhat.com.
  Administrator e-mail address: hostmaster.lab.eng.pnq.redhat.com.
  SOA serial: 2012270304
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
[root@primenova ~]# 

Version:
ipa-server-2.2.0-5.el6.x86_64
bind-9.8.2-0.6.rc1.el6.x86_64
bind-dyndb-ldap-1.1.0-0.5.b1.el6.x86_64
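The checks in Comment 4 and Comment 9 (SOA values intact after install, serial strictly increased after a dynamic update) are done by eye on `ipa dnszone-find` output. The script below is an added example, not part of this bug or of IPA; it parses that output and flags truncated SOA serial/expire values, and confirms a serial advanced across an nsupdate run. The sample output is constructed in the shape shown in this report.

```python
import re

# Constructed sample of `ipa dnszone-find` output, modelled on the truncated
# values reported in this bug (only the fields the check needs are kept).
SAMPLE_BEFORE = """\
  Zone name: 201.65.10.in-addr.arpa.
  SOA serial: 2012220301
  SOA expire: 1209600

  Zone name: lab.eng.pnq.redhat.com
  SOA serial: 2012
  SOA expire: 1209
----------------------------
Number of entries returned 2
----------------------------
"""

SERIAL_RE = re.compile(r"^\d{10}$")   # YYYYMMDDnn is always exactly 10 digits

def parse_dnszone_find(text):
    """Group the indented 'Key: value' lines of ipa dnszone-find by zone name."""
    zones, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if not m:                      # separators and the entry count have no key
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Zone name":
            current = value
            zones[current] = {}
        elif current is not None:
            zones[current][key] = value
    return zones

def check_zone(soa):
    """Return findings for one zone's SOA fields; an empty list means healthy."""
    findings = []
    serial = soa.get("SOA serial", "")
    if not SERIAL_RE.match(serial):
        findings.append("serial %r is not 10 digits (YYYYMMDDnn), looks truncated" % serial)
    expire = int(soa.get("SOA expire", "0") or 0)
    if expire < 86400:                 # below one day: secondaries would drop the zone
        findings.append("expire %d s is below one day, looks truncated" % expire)
    return findings

def audit(text):
    return {name: check_zone(soa) for name, soa in parse_dnszone_find(text).items()}

def serial_advanced(before, after, zone):
    """After nsupdate the zone serial must still be intact and strictly larger."""
    b = parse_dnszone_find(before)[zone]["SOA serial"]
    a = parse_dnszone_find(after)[zone]["SOA serial"]
    return SERIAL_RE.match(a) is not None and int(a) > int(b)
```

Run `audit()` on the captured output of `ipa dnszone-find` after installation, and `serial_advanced()` on captures taken before and after the nsupdate run to confirm the backend no longer clobbers the serial.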

Comment 11 errata-xmlrpc 2012-06-20 13:52:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0837.html
