Bug 847716 - [RFE] The TTL value for FreeIPA dynamic DNS updates should be configurable
Summary: [RFE] The TTL value for FreeIPA dynamic DNS updates should be configurable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-08-13 10:49 UTC by James Hogarth
Modified: 2020-05-02 16:57 UTC (History)

Fixed In Version: sssd-1.10.0-1.el7.alpha1
Doc Type: Enhancement
Doc Text:
Feature: The SSSD has a new option ipa_dyndns_ttl.
Reason: Previously, the TTL (Time-To-Live) attribute of a DNS record during a DNS dynamic update was hardcoded to 86400 seconds. However, some environments need to set a different value.
Result (if any): The DNS records are now added with the TTL value the ipa_dyndns_ttl option sets. The option defaults to 1200 seconds.
Clone Of:
Environment:
Last Closed: 2014-06-13 11:32:29 UTC
Target Upstream Version:
Embargoed:


Attachments
This is a proposed patch for RHEL6 to bring the TTL of SSSD inline with the TTL set by ipa-client-install. (537 bytes, application/octet-stream)
2012-08-13 10:49 UTC, James Hogarth
no flags


Links
System ID Private Priority Status Summary Last Updated
FedoraHosted SSSD 1476 0 None None None 2012-08-13 10:49:07 UTC
Github SSSD sssd issues 2518 0 None None None 2020-05-02 16:57:19 UTC

Description James Hogarth 2012-08-13 10:49:07 UTC
Created attachment 603961
This is a proposed patch for RHEL6 to bring the TTL of SSSD inline with the TTL set by ipa-client-install.

Description of problem:
The TTL on the record added by SSSD is much longer than that put in place by ipa-client-install (86400 seconds instead of 1200).

Version-Release number of selected component (if applicable):
sssd-1.8.0-32.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1) Add a client to IPA including the --enable-dns-updates argument.
2) Verify that the TTL is 1200 seconds on the record after it has been added as per the value in the ipa-client-install python script.
3) Arrange for the IP address to change in some way on the client.
4) Restart the client.

Actual results:
TTL of record will be 86400 seconds

Expected results:
TTL of record should be 1200 seconds

Additional info:
Although for most use cases 1 day would be fine for a rapid VM churn environment (eg fresh build host created each time in continuous integration or something similar) this could cause incorrect resolution... and is a confusion for the user given the change from the initial TTL put in place... in addition a systems administrator could not override this since the record is deleted and added by SSSD and as a consequence ipa dnsrecord-mod would only have an effect until update and not maintain the TTL afterwards...

Comment 2 Stephen Gallagher 2012-08-13 11:24:01 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1476

Comment 5 Stephen Gallagher 2012-08-13 12:34:18 UTC
Devel and Quality Engineering have reviewed this request and determined that it will be best solved by a more complete solution in a later release. We would rather see the value be configurable, rather than adjusting it to a different hard-coded value.

Comment 9 Jenny Severance 2013-03-26 16:03:16 UTC
Please provide implementation details and use cases for this new configuration option.

Comment 10 Jakub Hrozek 2013-03-26 18:19:45 UTC
(In reply to comment #9)
> Please provide implementation details and use cases for this new
> configuration option.

Set the ipa_dyndns_ttl option to a value in seconds. Update the client's address using the dyndns functionality. Then view the DNS record on the server, in particular its TTL value. It should match the one provided with the config option.

Comment 11 Jakub Hrozek 2013-03-26 18:30:23 UTC
Not sure what implementation details you are looking for, but there is nothing user visible apart from the single option.

Internally, what the option does is that its value is used as the TTL instead of the previously hardcoded value of 86400 seconds.

Comment 12 James Hogarth 2013-03-26 18:39:57 UTC
As the guy that originally reported this and wrote the patch ;-) 

Use case:
Hostname that changes IP more frequently than once per day... This could be a test VM being rebuilt (which is where I encountered this) or a laptop user moving between subnets.

How to use:
Set the option as mentioned above and as detailed in --help and the man page.

There was a corresponding patch to ipa-client-install on the freeipa-client side to configure this option on install but I don't think it was ever committed... It might be worth checking to avoid the edge case of the initial DNS update by ipa-client-install setting the TTL high (if memory serves though it was only something like 1200 seconds).

However that has no impact on the functionality of this in sssd 1.10

Comment 13 Jakub Hrozek 2013-03-26 18:57:39 UTC
Thanks for the details, James, that's going to help our QE test the feature!

Comment 14 James Hogarth 2013-03-26 19:24:01 UTC
No problem... Apologies in not having more detail but I'm in a restaurant right now..

As one note though it's best to test the feature either looking straight at the IPA server with a utility like dig or to watch the 'fail' event the old host record still needs to be in a DNS cache somewhere on or between the system being used for the DNS query and the IPA server...

If there's any additional information useful I'll be able to respond tomorrow or Thursday.
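As an added example, not code from this bug or from SSSD, of the verification that comments 10 and 14 describe: read ipa_dyndns_ttl from an sssd.conf (falling back to the 1200-second default the Doc Text states) and compare it with the TTL field of `dig +noall +answer` output captured against the IPA server. The sssd.conf contents, host name and dig answer lines are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that the TTL the IPA server returns for a client's A
# record equals the ipa_dyndns_ttl configured in sssd.conf.  1200 is the
# option's default; 86400 was the old hardcoded value this bug replaced.

# Print the ipa_dyndns_ttl value from an sssd.conf, or 1200 when unset.
expected_ttl_from_sssd_conf() {
    awk -F= '
        /^[[:space:]]*ipa_dyndns_ttl[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); val = $2 }
        END { print (val == "" ? 1200 : val) }
    ' "$1"
}

# Print the TTL (2nd field) of the A record for $1 from a file holding
# "dig +noall +answer" output ($2).  Name must carry its trailing dot.
record_ttl_from_dig() {
    awk -v name="$1" '$1 == name && $4 == "A" { print $2; exit }' "$2"
}

# Exit 0 when the served TTL matches the configured one, 1 otherwise
# (including when no A record for the host is present).
check_ttl() {
    exp=$(expected_ttl_from_sssd_conf "$1")
    got=$(record_ttl_from_dig "$2" "$3")
    [ -n "$got" ] && [ "$got" -eq "$exp" ]
}

# Constructed sample inputs (a real check would run dig against the IPA server).
tmp=$(mktemp -d)
cat > "$tmp/sssd.conf" <<'EOF'
[domain/testrelm.com]
ipa_dyndns_update = True
ipa_dyndns_ttl = 600
EOF
cat > "$tmp/dig.txt" <<'EOF'
client1.testrelm.com.	600	IN	A	192.168.0.1
EOF
# A record carrying the pre-fix hardcoded TTL, for the mismatch case.
cat > "$tmp/dig_old.txt" <<'EOF'
client1.testrelm.com.	86400	IN	A	192.168.0.1
EOF

check_ttl "$tmp/sssd.conf" client1.testrelm.com. "$tmp/dig.txt" \
    && echo "TTL matches ipa_dyndns_ttl" || echo "TTL mismatch"
```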

Comment 15 Jenny Severance 2013-03-26 19:24:34 UTC
Thank you James!

Comment 16 Jakub Hrozek 2013-10-04 13:24:18 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 18 Kaleem 2014-01-27 13:29:38 UTC
Verified.

IPA version:
============
------------[RPMs & OS: [RedHat - x86_64]---------
|       ipa-client-3.3.3-15.el7.x86_64
|       sssd-1.11.2-19.el7.x86_64
--------------------------------------------------

Snippet from automation log:
===========================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaclientinstall_bug_847716 The TTL value for FreeIPA dynamic DNS updates should be configurable bz847716
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: uninstall_fornexttest starts
:: [   LOG    ] :: sssd.conf for testing BZ 819982 does not exists
:: [   LOG    ] :: checking for '^nameserver 10.16.46.51' in /etc/resolv.conf
:: [   PASS   ] :: Running 'ssh root.46.51 "echo Secret123|kinit admin;ipa host-del amd-pike-05.testrelm.com"' (Expected 0,1,2, got 0)
:: [   PASS   ] :: Running 'sleep 60' (Expected 0, got 0)
:: [   LOG    ] :: uninstall_fornexttest ends
:: [   LOG    ] :: EXECUTING: ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 --unattended --server=hp-dl380pgen8-02-vm-2.testrelm.com --enable-dns-updates --mkhomedir
:: [   PASS   ] :: Installing ipa client and configuring - with all params (Expected 0, got 0)
:: [   LOG    ] :: execute expect file: /tmp/kinit.10792.exp
:: [   LOG    ] :: Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Capturing TTL value (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain 'Time to live: 1200' 
:: [   PASS   ] :: Assigning em1:0 with ip 192.168.0.1 (Expected 0, got 0)
:: [   PASS   ] :: Capturning ifconfig output (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain 'em1:0' 
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain '192.168.0.1' 
:: [   PASS   ] :: Running 'sed '/cache_credentials/ a debug_level = 0x200' /etc/sssd/sssd.conf > /tmp/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'cp /tmp/sssd.conf /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'sed '/ipa_dyndns_update/ a ipa_dyndns_iface = em1:0' /etc/sssd/sssd.conf > /tmp/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'cp /tmp/sssd.conf /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf' (Expected 0, got 0)
:: [   PASS   ] :: Capturing TTL value after ip change (Expected 0, got 0)
:: [   PASS   ] :: Running 'cat /tmp/bz847716.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain 'Time to live: 1200' 
:: [   PASS   ] :: File '/tmp/bz847716.txt' should contain '192.168.0.1' 
:: [   PASS   ] :: Running 'rm -rf /tmp/bz847716.txt' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1m 17s
:: [   LOG    ] :: Assertions: 22 good, 0 bad
:: [   PASS   ] :: RESULT: ipaclientinstall_bug_847716 The TTL value for FreeIPA dynamic DNS updates should be configurable bz847716

Comment 19 Ludek Smid 2014-06-13 11:32:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

