
Bug 869324

Summary: Cache is not flushed after creating a new zone with conditional forwarder
Product: Red Hat Enterprise Linux 6
Reporter: Petr Spacek <pspacek>
Component: bind-dyndb-ldap
Assignee: Adam Tkac <atkac>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.4
CC: dpal, mgregg, ovasik, pspacek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-02-21 08:58:34 UTC

Description Petr Spacek 2012-10-23 15:18:43 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/97

First of all, query for some record in non-existent zone:
{{{
$ dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13496
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 7

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 600 IN	MX	10 mx1.redhat.com.

;; AUTHORITY SECTION:
redhat.com.		600	IN	NS	ns4.redhat.com.
}}}

Now add the conditional forwarder for `idm.lab.bos.redhat.com`:
{{{
$ ipa dnszone-add idm.lab.bos.redhat.com --name-server=vm-061.idm.lab.bos.redhat.com. --admin-email='hostmaster' --force --forwarder=10.16.78.61 --forward-policy=only
}}}

... and repeat the query. It should return the existing record `test.idm.lab.bos.redhat.com`, but it incorrectly returns the cached result:

{{{
$ dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34582
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 7

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 448 IN	MX	10 mx1.redhat.com.

;; AUTHORITY SECTION:
redhat.com.		448	IN	NS	ns4.redhat.com.
}}}

Comment 3 Michael Gregg 2013-01-22 01:12:21 UTC
Verified manually; after adding the zone, I get the failed response I would expect.

verified against ipa-server-3.0.0-9.el6.x86_64

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35903
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

;; Query time: 71 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 21 20:07:26 2013
;; MSG SIZE  rcvd: 120

 
[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster' --force --forwarder=10.14.5.226 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358816934
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM
                      krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.226
  Forward policy: only
[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Comment 4 Petr Spacek 2013-01-22 07:06:05 UTC
Sorry, your test found something else and this bug isn't verified.

Please compare "example" output in bug description with your last line:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34582
vs.
;; connection timed out; no servers could be reached

Something went horribly wrong. Could you check /var/log/messages? Did BIND crash?

Comment 5 Michael Gregg 2013-01-23 00:00:28 UTC
Bind did not crash. 

I believe that there is some confusion about how to reproduce this bug, as when I created the zone, I made the forwarder the same server as the one I created the zone on.
That shouldn't work. The zone was forwarding to itself.

I changed the test to better match the problem. In this example I am doing a dig that fails. I create a zone with a forwarder, then on the server that is the forwarder, I create the zone and the required record. The first resolve still fails. 

This appears to be a regression; my version of bind-dyndb-ldap appears high enough:
bind-dyndb-ldap-2.3-1.el6.x86_64

info:

<first, I test the resolve and then create a new zone that forwards to 10.14.5.136 (zippyvm4)>

[root@zippyvm11 ~]#  dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:45:49 2013
;; MSG SIZE  rcvd: 120

[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster' --force --forwarder=10.14.5.136 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358898539
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.136
  Forward policy: only

<Now on zippyvm4, I create the new zone and create the test record>
[root@zippyvm4 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm4.testrelm.com. --admin-email='hostmaster'
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358898560
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
                      krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test --a-rec=4.2.2.2
  Record name: test
  A record: 4.2.2.2

[root@zippyvm4 ~]# dig test.idm.lab.bos.redhat.com @127.0.0.1
;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2

<Finally on zippyvm11 I should be able to dig for test.idm.lab.bos.redhat.com, it still fails>

[root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	3259	IN	SOA	zippyvm4.testrelm.com. hostmaster.ad.lan. 1358898600 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:56:12 2013
;; MSG SIZE  rcvd: 116


<Until I restart bind, then it works>

[root@zippyvm11 ~]# /etc/init.d/named restart
Stopping named: .[  OK  ]
Starting named: [  OK  ]
[root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	zippyvm4.testrelm.com.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:56:37 2013
;; MSG SIZE  rcvd: 93

Comment 6 Petr Spacek 2013-01-23 11:44:17 UTC
Now the test seems to be correct but the result isn't. I attempted to reproduce this problem myself but it behaves correctly in my test environment.

Please try to query the server directly with dig:

Context:
(In reply to comment #5)
> <Now on zippyvm4, I create the new zone and create the test record>
> [root@zippyvm4 ~]# ipa dnszone-add idm.lab.bos.redhat.com
> --name-server=zippyvm4.testrelm.com. --admin-email='hostmaster'
>   Zone name: idm.lab.bos.redhat.com

> [root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test
> --a-rec=4.2.2.2
>   Record name: test
>   A record: 4.2.2.2
> 
> [root@zippyvm4 ~]# dig test.idm.lab.bos.redhat.com @127.0.0.1
> ;; ANSWER SECTION:
> test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2
> 
> <Finally on zippyvm11 I should be able to dig for
> test.idm.lab.bos.redhat.com, it still fails>
> 
> [root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1
> test.idm.lab.bos.redhat.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42479
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;test.idm.lab.bos.redhat.com.	IN	A
> 
> ;; AUTHORITY SECTION:
> idm.lab.bos.redhat.com.	3259	IN	SOA	zippyvm4.testrelm.com.
> hostmaster.ad.lan. 1358898600 3600 900 1209600 3600
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan 22 18:56:12 2013
> ;; MSG SIZE  rcvd: 116

Now please try to query zippyvm4 directly and then through the local BIND (i.e. the query will be forwarded from the local BIND to zippyvm4):
[root@zippyvm11 ~]# dig @10.14.5.136 test.idm.lab.bos.redhat.com
[root@zippyvm11 ~]# dig @127.0.0.1 test.idm.lab.bos.redhat.com

Both results should be equal. If you find some difference, please look in /var/log/messages on both servers and search for errors or warnings from BIND.

If you are able to reproduce the problem, please run the following command on both servers *before you start* with the test:
$ tcpdump -s 65535 -i any -w /tmp/tcpdump 'port 53'

Please terminate tcpdump with Ctrl+C after the test ends and attach the files from both machines to this bug.

Thank you!
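The comparison Petr asks for in comment 6, together with the stale-cache symptom from the description (the same answer coming back with a shrinking TTL after the forwarder was added), as an added example that is not part of this bug report. The check_forwarder wrapper, its argument order and the constructed dig outputs are assumptions of this example, not anything from the bug.

```shell
# Added example, not from the bug report: judge from dig outputs whether the local
# BIND answered from its cache instead of asking the newly added forwarder.
# ANSWER SECTION of a dig output (stdin) as sorted "name class type rdata" lines,
# TTL column dropped: a cached copy of an answer differs from it only by TTL.
answer_rrs() {
    awk '/^;; ANSWER SECTION:/ { ans = 1; next }
         /^;;/ || /^$/         { ans = 0 }
         ans && NF >= 5 { r = $5; for (i = 6; i <= NF; i++) r = r " " $i
                          print $1, $3, $4, r }' | sort
}

# TTL of the first answer record (empty when there is no answer).
answer_ttl() {
    awk '/^;; ANSWER SECTION:/ { ans = 1; next }
         /^;;/ || /^$/         { ans = 0 }
         ans && NF >= 5 { print $2; exit }'
}

# 0 when two dig outputs (passed as strings) carry the same answer set.
answers_match() {
    [ "$(printf '%s\n' "$1" | answer_rrs)" = "$(printf '%s\n' "$2" | answer_rrs)" ]
}

# 0 when the second output repeats the first answer with a smaller TTL: the record
# was served from cache, so a forwarder configured in between was never consulted.
served_from_cache() {
    answers_match "$1" "$2" || return 1
    t1=$(printf '%s\n' "$1" | answer_ttl); t2=$(printf '%s\n' "$2" | answer_ttl)
    [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ]
}

# Live use on the resolver host (assumed wrapper, not run here): the comparison from
# comment 6, local BIND against the forwarder queried directly; both must agree.
check_forwarder() {  # check_forwarder <name> <forwarder-ip>
    answers_match "$(dig @127.0.0.1 "$1")" "$(dig @"$2" "$1")"
}
# Constructed dig outputs, shaped like the report's: before the zone was added,
# after it (same MX, TTL counting down: a stale cache hit), and the forwarder itself.
BEFORE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13496

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 600 IN MX 10 mx1.redhat.com.

;; AUTHORITY SECTION:
redhat.com. 600 IN NS ns4.redhat.com.'
AFTER=';; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 448 IN MX 10 mx1.redhat.com.'
DIRECT=';; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN A 4.2.2.2'
```

With the constructed inputs, `served_from_cache "$BEFORE" "$AFTER"` succeeds (stale MX, TTL 600 down to 448) while `answers_match "$AFTER" "$DIRECT"` fails, which is exactly the mismatch the report describes; `rndc flush` or a named restart clears the stale entry.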

Comment 7 Michael Gregg 2013-01-23 22:46:41 UTC
Problem seems to have gone away with upgrading to bind-dyndb-ldap-2.4-0.20130121T1133zgita2ce021.el6.x86_64

The new resolve works after adding the new zone.

Comment 12 Michael Gregg 2013-02-07 01:43:57 UTC
The test passed when run on a newer version of bind-dyndb-ldap

Starting on blademtv3
[root@blademtv3 ipa-server]# dig @127.0.0.1 test.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.   IN      A
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com. 60      IN      SOA     ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2013012501 300 1800 604800 300

[root@blademtv3 ipa-server]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=blademtv3.testrelm.com. --admin-email='hostmaster' --force --forwarder=10.14.5.153 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: blademtv3.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1360200994
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.153
  Forward policy: only

Then, moving to blademtv2:

[root@blademtv2 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=blademtv2.testrelm.com. --admin-email='hostmaster'
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: blademtv2.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1360201027
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@blademtv2 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test --a-rec=4.2.2.2
  Record name: test
  A record: 4.2.2.2

Testing the result on blademtv3:

[root@blademtv3 ipa-server]# dig @127.0.0.1 test.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.   IN      A

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN   A       4.2.2.2



The test is marked as "RELEASE_PENDING", so I will not change it.

Comment 13 errata-xmlrpc 2013-02-21 08:58:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0359.html