Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 869325

Summary:	Zones with conditional forwarder are not removed properly when persistent search is enabled
Product:	Red Hat Enterprise Linux 6	Reporter:	Petr Spacek <pspacek>
Component:	bind-dyndb-ldap	Assignee:	Adam Tkac <atkac>
Status:	CLOSED ERRATA	QA Contact:	Namita Soman <nsoman>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	6.4	CC:	dpal, mgregg, ovasik, pspacek
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-02-21 08:58:37 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Petr Spacek 2012-10-23 15:19:02 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/96

Conditional forwarder is still active even after zone deletion:

Add forwarder for zone `idm.lab.bos.redhat.com`:
{{{
$ ipa dnszone-add idm.lab.bos.redhat.com --name-server=vm-061.idm.lab.bos.redhat.com. --admin-email='hostmaster' --force --forwarder=10.16.78.61 --forward-policy=only
}}}

{{{
$ dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64187
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	TXT	"666"

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	vm-061.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-061.idm.lab.bos.redhat.com. 1200 IN	A	10.16.78.61
}}}

{{{
$ ipa dnszone-del idm.lab.bos.redhat.com
}}}

Named will log a message if debug level >= 1:
{{{
zone 'idm.lab.bos.redhat.com' not found in zone register
}}}

Zone is still resolvable through the forwarder:
{{{
$ dig @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com

; <<>> DiG 9.9.1-P3-RedHat-9.9.1-9.P3.fc17 <<>> @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; ANSWER SECTION:
test2.idm.lab.bos.redhat.com. 86400 IN	TXT	"another" "value" "obtained" "from" "forwarder"

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86190	IN	NS	vm-061.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-061.idm.lab.bos.redhat.com. 990 IN	A	10.16.78.61
}}}

Expected result:
Record test2 should not be resolvable.

Comment 3 Michael Gregg 2013-01-22 01:35:50 UTC

Verified manually, after adding the zone, then checking to ensure that forwarding was enabled, I removed the forwarding zone and retried the query.

verified against ipa-server-3.0.0-9.el6.x86_64

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300
 
[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster' --force --forwarder=10.14.5.226 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358816934
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM
                      krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.226
  Forward policy: only
[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39891
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

Comment 4 Petr Spacek 2013-01-22 07:16:24 UTC

Sorry, your test found something else and this bug isn't verified.

Please compare "example" output in bug description with your first "dig" output:
$ dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64187
vs.
;; connection timed out; no servers could be reached

Something went horribly wrong. Could you check /var/log/messages? Did BIND crash?

You can try to tcpdump connection and check if request really went out to the forwarder:
$ tcpdump -s 65535 -i any 'port 53'

Comment 5 Michael Gregg 2013-01-23 00:23:56 UTC

Bind did not crash. 

I think the problem is that I formed my original test wrong as I was forwarding the zone to the machine that I created the zone on. That shouldn't work. 

I tried it again, and am unable to verify the bug, is this a regression? 

My bind-dyndb-ldap appears new enough at bind-dyndb-ldap-2.3-1.el6.x86_64

<First, I ensure that the resolve fails, then I create a zone on zippyvm11 pointing to zippyvm4(10.14.5.136) as the forwarder>

[root@zippyvm11 ~]#  dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:45:49 2013
;; MSG SIZE  rcvd: 120

[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster' --force --forwarder=10.14.5.136 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358898539
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.136
  Forward policy: only


< Now, I go create the zone on zippyvm4 and add the needed record to it>


[root@zippyvm4 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm4.testrelm.com. --admin-email='hostmaster'
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358898560
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
                      krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test --a-rec=4.2.2.2
  Record name: test
  A record: 4.2.2.2

<After I test to enzure the record works on zippyvm4, I return to zippyvm11 and try the resolve again, it fails.>

[root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	3259	IN	SOA	zippyvm4.testrelm.com. hostmaster.ad.lan. 1358898600 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:56:12 2013
;; MSG SIZE  rcvd: 116


<The resolve works after I restart named, it appears as this bug is still a problem>


[root@zippyvm11 ~]# /etc/init.d/named restart
Stopping named: .[  OK  ]
Starting named: [  OK  ]
[root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	zippyvm4.testrelm.com.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:56:37 2013
;; MSG SIZE  rcvd: 93

Comment 6 Petr Spacek 2013-01-23 12:11:40 UTC

I re-tested it myself with bind-dyndb-ldap-2.3-2.el6.x86_64 and it works in my test environment.

Steps and expected results:
0) Create one additional record - "test2".
1) After adding a per-zone forwarder you should see "test" record from forwarded zone.
2) Now delete per-zone forwarder.
3) Try to query for record "test2" after per-zone forwarder deletion. You shouldn't be able to resolve record "test2" from forwarded zone.

The test failed if "test2" pops up after per-zone forwarder deletion.

We will continue with investigation if you encounter SERVFAIL or timeout at any moment.

Comment 7 Petr Spacek 2013-01-23 14:45:12 UTC

Note: I found another bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/105

Cache is not flushed *after deleting* a zone with conditional forwarder. That is the reason why you need to different records "test" and "test2" for each part of the test.

Test described in my previous comment should work as expected.

Comment 8 Michael Gregg 2013-01-23 20:44:45 UTC

First I updated to bind-dyndb-ldap-2.3-2.el6.x86_64

I'll try again.

< First, I will create the zone on zippyvm4 with test and test2 in it. >
[root@zippyvm4 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm4.testrelm.com. --admin-email='hostmaster'
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358973467
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
                      krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test --a-rec=4.2.2.2
  Record name: test
  A record: 4.2.2.2
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test2 --a-rec=4.1.1.1
  Record name: test2
  A record: 4.1.1.1

< After that, I'll ensure that test and test2 do not resolve on zippyvm11>

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6384
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test2.idm.lab.bos.redhat.com.	IN	ANY
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

<Next I'll create the zone on zippyvm11 that forwards to zippyvm4>

[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster' --force --forwarder=10.14.5.136 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358973618
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.136
  Forward policy: only

< Now, ensure that test resolves on zippyvm11 >

[root@zippyvm11 ~]# dig @127.0.0.1 test.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9154
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A
;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	zippyvm4.testrelm.com.

< That worked. Now, delete the zone on zippyvm11 and ensure that test2 does not resolve.>

[root@zippyvm11 ~]# ipa dnszone-del idm.lab.bos.redhat.com 
[root@zippyvm11 ~]# dig @127.0.0.1 test2.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test2.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7197
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test2.idm.lab.bos.redhat.com.	IN	A
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300


That all worked as expected. It seems that upgrading to bind-dyndb-ldap-2.3-2.el6.x86_64 was the trick. 

I am satisfied with this bug. I'll move it to "verified" now. Feel free to switch it back to on_qa if the test isn't correct.

Comment 9 Petr Spacek 2013-01-24 14:49:33 UTC

Perfect, thank you!

Comment 10 Petr Spacek 2013-01-29 20:05:34 UTC

Note:
This bug covers only the case where persistent search is enabled.

Upstream ticket for case where persistent search is disabled: https://fedorahosted.org/bind-dyndb-ldap/ticket/106

Comment 12 errata-xmlrpc 2013-02-21 08:58:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0359.html