Bug 869325 - Zones with conditional forwarder are not removed properly when persistent search is enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.4
Priority: medium
Severity: unspecified
Assigned To: Adam Tkac
Namita Soman
Reported: 2012-10-23 11:19 EDT by Petr Spacek
Modified: 2013-04-30 19:52 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:58:37 EST
Description Petr Spacek 2012-10-23 11:19:02 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/96

Conditional forwarder is still active even after zone deletion:

Add forwarder for zone `idm.lab.bos.redhat.com`:
{{{
$ ipa dnszone-add idm.lab.bos.redhat.com --name-server=vm-061.idm.lab.bos.redhat.com. --admin-email='hostmaster@ad.lan' --force --forwarder=10.16.78.61 --forward-policy=only
}}}

{{{
$ dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64187
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	TXT	"666"

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	vm-061.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-061.idm.lab.bos.redhat.com. 1200 IN	A	10.16.78.61
}}}

{{{
$ ipa dnszone-del idm.lab.bos.redhat.com
}}}

Named will log a message if debug level >= 1:
{{{
zone 'idm.lab.bos.redhat.com' not found in zone register
}}}

Zone is still resolvable through the forwarder:
{{{
$ dig @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com

; <<>> DiG 9.9.1-P3-RedHat-9.9.1-9.P3.fc17 <<>> @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; ANSWER SECTION:
test2.idm.lab.bos.redhat.com. 86400 IN	TXT	"another" "value" "obtained" "from" "forwarder"

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86190	IN	NS	vm-061.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-061.idm.lab.bos.redhat.com. 990 IN	A	10.16.78.61
}}}

Expected result:
Record test2 should not be resolvable.
Comment 3 Michael Gregg 2013-01-21 20:35:50 EST
Verified manually: after adding the zone and checking to ensure that forwarding was enabled, I removed the forwarding zone and retried the query.

verified against ipa-server-3.0.0-9.el6.x86_64

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300
 
[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster@ad.lan' --force --forwarder=10.14.5.226 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358816934
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM
                      krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.226
  Forward policy: only
[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39891
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300
Comment 4 Petr Spacek 2013-01-22 02:16:24 EST
Sorry, your test found something else and this bug isn't verified.

Please compare "example" output in bug description with your first "dig" output:
$ dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64187
vs.
;; connection timed out; no servers could be reached

Something went horribly wrong. Could you check /var/log/messages? Did BIND crash?

You can try to tcpdump connection and check if request really went out to the forwarder:
$ tcpdump -s 65535 -i any 'port 53'
Comment 5 Michael Gregg 2013-01-22 19:23:56 EST
Bind did not crash. 

I think the problem is that I formed my original test wrong as I was forwarding the zone to the machine that I created the zone on. That shouldn't work. 

I tried it again, and am unable to verify the bug; is this a regression?

My bind-dyndb-ldap appears new enough at bind-dyndb-ldap-2.3-1.el6.x86_64

<First, I ensure that the resolve fails, then I create a zone on zippyvm11 pointing to zippyvm4(10.14.5.136) as the forwarder>

[root@zippyvm11 ~]#  dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:45:49 2013
;; MSG SIZE  rcvd: 120

[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster@ad.lan' --force --forwarder=10.14.5.136 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358898539
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.136
  Forward policy: only


< Now, I go create the zone on zippyvm4 and add the needed record to it>


[root@zippyvm4 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm4.testrelm.com. --admin-email='hostmaster@ad.lan'
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358898560
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
                      krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test --a-rec=4.2.2.2
  Record name: test
  A record: 4.2.2.2

<After I test to ensure the record works on zippyvm4, I return to zippyvm11 and try the resolve again; it fails.>

[root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	3259	IN	SOA	zippyvm4.testrelm.com. hostmaster.ad.lan. 1358898600 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:56:12 2013
;; MSG SIZE  rcvd: 116


<The resolve works after I restart named; it appears that this bug is still a problem>


[root@zippyvm11 ~]# /etc/init.d/named restart
Stopping named: .[  OK  ]
Starting named: [  OK  ]
[root@zippyvm11 ~]#  dig @127.0.0.1 test.idm.lab.bos.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A

;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2

;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	zippyvm4.testrelm.com.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 18:56:37 2013
;; MSG SIZE  rcvd: 93
Comment 6 Petr Spacek 2013-01-23 07:11:40 EST
I re-tested it myself with bind-dyndb-ldap-2.3-2.el6.x86_64 and it works in my test environment.

Steps and expected results:
0) Create one additional record - "test2".
1) After adding a per-zone forwarder you should see "test" record from forwarded zone.
2) Now delete per-zone forwarder.
3) Try to query for record "test2" after per-zone forwarder deletion. You shouldn't be able to resolve record "test2" from forwarded zone.

The test failed if "test2" pops up after per-zone forwarder deletion.

We will continue with investigation if you encounter SERVFAIL or timeout at any moment.
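One way to automate the pass/fail rule from the steps above, added here as an example and not code from the bug report or from bind-dyndb-ldap: a Python checker that reads the two header lines dig prints and applies the rule, treating a timeout or SERVFAIL as inconclusive rather than as a pass or fail. The function names and the embedded sample outputs are constructed for this example; the samples are trimmed copies of the dig transcripts in this report.

```python
import re

# The two header lines dig prints for every query that got a response.
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)
FLAGS_RE = re.compile(r"^;; flags: [^;]*; QUERY: \d+, ANSWER: (\d+)", re.M)


def classify_dig(output):
    """Reduce dig output to ANSWER, NODATA, NXDOMAIN, SERVFAIL, TIMEOUT or OTHER."""
    if "connection timed out" in output or "no servers could be reached" in output:
        return "TIMEOUT"
    header = HEADER_RE.search(output)
    if header is None:
        return "OTHER"
    status = header.group(1)
    if status != "NOERROR":
        return status  # NXDOMAIN, SERVFAIL, REFUSED, ...
    flags = FLAGS_RE.search(output)
    answers = int(flags.group(1)) if flags else 0
    return "ANSWER" if answers > 0 else "NODATA"


def forwarder_removal_verdict(test_before_delete, test2_after_delete):
    """Steps 1 and 3 of the procedure: 'test' must resolve while the per-zone
    forwarder exists, 'test2' must not resolve once it has been deleted.
    A SERVFAIL or timeout at either point makes the run inconclusive."""
    before = classify_dig(test_before_delete)
    after = classify_dig(test2_after_delete)
    if {"TIMEOUT", "SERVFAIL"} & {before, after}:
        return "INCONCLUSIVE"
    if before != "ANSWER":
        return "INCONCLUSIVE"  # forwarding never worked, so nothing to verify
    return "FAIL" if after == "ANSWER" else "PASS"


# Sample dig output, constructed here from the transcripts in this bug report
# and trimmed to the lines the parser reads.
DIG_TEST_FORWARDED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9154
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
"""
DIG_TEST2_STILL_FORWARDED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
"""
DIG_TEST2_NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7197
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
DIG_TIMEOUT = ";; connection timed out; no servers could be reached\n"
```

Feed it the raw output of the two dig invocations from the procedure; a first-query timeout, as in comment 3, yields INCONCLUSIVE so that a broken forwarder is not mistaken for a fixed zone deletion.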
Comment 7 Petr Spacek 2013-01-23 09:45:12 EST
Note: I found another bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/105

Cache is not flushed *after deleting* a zone with conditional forwarder. That is the reason why you need two different records, "test" and "test2", for each part of the test.

Test described in my previous comment should work as expected.
Comment 8 Michael Gregg 2013-01-23 15:44:45 EST
First I updated to bind-dyndb-ldap-2.3-2.el6.x86_64

I'll try again.

< First, I will create the zone on zippyvm4 with test and test2 in it. >
[root@zippyvm4 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm4.testrelm.com. --admin-email='hostmaster@ad.lan'
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm4.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358973467
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
                      krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test --a-rec=4.2.2.2
  Record name: test
  A record: 4.2.2.2
[root@zippyvm4 ~]# ipa dnsrecord-add idm.lab.bos.redhat.com test2 --a-rec=4.1.1.1
  Record name: test2
  A record: 4.1.1.1

< After that, I'll ensure that test and test2 do not resolve on zippyvm11>

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	ANY
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

[root@zippyvm11 ~]# dig @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 -t ANY test2.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6384
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test2.idm.lab.bos.redhat.com.	IN	ANY
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300

<Next I'll create the zone on zippyvm11 that forwards to zippyvm4>

[root@zippyvm11 ~]# ipa dnszone-add idm.lab.bos.redhat.com --name-server=zippyvm11.testrelm.com. --admin-email='hostmaster@ad.lan' --force --forwarder=10.14.5.136 --forward-policy=only
  Zone name: idm.lab.bos.redhat.com
  Authoritative nameserver: zippyvm11.testrelm.com.
  Administrator e-mail address: hostmaster.ad.lan.
  SOA serial: 1358973618
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.14.5.136
  Forward policy: only

< Now, ensure that test resolves on zippyvm11 >

[root@zippyvm11 ~]# dig @127.0.0.1 test.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9154
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.idm.lab.bos.redhat.com.	IN	A
;; ANSWER SECTION:
test.idm.lab.bos.redhat.com. 86400 IN	A	4.2.2.2
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	86400	IN	NS	zippyvm4.testrelm.com.

< That worked. Now, delete the zone on zippyvm11 and ensure that test2 does not resolve.>

[root@zippyvm11 ~]# ipa dnszone-del idm.lab.bos.redhat.com 
[root@zippyvm11 ~]# dig @127.0.0.1 test2.idm.lab.bos.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> @127.0.0.1 test2.idm.lab.bos.redhat.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7197
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test2.idm.lab.bos.redhat.com.	IN	A
;; AUTHORITY SECTION:
idm.lab.bos.redhat.com.	60	IN	SOA	ns01.intranet.prod.int.phx2.redhat.com. hostmaster.redhat.com. 2012122000 300 1800 604800 300


That all worked as expected. It seems that upgrading to bind-dyndb-ldap-2.3-2.el6.x86_64 was the trick. 

I am satisfied with this bug. I'll move it to "verified" now. Feel free to switch it back to on_qa if the test isn't correct.
Comment 9 Petr Spacek 2013-01-24 09:49:33 EST
Perfect, thank you!
Comment 10 Petr Spacek 2013-01-29 15:05:34 EST
Note:
This bug covers only the case where persistent search is enabled.

Upstream ticket for case where persistent search is disabled: https://fedorahosted.org/bind-dyndb-ldap/ticket/106
Comment 12 errata-xmlrpc 2013-02-21 03:58:37 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0359.html
