Bug 893571 - Invalid zone is not reloaded after a record change
Summary: Invalid zone is not reloaded after a record change
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Petr Spacek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-01-09 13:38 UTC by Petr Spacek
Modified: 2015-01-21 15:40 UTC (History)

Fixed In Version: bind-dyndb-ldap-3.5-1.el7
Doc Type: Known Issue
Doc Text:
IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time. A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart.
Clone Of:
Environment:
Last Closed: 2014-06-13 12:01:16 UTC
Target Upstream Version:
Embargoed:



Description Petr Spacek 2013-01-09 13:38:22 UTC
Description of problem:

1) IPA user is adding a new zone with relative nameserver name:
$ ipa dnszone-add example.test --name-server=ns --ip-address=127.0.0.1 --admin-email=admin.test

Zone is successfully created in LDAP.


2) BIND logs some errors:

named[2310]: zone example.test/IN: NS 'ns.example.test' has no address records (A or AAAA)
named[2310]: zone example.test/IN: not loaded due to errors.
named[2310]: update_zone (psearch) failed for 'idnsname=example.test,cn=dns,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: bad zone
named[2310]: SOA serial number incrementation failed in zone 'idnsname=example.test,cn=dns,dc=example,dc=com'
named[2310]: update_record (psearch) failed, dn 'idnsname=ns,idnsname=example.test,cn=dns,dc=example,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: zone not loaded


3) The new zone is not functional:
$ dig @127.0.0.1 -t ANY example.test.
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 59367


4) Changing some record doesn't help:
$ ipa dnsrecord-add example.test newrec --txt-rec="string"
  Record name: newrec
  TXT record: string

$ sudo tail /var/log/messages
named[2310]: SOA serial number incrementation failed in zone 'idnsname=example.test,cn=dns,dc=example,dc=com'
named[2310]: update_record (psearch) failed, dn 'idnsname=newrec,idnsname=example.test,cn=dns,dc=example,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: zone not loaded


5) BIND reload helps:
$ sudo rndc reload
server reload successful

$ dig @127.0.0.1 -t ANY example.test.
;; ->>HEADER<<- opcode: QUERY, status: *NOERROR*, id: 45274


Version-Release number of selected component (if applicable):
bind-dyndb-ldap-2.3-1.el6.x86_64
ipa-server-3.0.0-19.el6.x86_64
ipa-admintools-3.0.0-19.el6.x86_64


How reproducible:
Fine on vm-115, but it is a race condition...


Steps to Reproduce:
above


Actual results:
The new zone returns SERVFAIL.


Expected results:
The new zone is functional.

Comment 2 Petr Spacek 2013-01-09 15:58:33 UTC
Upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/102

Comment 3 RHEL Program Management 2013-01-13 06:47:31 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 Adam Tkac 2013-01-14 14:22:25 UTC
Final patch is available on https://www.redhat.com/archives/freeipa-devel/2013-January/msg00070.html

Comment 5 Adam Tkac 2013-01-14 14:52:57 UTC
(In reply to comment #4)
> Final patch is available on
> https://www.redhat.com/archives/freeipa-devel/2013-January/msg00070.html

Uh, wrong comment, this is patch for bug #895083

Comment 8 Petr Spacek 2013-03-25 15:41:51 UTC
Previous fix was incomplete, it should be completely fixed in upstream by commit 1c6373b2f8952b76cb8b93ed8cba8d444d129049.

Comment 11 Petr Spacek 2013-04-10 08:33:13 UTC
For the record, this is how the test should look:

The goal is to ensure that an invalid zone is automatically reloaded if the problem is fixed by the administrator.

This is important because IPA dnszone-add creates invalid zones for a short period of time, so an 'invalid' zone can exist even after a proper ipa dnszone-add command. Without this patch or a reload, the zone can be non-functional even after a correct dnszone-add command.

1) Create an invalid zone, e.g. a zone without an IP address for the name in the zone's NS record.
2) Add some TXT record to the zone.
3) Dig the TXT record - it should return SERVFAIL, because the zone is invalid.
4) Add some IP address to the name associated with the NS record.
5) Dig the TXT record again - it should return the proper content.


Output from my machine:
# ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns.example.com. --force
  Zone name: example.com.
  Authoritative nameserver: ns.example.com.


# ipa dnsrecord-add example.com. test --txt-rec="hello"
  Record name: test
  TXT record: hello


# dig @127.0.0.1 test.example.com. -t TXT
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;test.example.com.		IN	TXT


# ipa dnsrecord-add example.com. ns --a-rec=127.0.0.1
  Record name: ns
  A record: 127.0.0.1


# dig @127.0.0.1 test.example.com. -t TXT
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10395

;; QUESTION SECTION:
;test.example.com.		IN	TXT

;; ANSWER SECTION:
test.example.com.	86400	IN	TXT	"hello"

;; AUTHORITY SECTION:
example.com.		86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1
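The five-step test above, and the reproducer in the original description, can be scripted so the "zone reloads after the NS address is fixed" behaviour is checked automatically instead of by reading dig output by eye. The following script is an added example, not code from the bug report or from bind-dyndb-ldap; it assumes an IPA server with bind-dyndb-ldap answering on 127.0.0.1 and `ipa` and `dig` in PATH, the zone/record names and the `RUN_LIVE` switch are constructed for the example, and the 2-second wait for the persistent-search update to be processed is an assumption, not a documented timing.

```shell
#!/bin/sh
# Added example (not from the bug report): automates the reload test from
# comment 11. Helper functions are checked offline against constructed dig
# output; the live procedure only runs when RUN_LIVE=1 (assumed switch).

# Print the RCODE (e.g. SERVFAIL, NOERROR) from a dig response header.
# $1: complete dig output
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed when the answer section carries the expected TXT value.
# $1: dig output, $2: owner name (with trailing dot), $3: expected string
has_txt_answer() {
  printf '%s\n' "$1" | grep -q "^$2[[:space:]].*IN[[:space:]]*TXT[[:space:]]*\"$3\""
}

# Constructed dig outputs (modelled on the ones in this bug) for offline checks.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50615
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10395
;; ANSWER SECTION:
test.example.com.	86400	IN	TXT	"hello"'

# Live procedure: create an invalid zone (NS name without an address), add a
# TXT record, expect SERVFAIL, fix the NS address, expect NOERROR.
# $1: zone (with trailing dot), $2: record name, $3: TXT value, $4: NS address
run_reload_test() {
  zone="$1"; rec="$2"; value="$3"; ns_ip="$4"
  # The empty line answers the "Nameserver IP address:" prompt, as in comment 14.
  printf '\n' | ipa dnszone-add "$zone" --admin-email="hostmaster.$zone" \
      --name-server="ns.$zone" --force >/dev/null || return 1
  ipa dnsrecord-add "$zone" "$rec" --txt-rec="$value" >/dev/null || return 1
  before=$(dig @127.0.0.1 "$rec.$zone" -t TXT)
  [ "$(dig_status "$before")" = SERVFAIL ] || { echo "expected SERVFAIL before fix"; return 1; }
  ipa dnsrecord-add "$zone" ns --a-rec="$ns_ip" >/dev/null || return 1
  sleep 2   # assumption: time for the LDAP persistent-search change to be applied
  after=$(dig @127.0.0.1 "$rec.$zone" -t TXT)
  [ "$(dig_status "$after")" = NOERROR ] || { echo "zone was not reloaded"; return 1; }
  has_txt_answer "$after" "$rec.$zone" "$value" || { echo "TXT answer missing"; return 1; }
  echo "invalid zone was reloaded automatically"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_reload_test example.com. test hello 127.0.0.1
fi
```

A run that still prints "zone was not reloaded" after the A record is added is the symptom this bug describes; `rndc reload` is the workaround from the Doc Text until the fixed bind-dyndb-ldap package is installed.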

Comment 14 Xiyang Dong 2014-01-15 15:25:11 UTC
Verified on :
ipa-server-3.3.3-6.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64

[root@70master ipa-ctl]# echo ""|ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns.example.com. --force
Nameserver IP address:   Zone name: example.com.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1389799430
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self *
                      SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ipa-ctl]# ipa dnsrecord-add example.com. test --txt-rec="hello"
  Record name: test
  TXT record: hello
[root@70master ipa-ctl]# dig @127.0.0.1 test.example.com. -t TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> @127.0.0.1 test.example.com. -t TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18754
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com.		IN	TXT

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 15 10:24:33 EST 2014
;; MSG SIZE  rcvd: 45

[root@70master ipa-ctl]# ipa dnsrecord-add example.com. ns --a-rec=127.0.0.1
  Record name: ns
  A record: 127.0.0.1
[root@70master ipa-ctl]# dig @127.0.0.1 test.example.com. -t TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> @127.0.0.1 test.example.com. -t TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com.		IN	TXT

;; ANSWER SECTION:
test.example.com.	86400	IN	TXT	"hello"

;; AUTHORITY SECTION:
example.com.		86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 15 10:24:50 EST 2014
;; MSG SIZE  rcvd: 96

The invalid zone is automatically reloaded

Comment 15 Ludek Smid 2014-06-13 12:01:16 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

