On Fri, 2013-09-13 at 09:29 +0200, Petr Spacek wrote:
> Hello list,
> 
> Jan Pazdziora <jpazdzi...@redhat.com> proposed that 'ipa dns*' commands 
> should do some sanity checking/waiting after the record is added to LDAP.
> 
> I think that it could be valuable and I would like to get opinions from 
> freeipa-devel list.
> 
> 
> === The problem ===
> ipa dnsrecord-add and similar commands add the data to LDAP, but it doesn't 
> mean that the data are *immediately* resolvable via DNS protocol. Note that 
> data from LDAP are *asynchronously* read and processed by Named and the time 
> when records are available is not predictable.
> 
> A mismatch between LDAP can be caused by some connection problem between DNS 
> and LDAP servers, LDAP or DNS server restart, or simply by a bug in 
> DNS<->LDAP synchronization code. (This is becoming more and more important 
> if we consider the whole DNSSEC effort and related re-factoring.)
> 
> My experience is that users are very confused if the ipa dnsrecord-add 
> command says 'record added' but it is still not available via DNS. It is 
> really hard to debug when you see the problem first 10 times :-)
> 
> 
> === The proposal ===
> 1. Let the FreeIPA framework change DNS data in LDAP as we do now.
> 2. After each change, do DNS queries for the changed record and wait until 
> the new data are available.
> 
> IMHO it is very cheap operation (in usual cases 1 DNS packet back and forth) 
> and it would save a lot of headaches to users and support.
> 
> This will naturally catch the case where named crashes after the change etc.
> 
> 
> === Expected outcome ===
> There will not be any failure like this:
> 
> $ ipa-adtrust-install
> 
> $ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN 
> --admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP 
> --forward-policy=only --ip-address=$AD_IP
>         Zone name: dom123.example.com
>         [...]
> 
> $ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator --password
>       Password for ad...@dom123.example.com:
>       ipa: ERROR: Cannot find specified domain or server name
> 

Would it make sense to change the code to use dynDNS update to add
records ?

Wouldn't that force named to be in sync ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
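The "query and wait until the new data are available" step from the proposal above, as an added example that is not code from the thread or from FreeIPA. It assumes a caller-supplied lookup function that queries the local named and returns the rdata set for an owner name and type (an empty set on NXDOMAIN/NODATA); the clock and sleep hooks exist only so the wait can be exercised without real delays. It compares the whole rdata set rather than just checking presence, so it also covers modifications and deletions, where the record may be visible but stale.

```python
import time
from typing import Callable, Iterable, Optional, Set

# Hypothetical lookup signature: (owner name, record type) -> set of rdata
# strings as served by named, empty set when the name/type does not exist.
Resolver = Callable[[str, str], Set[str]]


class DnsSyncError(RuntimeError):
    """DNS did not converge on the LDAP change before the timeout."""


def wait_for_record(name: str, rtype: str, expected: Iterable[str],
                    resolve: Resolver, timeout: float = 10.0,
                    interval: float = 0.5, clock=time.monotonic,
                    sleep=time.sleep) -> int:
    """Poll DNS until the (name, rtype) rdata set equals `expected`.

    `expected` is the complete rdata set after the LDAP change: larger after
    dnsrecord-add, smaller after dnsrecord-del, and empty when the last
    record of that type was removed.  Returns the number of queries needed;
    raises DnsSyncError carrying the last observed data when `timeout`
    elapses first, so the caller can report LDAP/DNS divergence instead of
    a misleading "record added".
    """
    want = set(expected)
    deadline = clock() + timeout
    attempts = 0
    seen: Optional[Set[str]] = None
    while True:
        attempts += 1
        seen = set(resolve(name, rtype))
        if seen == want:
            return attempts
        if clock() >= deadline:
            raise DnsSyncError(
                f"{name} {rtype}: DNS still serves {sorted(seen)}, "
                f"LDAP has {sorted(want)} after {attempts} queries")
        sleep(interval)
```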

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel