On 09/13/2013 06:17 PM, Simo Sorce wrote:
> On Fri, 2013-09-13 at 09:29 +0200, Petr Spacek wrote:
>> Hello list,
>>
>> Jan Pazdziora <jpazdzi...@redhat.com> proposed that 'ipa dns*' commands should
>> do some sanity checking/waiting after the record is added to LDAP.
>>
>> I think that it could be valuable and I would like to get opinions from the
>> freeipa-devel list.
>>
>>
>> === The problem ===
>> ipa dnsrecord-add and similar commands add the data to LDAP, but it doesn't
>> mean that the data are *immediately* resolvable via the DNS protocol. Note that
>> data from LDAP are *asynchronously* read and processed by named and the time
>> when records are available is not predictable.
>>
>> A mismatch between LDAP can be caused by some connection problem between DNS
>> and LDAP servers, LDAP or DNS server restart, or simply by a bug in DNS<->LDAP
>> synchronization code. (This is becoming more and more important if we
>> consider the whole DNSSEC effort and related re-factoring.)
>>
>> My experience is that users are very confused if the ipa dnsrecord-add command
>> says 'record added' but it is still not available via DNS. It is really hard
>> to debug when you see the problem the first 10 times :-)
>>
>>
>> === The proposal ===
>> 1. Let the FreeIPA framework change DNS data in LDAP as we do now.
>> 2. After each change, do DNS queries for the changed record and wait until the
>> new data are available.
>>
>> IMHO it is a very cheap operation (in usual cases 1 DNS packet back and forth)
>> and it would save a lot of headaches for users and support.
>>
>> This will naturally catch the case where named crashes after the change etc.
>>
>>
>> === Expected outcome ===
>> There will not be any failure like this:
>>
>> $ ipa-adtrust-install
>>
>> $ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN
>> --admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP
>> --forward-policy=only --ip-address=$AD_IP
>> Zone name: dom123.example.com
>> [...]
>>
>> $ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator --password
>> Password for ad...@dom123.example.com:
>> ipa: ERROR: Cannot find specified domain or server name
>>
>
> Would it make sense to change the code to use dynDNS update to add
> records ?
>
> Wouldn't that force named to be in sync ?
>
> Simo.

Switching from the LDAP modify operation to dynDNS update seems like too big a change to me. If nothing else, it would not fly with our LDAP ACI/permission system and the ability to delegate DNS read/write rights to somebody else.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
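A poll-until-served check of the kind step 2 of the quoted proposal describes, as an added example that is not FreeIPA's own code: a resolver callback is queried with capped exponential backoff until every expected rdata value appears in the answer, and the check gives up with a clear negative result if named keeps serving stale or no data past a deadline. The `socket_a_resolver` helper, the `wait_for_record` name and the 192.0.2.10 address are constructed here; `resolve`, `sleep` and `clock` are injectable so the logic can be exercised offline.

```python
"""Poll DNS until a freshly added record is actually served, or give up."""
import socket
import time
from typing import Callable, Iterable, Optional, Set

# (name, rtype) -> set of rdata strings currently served for that name
Resolver = Callable[[str, str], Set[str]]


def socket_a_resolver(name: str, rtype: str) -> Set[str]:
    """Minimal stdlib resolver for A/AAAA records via the system resolver."""
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}[rtype]
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, family)}
    except socket.gaierror:
        return set()  # NXDOMAIN, SERVFAIL or timeout: treat as "not visible yet"


def wait_for_record(resolve: Resolver, name: str, rtype: str,
                    expected: Iterable[str], timeout: float = 10.0,
                    first_delay: float = 0.2, max_delay: float = 2.0,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> Optional[int]:
    """Query until every expected rdata value is in the answer.

    Returns the number of queries it took, or None if `timeout` seconds
    passed while the server still served stale (or no) data for `name`.
    A None result is what the CLI would turn into an explicit error
    instead of a misleading 'record added'.
    """
    want = set(expected)
    start = clock()
    delay = first_delay
    attempts = 0
    while True:
        attempts += 1
        try:
            answer = resolve(name, rtype)
        except OSError:
            answer = set()  # transport-level failure counts as "not yet"
        if want <= answer:  # stale answers lack the new rdata, so keep polling
            return attempts
        if clock() - start >= timeout:
            return None
        sleep(delay)
        delay = min(delay * 2, max_delay)  # exponential backoff, capped
```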