On (15/01/15 20:38), Martin Basti wrote:
>On 15/01/15 20:24, Martin Basti wrote:
>>On 15/01/15 17:13, David Kupka wrote:
>>>On 01/15/2015 03:22 PM, David Kupka wrote:
>>>>On 01/15/2015 12:43 PM, David Kupka wrote:
>>>>>On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>>>>On 09/01/15 14:43, David Kupka wrote:
>>>>>>>On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>>>>On 07/01/15 12:27, David Kupka wrote:
>>>>>>>>Thank you for patch:
>>>>>>>>-        root_logger.error("Cannot update DNS records! "
>>>>>>>>-                          "Failed to connect to server '%s'.",
>>>>>>>>+        ips = get_local_ipaddresses()
>>>>>>>>+    except CalledProcessError as e:
>>>>>>>>+        root_logger.error("Cannot update DNS records. %s" % e)
>>>>>>>>IMO the error message should be more specific,  add there something
>>>>>>>>"Unable to get local IP addresses". at least in log.debug()
>>>>>>>>+    lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>>>.replace() is not needed
>>>>>>>>+    if len(ips) == 0:
>>>>>>>>if not ips:
>>>>>>>>is more pythonic by PEP8
>>>>>>>Thanks for catching these. Updated patch attached.
>>>>>>merciful NACK
>>>>>>Thank you for the patch, unfortunately I hit one issue which needs
>>>>>>to be
>>>>>>If "sync PTR" is activated in zone settings, and reverse zone doesn't
>>>>>>exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print
>>>>>>Error message, 'DNS update failed'. In fact, all A/AAAA records was
>>>>>>succesfully updated, only PTR records failed.
>>>>>>Bind log:
>>>>>>named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
>>>>>>'vm-101.example.com' AAAA
>>>>>>named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA
>>>>>>'vm-101.example.com.' refused: unable to find active reverse zone
>>>>>>for IP
>>>>>>address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>>>With IPv6 we have several addresses from different reverse zones and
>>>>>>this situation may happen often.
>>>>>>I suggest following:
>>>>>>1) Print list of addresses which will be updated. (Now if update
>>>>>>user needs to read log, which addresses installer tried to update)
>>>>>>2) Split nsupdates per A/AAAA record.
>>>>>>3a) If failed, check with DNS query if A/AAAA and PTR record are
>>>>>>and print proper error message
>>>>>>3b) Just print A/AAAA (or PTR) record may not be updated for
>>>>>>IP address.
>>>>>>Any other suggestions are welcome.
>>>>>After long discussion with DNS and UX guru I've implemented it this
>>>>>1. Call nsupdate only once with all updates.
>>>>>2. Verify that the expected records are resolvable.
>>>>>3. If no print list of missing A/AAAA, list of missing PTR records and
>>>>>list to mismatched PTR record.
>>>>>As this is running inside client we can't much more and it's up to
>>>>>to check what's rotten in his DNS setup.
>>>>>Updated patch attached.
>>>>>Freeipa-devel mailing list
>>>>One more change to behave well in -crazy- exotic environments that
>>>>resolves more PTR records for single IP.
>>>>Freeipa-devel mailing list
>>>Yet another change to make language nerds and our UX guru happy :-)
>>Sorry, but NACK.
>>1) BIND/dyndb-ldap bug? (if sync_ptr is enabled)
>>+        try:
>>+            answers = dns.resolver.query(fqdn, record_type)
>>+        except dns.resolver.NoAnswer:
>>+            if record_type == dns.rdatatype.A:
>>+                root_logger.debug('No A record for %s' % fqdn)
>>+            elif record_type == dns.rdatatype.AAAA:
>>+                root_logger.debug('No AAAA record for %s' % fqdn)
>>+        except dns.exception.DNSException as e:
>>+            root_logger.debug('DNS resolver error: ' % e)
>>+        else:
>>+            for rdata in answers:
>>+                try:
>>+                    missing_ips.remove(rdata.address)
>>+                except ValueError:
>>+                    extra_ips.append(rdata.address)
>>This somehow doesn't work, for missing A/AAAA records (4 A/AAAA records
>>$host `hostname`
>>vm-024.example.com has address
>>vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37
>>But I get *no warning*.
>>== Why ==
>>Probably bug in BIND, all AAAA/A records *exists for several seconds*, then
>>bind remove all A/AAAA records without PTR record.
>>(Needs more investigation, maybe it is dependent on bind version, in
>>previous testing, the A/AAAA records stay untouched )
>>This it the older journal from the *same machine* with same packages, where
>>record without PTR haven't been deleted after few seconds
>>EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at
>>'vm-101.example.com' A
>>EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at
>>'vm-101.example.com' AAAA
>>EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at
>>'vm-101.example.com' A
>>EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at
>>'vm-101.example.com' AAAA
>>vm-101.example.com.' refused: unable to find active reverse zone for IP
>>address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>EXAMPLE.COM: updating zone 'idm.example.com/IN': adding an RR at
>>'vm-101.example.com' AAAA
>>vm-101.example.com.' refused: unable to find active reverse zone for IP
>>address 'fed0:babe:baab:0:21a:4aff:fe10:4eaa': not found
>>EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at
>>'vm-101.example.com' AAAA
>>vm-101.example.com.' refused: unable to find active reverse zone for IP
>>address 'fec0:0:a10:4c00:21a:4aff:fe10:4eaa': not found
>>* There is no additional lines related with records above*
>>Current journal continues with removing records.
>>The only one change it the new script is checking status of records with
>>DNS query.
>>IMO expected behavior is, the A/AAAA records should stay untouched.
>>We can't test if records are there with this BIND behavior.
>I investigated deeper, this issue is somehow related with option
>--enable-dns-update (and enabled PTR SYNC).
>With this option, only A/AAAA records with PTR are updated.
>Without this option all A/AAAA records are updated (with or without PTR)
>Is this caused by SSSD?
I have no idea what the argument "--enable-dns-update" does.
I would recomment to compare generated sssd.conf.

There are 6 dynamic DNS related options in sssd.
sh$ man sssd-ipa | grep "dyndns_" | grep "("
           dyndns_update (boolean)
           dyndns_ttl (integer)
           dyndns_iface (string)
           dyndns_refresh_interval (integer)
           dyndns_update_ptr (bool)
           dyndns_force_tcp (bool)

You can find default values in sssd-ipa man page.



Freeipa-devel mailing list

Reply via email to