On 15.1.2015 20:49, Lukas Slebodnik wrote:
> On (15/01/15 20:38), Martin Basti wrote:
>> On 15/01/15 20:24, Martin Basti wrote:
>>> On 15/01/15 17:13, David Kupka wrote:
>>>> On 01/15/2015 03:22 PM, David Kupka wrote:
>>>>> On 01/15/2015 12:43 PM, David Kupka wrote:
>>>>>> On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>>>>> On 09/01/15 14:43, David Kupka wrote:
>>>>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>>>>>>
>>>>>>>>> Thank you for the patch:
>>>>>>>>>
>>>>>>>>> 1)
>>>>>>>>> - root_logger.error("Cannot update DNS records! "
>>>>>>>>> - "Failed to connect to server '%s'.",
>>>>>>>>> server)
>>>>>>>>> + ips = get_local_ipaddresses()
>>>>>>>>> + except CalledProcessError as e:
>>>>>>>>> + root_logger.error("Cannot update DNS records. %s" % e)
>>>>>>>>>
>>>>>>>>> IMO the error message should be more specific, add there something like
>>>>>>>>> "Unable to get local IP addresses", at least in log.debug()
>>>>>>>>>
>>>>>>>>> 2)
>>>>>>>>> + lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>>>>
>>>>>>>>> .replace() is not needed
>>>>>>>>>
>>>>>>>>> 3)
>>>>>>>>> + if len(ips) == 0:
>>>>>>>>>
>>>>>>>>> if not ips:
>>>>>>>>>
>>>>>>>>> is more pythonic by PEP8
>>>>>>>>>
>>>>>>>> Thanks for catching these. Updated patch attached.
>>>>>>>>
>>>>>>> merciful NACK
>>>>>>>
>>>>>>> Thank you for the patch, unfortunately I hit one issue which needs to be
>>>>>>> resolved.
>>>>>>>
>>>>>>> If "sync PTR" is activated in zone settings, and reverse zone doesn't
>>>>>>> exist, nsupdate/BIND returns SERVFAIL and ipa-client-install prints
>>>>>>> Error message, 'DNS update failed'. In fact, all A/AAAA records were
>>>>>>> successfully updated, only PTR records failed.
>>>>>>>
>>>>>>> Bind log:
>>>>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' AAAA
>>>>>>>
>>>>>>> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>>>>
>>>>>>> With IPv6 we have several addresses from different reverse zones and
>>>>>>> this situation may happen often.
>>>>>>> I suggest following:
>>>>>>> 1) Print list of addresses which will be updated. (Now if update fails,
>>>>>>> user needs to read log, which addresses installer tried to update)
>>>>>>> 2) Split nsupdates per A/AAAA record.
>>>>>>> 3a) If failed, check with DNS query if A/AAAA and PTR record are there
>>>>>>> and print proper error message
>>>>>>> 3b) Just print A/AAAA (or PTR) record may not be updated for particular
>>>>>>> IP address.
>>>>>>>
>>>>>>> Any other suggestions are welcome.
>>>>>>>
>>>>>>
>>>>>> After long discussion with DNS and UX guru I've implemented it this way:
>>>>>> 1. Call nsupdate only once with all updates.
>>>>>> 2. Verify that the expected records are resolvable.
>>>>>> 3. If not, print list of missing A/AAAA, list of missing PTR records and
>>>>>> list of mismatched PTR records.
>>>>>>
>>>>>> As this is running inside client we can't do much more and it's up to user
>>>>>> to check what's rotten in his DNS setup.
>>>>>>
>>>>>> Updated patch attached.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> [email protected]
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>
>>>>>
>>>>> One more change to behave well in -crazy- exotic environments that
>>>>> resolves more PTR records for single IP.
>>>>>
>>>>
>>>> Yet another change to make language nerds and our UX guru happy :-)
>>> Sorry, but NACK.
>>>
>>> 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled)
>>> + try:
>>> + answers = dns.resolver.query(fqdn, record_type)
>>> + except dns.resolver.NoAnswer:
>>> + if record_type == dns.rdatatype.A:
>>> + root_logger.debug('No A record for %s' % fqdn)
>>> + elif record_type == dns.rdatatype.AAAA:
>>> + root_logger.debug('No AAAA record for %s' % fqdn)
>>> + except dns.exception.DNSException as e:
>>> + root_logger.debug('DNS resolver error: ' % e)
>>> + else:
>>> + for rdata in answers:
>>> + try:
>>> + missing_ips.remove(rdata.address)
>>> + except ValueError:
>>> + extra_ips.append(rdata.address)
>>>
>>> This somehow doesn't work, for missing A/AAAA records (4 A/AAAA records
>>> expected)
>>> $host `hostname`
>>> vm-024.example.com has address 10.16.78.24
>>> vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37
>>> But I get *no warning*.
>>>
>>> == Why ==
>>> Probably bug in BIND, all AAAA/A records *exist for several seconds*, then
>>> bind removes all A/AAAA records without PTR record.
>>> (Needs more investigation, maybe it is dependent on bind version, in
>>> previous testing, the A/AAAA records stay untouched )
>>>
>>> This is the older journal from the *same machine* with same packages, where
>>> record without PTR hasn't been deleted after few seconds
>>> EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' A
>>> EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'vm-101.example.com' AAAA
>>> EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' A
>>> EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' AAAA
>>> vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>> EXAMPLE.COM: updating zone 'idm.example.com/IN': adding an RR at 'vm-101.example.com' AAAA
>>> vm-101.example.com.' refused: unable to find active reverse zone for IP address 'fed0:babe:baab:0:21a:4aff:fe10:4eaa': not found
>>> EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' AAAA
>>> vm-101.example.com.' refused: unable to find active reverse zone for IP address 'fec0:0:a10:4c00:21a:4aff:fe10:4eaa': not found
>>> *There are no additional lines related with records above*
>>>
>>> Current journal continues with removing records.
>>>
>>> The only change in the new script is checking status of records with
>>> DNS query.
>>>
>>> IMO expected behavior is, the A/AAAA records should stay untouched.
>>>
>>> We can't test if records are there with this BIND behavior.
>>>
>>> bind-9.9.6-6.P1.fc21.x86_64
>>> bind-dyndb-ldap-6.1-1.fc21.x86_64
>>
>> I investigated deeper, this issue is somehow related with option
>> --enable-dns-update (and enabled PTR SYNC).
>> With this option, only A/AAAA records with PTR are updated.
>> Without this option all A/AAAA records are updated (with or without PTR)
>>
>> Is this caused by SSSD?
> I have no idea what the argument "--enable-dns-update" does.
> I would recommend to compare generated sssd.conf.
>
> There are 6 dynamic DNS related options in sssd.
> sh$ man sssd-ipa | grep "dyndns_" | grep "("
> dyndns_update (boolean)
> dyndns_ttl (integer)
> dyndns_iface (string)
> dyndns_refresh_interval (integer)
> dyndns_update_ptr (bool)
> dyndns_force_tcp (bool)
>
> You can find default values in sssd-ipa man page.
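Review bot: in the `except dns.exception.DNSException as e:` branch of the quoted resolver hunk, `root_logger.debug('DNS resolver error: ' % e)` has no `%s` placeholder, so the `%` operator itself raises TypeError inside the handler and the original resolver error is replaced by a formatting traceback; it should be `root_logger.debug('DNS resolver error: %s', e)`. The same branch also treats every other DNSException alike: `dns.resolver.NXDOMAIN` (name does not exist) lands there together with timeouts and SERVFAIL, and in both cases nothing is removed from `missing_ips`, so a transient resolver failure is later reported to the user as "all records missing". Catching `NXDOMAIN` next to `NoAnswer` and, for the remaining exceptions, logging that the records could not be verified instead of counting them as missing would keep the client's report honest.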

For the record: This patch uncovers bug https://fedorahosted.org/bind-dyndb-ldap/ticket/155

Also, this patch is meaningless without https://fedorahosted.org/sssd/ticket/2555 ... so all three should be fixed in the same time frame.

-- 
Petr^2 Spacek
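A stand-alone Python sketch of the verification step David describes (one nsupdate run, then check that the expected A/AAAA and PTR records resolve, and list missing A/AAAA, missing PTR and mismatched PTR records). This is an added example, not the FreeIPA patch from the thread. It uses only the standard library: the resolver is an injected callable, the fake zone and every name and address in it are constructed for the demo, and a transient lookup failure is kept apart from a missing record, so that a resolver timeout is reported as "could not verify" rather than counted as a missing record.

```python
"""Post-nsupdate verification as discussed in the thread: after the single
nsupdate run, check that the expected A/AAAA records and their PTR records
resolve and report what is missing or mismatched.  Added example, not the
FreeIPA patch; the resolver is an injected callable so it runs offline."""
import ipaddress
from typing import Callable, Dict, List, NamedTuple


class NxDomain(Exception):
    """Lookup outcome: the queried name does not exist."""


class DnsLookupFailed(Exception):
    """Lookup outcome: transient failure (timeout, SERVFAIL); no information about records."""


# (name, rdtype) -> rdata strings; raises NxDomain / DnsLookupFailed as above.
Lookup = Callable[[str, str], List[str]]


class VerifyResult(NamedTuple):
    missing_forward: List[str]            # expected IPs that have no A/AAAA record
    extra_forward: List[str]              # A/AAAA answers for IPs we did not register
    missing_ptr: List[str]                # expected IPs with no PTR record at all
    mismatched_ptr: Dict[str, List[str]]  # IP -> PTR targets, none of which is our fqdn
    unverified: List[str]                 # queries that failed transiently (not "missing")


def _fqdn(name: str) -> str:
    return name.rstrip('.').lower() + '.'


def verify_dns_update(fqdn: str, expected_ips: List[str], lookup: Lookup) -> VerifyResult:
    fqdn = _fqdn(fqdn)
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    missing_forward = set(expected)
    extra_forward: List[str] = []
    unverified: List[str] = []
    for rdtype, version in (('A', 4), ('AAAA', 6)):
        try:
            answers = lookup(fqdn, rdtype)
        except NxDomain:
            answers = []  # name absent: every expected address of this family is missing
        except DnsLookupFailed as e:
            unverified.append(f'{rdtype} {fqdn}: {e}')
            # A failed query is no evidence of a missing record: leave this family out.
            missing_forward = {ip for ip in missing_forward if ip.version != version}
            continue
        for addr in answers:
            ip = ipaddress.ip_address(addr)
            if ip in expected:
                missing_forward.discard(ip)
            else:
                extra_forward.append(str(ip))
    missing_ptr: List[str] = []
    mismatched_ptr: Dict[str, List[str]] = {}
    for ip in sorted(expected, key=str):
        rev = ip.reverse_pointer + '.'  # e.g. 24.78.16.10.in-addr.arpa.
        try:
            targets = [_fqdn(t) for t in lookup(rev, 'PTR')]
        except NxDomain:
            missing_ptr.append(str(ip))
            continue
        except DnsLookupFailed as e:
            unverified.append(f'PTR {rev}: {e}')
            continue
        if not targets:
            missing_ptr.append(str(ip))
        elif fqdn not in targets:  # several PTRs per IP are fine as long as one is ours
            mismatched_ptr[str(ip)] = targets
    return VerifyResult(sorted(str(ip) for ip in missing_forward), extra_forward,
                        missing_ptr, mismatched_ptr, unverified)


# --- constructed sample data: the names and addresses below are made up -------
SAMPLE_FQDN = 'vm-101.example.com'
SAMPLE_IPS = ['10.16.78.24', '2620:52:0:104c:21a:4aff:fe10:4eaa',
              'fed0:babe:baab:0:21a:4aff:fe10:4eaa']


def _rev(ip: str) -> str:
    return ipaddress.ip_address(ip).reverse_pointer + '.'


def make_fake_lookup(zone: Dict[tuple, object]) -> Lookup:
    """Stand-in resolver: zone maps (name, rdtype) to rdata, or to an exception class."""
    def lookup(name: str, rdtype: str) -> List[str]:
        entry = zone.get((name, rdtype), NxDomain)  # anything not in the zone is NXDOMAIN
        if isinstance(entry, type) and issubclass(entry, Exception):
            raise entry('simulated ' + entry.__name__)
        return list(entry)
    return lookup


def run_sample(aaaa_lookup_fails: bool = False) -> VerifyResult:
    """Thread scenario: the AAAA without a reverse zone was dropped by PTR sync,
    one PTR still points at an old name, and a stale A record is left over."""
    zone: Dict[tuple, object] = {
        ('vm-101.example.com.', 'A'): ['10.16.78.24', '10.16.78.99'],
        ('vm-101.example.com.', 'AAAA'): ['fed0:babe:baab:0:21a:4aff:fe10:4eaa'],
        (_rev('10.16.78.24'), 'PTR'): ['vm-101.example.com.'],
        (_rev('fed0:babe:baab:0:21a:4aff:fe10:4eaa'), 'PTR'): ['old-name.example.com.'],
    }
    if aaaa_lookup_fails:  # simulate a resolver timeout on the AAAA query
        zone[('vm-101.example.com.', 'AAAA')] = DnsLookupFailed
    return verify_dns_update(SAMPLE_FQDN, SAMPLE_IPS, make_fake_lookup(zone))
```

`run_sample()` reproduces the situation from the thread: the address with no reverse zone ends up in both `missing_forward` and `missing_ptr`, the address whose PTR points elsewhere is listed under `mismatched_ptr`, and the leftover A record shows up as `extra_forward`. With `aaaa_lookup_fails=True` the IPv6 addresses are neither counted as missing nor as present; they are reported in `unverified`, which is the distinction the quoted `except dns.exception.DNSException` branch does not make.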
