On 29/04/15 15:40, David Kupka wrote:
On 04/29/2015 02:27 PM, Petr Spacek wrote:
I would like to discuss behavior change which is need for fixing ticket
"PTR record synchronization for A/AAAA record tuple can fail
Currently DNS clients receive SERVFAIL error if A/AAAA record is
respective reverse zone is not configured on the same IPA server.
See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for
It seems to me that #155 is not fixable without following behavior
Client will *not* receive an error if reverse zone is not configured.
Would it be okay to do this change and *do not report an error if
reverse zone is not configured*?
Just for clarification:
If any A/AAAA record update failed, server will return SERVFAIL and
If all A/AAAA records were successfully added, just SRV record is not
created by dyndb-ldap, server returns NOERROR
nsupdate contains A/AAAA/PTR record, if PTR record update failed, server
will return SERVFAIL and rollback changes.
Yes. Client has always chance to check if the reverse records were
created or not. Additionally client only tries to add A/AAAA records
and doesn't know if there are any reverse zones or not.
Yes. Client has no information that PTR records should be created too.
We can just shown warning, the client has no reverse record (we need to
decide if this is right approach)
I think that it could be actually less confusing because it might be an
intentional configuration, too.
E.g. the IPA DNS server might be responsible only for 2 zones:
but it does not mean that the zone 'example.com.' cannot contain A/AAAA
records belonging to other reverse zones.
Currently any attempt to update A/AAAA record which does not belong
zone '2.0.192.in-addr.arpa.' ends with SERVFAIL message and
BIND internally splits update message with multiple requests (e.g.
add multiple A/AAAA records) to steps where one step is does 1 change
resource record at a time. Our plugin can see only separate steps and
whole update message.
Failure in any step terminates the update completely, rest of the update
message is not processed and error is returned to the client. On the
hand, we have no information beforehand if the currently processed
step is the
last one or not so it is impossible to reliably implement 'this
update is the
last one, report the error here' logic.
I do not see a way to change this without changes to BIND internals
it is not worth the effort.
Thank you for your time!
CCing Jakub as this can hit SSSD.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code