So I just debugged and fixed a problem that the technical fix for makes perfect sense to me... but why it never previously appeared makes no sense at all.
FreeIPA installation is 9 months old. Until recently it has always worked fine.

* Always been on RHEL9
* Always had two core nodes that all sites sync from
* Always had the same DNS domain string: "hostname.dept.internal.example.com" with each dept having 1 or more replicas "idm0.dept.internal.example.com"

This morning I wake to reports that names in "internal.example.com" have disappeared. I look in DNS Zone data and everything is there, but sure enough "dig" returns nothing. So for the first time I peek under the hood at the named zones... and see that it started to refuse to load the internal zone at 12:18am today due to missing glue records for subzone NS delegations.

Easy fix, I go and add 12 glue records for deeper NS records for the dept-level replicas. Bind/named-wise this is a no-brainer. (I'm a little surprised that FreeIPA doesn't do this for you, given that it manages the NS records itself... but I've not previously had reason to peek under the hood)

However... why did this problem take 9 months to appear? I have all the logs from every instance for their entire history and this message has never once been logged prior to 12am today.

1. The FreeIPA software hasn't changed (RHEL is extremely conservative about changes between major versions)
2. The subdomain structure has never changed, other than addition of more departments and more replicas over time

Has our FreeIPA instance gone sentient? Would it like more attention or something? (joking)

On a serious note, this should absolutely be handled by FreeIPA. Since it manages the NS records, and it holds all the replica data, why is a human admin required to provide the glue records?

-- 
Jo Rhett
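Added example, not part of the original post and not FreeIPA or BIND code: a small audit that lists subzone NS delegations whose targets sit inside the delegated name but have no A/AAAA glue in the parent zone, which is the condition the post describes. The department names, addresses and the simplified "owner type rdata" input format are constructed assumptions.

```python
# Added example: flag subzone NS delegations whose in-bailiwick targets lack glue.
# All names and addresses below are constructed sample data.
ZONE = "internal.example.com."
RECORDS = """
internal.example.com.            NS    idm0.internal.example.com.
idm0.internal.example.com.       A     192.0.2.10
sales.internal.example.com.      NS    idm0.sales.internal.example.com.
idm0.sales.internal.example.com. A     192.0.2.20
eng.internal.example.com.        NS    idm0.eng.internal.example.com.
eng.internal.example.com.        NS    idm1.eng.internal.example.com.
idm1.eng.internal.example.com.   AAAA  2001:db8::21
ops.internal.example.com.        NS    ns1.provider.example.net.
"""

def norm(name):
    """Lower-case the name and force exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def is_at_or_below(name, parent):
    """True when name equals parent or is a descendant of it."""
    return name == parent or name.endswith("." + parent)

def parse(text):
    """Parse simplified 'owner type rdata' lines (hypothetical format, not full zone syntax)."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 3:
            records.append((norm(fields[0]), fields[1].upper(), fields[2]))
    return records

def missing_glue(zone, records):
    """Return sorted (delegation, ns_target) pairs that need glue but have none."""
    zone = norm(zone)
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = set()
    for owner, rtype, rdata in records:
        # Only NS records below the zone apex are delegations.
        if rtype != "NS" or owner == zone or not is_at_or_below(owner, zone):
            continue
        target = norm(rdata)
        # Glue is needed only when the target lies at or below the delegation point.
        if is_at_or_below(target, owner) and target not in have_addr:
            missing.add((owner, target))
    return sorted(missing)

if __name__ == "__main__":
    for cut, ns in missing_glue(ZONE, parse(RECORDS)):
        print(f"delegation {cut} -> {ns}: no A/AAAA glue in {ZONE}")
```

Run against an export of the parent zone after each new department or replica is added, so a missing address record is caught before the zone is next reloaded.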