[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-27 Thread Nicholas Hinds via FreeIPA-users
Apparently this is a known design issue with bind-dyndb-ldap, the glue between bind/named and LDAP. https://bugzilla.redhat.com/show_bug.cgi?id=1071356 mentions this behaviour on startup, and the response was:
> This is "expected" behavior for bind-dyndb-ldap version 4.0 and higher:
> See

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-27 Thread Nicholas Hinds via FreeIPA-users
This might not be entirely related to a FreeIPA upgrade. I have managed to reproduce this by sending lots of queries at bind/named while it's restarting (sudo service named-pkcs11 restart). Sometimes these queries during startup will get unlucky and return NXDOMAIN with invalid authority

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-26 Thread Nicholas Hinds via FreeIPA-users
On Thu, Oct 26, 2017 at 9:17 AM Rob Crittenden wrote:
> Nicholas Hinds wrote:
> > I tried running `sudo service named-pkcs11 stop` before the yum update,
> > but FreeIPA still returned NXDOMAIN responses temporarily.
> You want the service named.
> That service does not

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-26 Thread Nicholas Hinds via FreeIPA-users
I tried running `sudo service named-pkcs11 stop` before the yum update, but FreeIPA still returned NXDOMAIN responses temporarily. It seems like these responses occur about 10 seconds after the last log entry in /var/log/ipaupgrade.log ("The ipa-server-upgrade command was successful"). Based on

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-26 Thread Rob Crittenden via FreeIPA-users
Nicholas Hinds wrote:
> I tried running `sudo service named-pkcs11 stop` before the yum update,
> but FreeIPA still returned NXDOMAIN responses temporarily.

You want the service named.

> It seems like these responses occur about 10 seconds after the last log
> entry in /var/log/ipaupgrade.log

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-24 Thread Rob Crittenden via FreeIPA-users
Nicholas Hinds via FreeIPA-users wrote:
> During an upgrade from 4.5.0-21.el7.centos.1.2
> to 4.5.0-21.el7.centos.2.2 on a CentOS 7.4 machine, FreeIPA's DNS server
> briefly returned NXDOMAIN for records which existed in FreeIPA. These
> invalid responses were returned for a very short amount of