Re: [Freeipa-users] sssd not updating reverse dns

2011-11-14 Thread Sigbjorn Lie

On 11/14/2011 01:40 PM, Stephen Gallagher wrote:
> On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
> > On 11/13/2011 02:48 PM, Simo Sorce wrote:
> > > On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> > > > Hi,
> > > >
> > > > I notice that when sssd is configured to update DNS, it's only updating
> > > > the DNS forward zone, it's not updating the DNS reverse zone. And I
> > > > cannot find any option for enabling updating of the reverse dns zone.
> > > >
> > > > Have I missed something? Or is updating the reverse zone not supported?
> > > It is not supported at this time.
> > > While we have a way to determine if your host has any right to update
> > > the machine A/AAAA name because we can check if the host authenticated
> > > using a key of type host/<fqdn>@REALM we have no way to validate that
> > > a host has any right to update a PTR record.
> > >
> > > Allowing a host to change any PTR record in any reverse zone would be
> > > very disruptive as a compromised host could change PTR records for
> > > important servers.
> > >
> > Ok, I see the issue.
> >
> > I notice ISC dhcpd adds a TXT record along with the updated record with
> > a string that identifies that host record being "owned" by that dhcpd.
> > And it does not attempt to update DNS if it cannot validate the content
> > of the TXT record, or there already exists a record without a
> > corresponding TXT record.
> >
> > Perhaps a similar approach could be applied to IPA? Using attributes in
> > the LDAP DNS tree instead of TXT records.. ?
>
> SSSD doesn't use LDAP in any way while updating the DNS records. We
> actually just use GSS-TSIG to speak directly to the DNS server. We
> suggested using XML-RPC communication to the FreeIPA server at one
> point, but we decided that it was probably for the best to just stick
> with the standardized approach for now.
>
> The flip side of this is, of course, that we cannot update the PTR
> records (due to the security risks that Simo pointed out). So maybe we
> should consider putting this back on the table.
>
> > > We are trying to make sure (patches, configurations) that reverse
> > > resolution is disabled for kerberos and canonicalization does not use it
> > > by default as it is unreliable in any case.
> > Yes, I've noticed. :) Authentication based on forward/reverse lookups
> > aside, being able to look up reverse IP records does help
> > troubleshooting. And it becomes almost a requirement for being able to
> > manage IPv6 networks.
> >
> > It would be very nice to see reverse address update implemented in SSSD
> > at some point. Is there already an open RFE?
>
> There is no RFE for this yet. Please feel free to open one at
> https://fedorahosted.org/sssd

How about an option in SSSD for reverse update using the same GSS-TSIG,
but turned off by default? IPA seems to be ready for this by setting the
"BIND update policy" and Dynamic update options under DNS ->
reverse-zone -> Settings ?

Hopefully the admin would configure the dhcp dynamic ip range outside of
where he placed the servers, or have the clients on a different subnet
than the servers. Where the server reverse zone can be disabled for
dynamic updates, and the client reverse zone can be enabled for dynamic
updates.

At least having the option would be great. :)

Besides, if the admin manages to configure his dhcp server so that
duplicate IP address allocation occurs, reverse dns will be the least of
his problems. :)



Regards,
Siggi

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sssd not updating reverse dns

2011-11-14 Thread Simo Sorce
On Mon, 2011-11-14 at 07:40 -0500, Stephen Gallagher wrote:
> On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
> > On 11/13/2011 02:48 PM, Simo Sorce wrote:
> > > On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> > >> Hi,
> > >>
> > >> I notice that when sssd is configured to update DNS, it's only updating
> > >> the DNS forward zone, it's not updating the DNS reverse zone. And I
> > >> cannot find any option for enabling updating of the reverse dns zone.
> > >>
> > >> Have I missed something? Or is updating the reverse zone not supported?
> > > It is not supported at this time.
> > > While we have a way to determine if your host has any right to update
> > > the machine A/AAAA name because we can check if the host authenticated
> > > using a key of type host/<fqdn>@REALM we have no way to validate that
> > > a host has any right to update a PTR record.
> > >
> > > Allowing a host to change any PTR record in any reverse zone would be
> > > very disruptive as a compromised host could change PTR records for
> > > important servers.
> > >
> > Ok, I see the issue.
> > 
> > I notice ISC dhcpd adds a TXT record along with the updated record with 
> > a string that identifies that host record being "owned" by that dhcpd. 
> > And it does not attempt to update DNS if it cannot validate the content 
> > of the TXT record, or there already exists a record without a 
> > corresponding TXT record.
> > 
> > Perhaps a similar approach could be applied to IPA? Using attributes in 
> > the LDAP DNS tree instead of TXT records.. ?
> > 
> 
> SSSD doesn't use LDAP in any way while updating the DNS records. We
> actually just use GSS-TSIG to speak directly to the DNS server. We
> suggested using XML-RPC communication to the FreeIPA server at one
> point, but we decided that it was probably for the best to just stick
> with the standardized approach for now.
> 
> The flip side of this is, of course, that we cannot update the PTR
> records (due to the security risks that Simo pointed out). So maybe we
> should consider putting this back on the table.

No, we made some vague plan to have a config option in LDAP and let
bind-dyndb-ldap autonomously change the PTR record if the A/AAAA record
change was successful and we do control the reverse.

This has one downside which is that the same DNS server must be
authoritative and manage both direct and reverse maps, but it allows for
a simpler client side.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
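The authorisation problem Simo describes (a client that authenticated its GSS-TSIG update as host/<fqdn>@REALM can be allowed to rewrite its own forward name, but nothing in that principal ties it to an address, so no rule can safely grant it a PTR) and the server-side alternative he sketches (the server that just accepted the A/AAAA change derives and writes the PTR itself, but only in reverse zones it is authoritative for), modelled in Python as an added example. This is not SSSD, FreeIPA or bind-dyndb-ldap code. The forward-zone rule follows what FreeIPA's default BIND update policy grants (krb5-self for A, AAAA and SSHFP); the realm, the reverse zones, the addresses and the in-memory Server class are assumptions made up for the example.

```python
"""Model of the update-authorisation problem discussed in this thread.

Added example, not SSSD, FreeIPA or bind-dyndb-ldap code.  Realm, zone
names and addresses are made up.  It shows a krb5-self style grant for
the forward zone, why the same idea cannot cover PTR, and a server-side
PTR sync limited to reverse zones this server manages.
"""
import ipaddress

REALM = "IX.TEST.COM"           # assumed realm
FORWARD_ZONE = "ix.test.com"    # forward zone from the log excerpt
SELF_TYPES = ("A", "AAAA", "SSHFP")


class Denied(Exception):
    """An update refused by policy (the server would answer REFUSED)."""


def principal_host(principal):
    """FQDN owned by a host principal, or Denied for anything else."""
    try:
        service, rest = principal.split("/", 1)
        fqdn, realm = rest.rsplit("@", 1)
    except ValueError:
        raise Denied(f"{principal!r} is not a host principal")
    if service != "host" or realm != REALM or not fqdn:
        raise Denied(f"{principal!r} owns no name in {FORWARD_ZONE}")
    return fqdn.lower().rstrip(".")


def authorize(principal, zone, name, rtype):
    """krb5-self rule: the principal may touch SELF_TYPES at its own name.

    PTR is refused before any name comparison: no field of the principal
    could legitimately match a reverse owner name.
    """
    if rtype == "PTR":
        raise Denied("clients are never granted PTR updates")
    if zone != FORWARD_ZONE or rtype not in SELF_TYPES:
        raise Denied(f"no grant covers {rtype} in {zone}")
    if name.lower().rstrip(".") != principal_host(principal):
        raise Denied(f"{principal} may not update {name}")


class Server:
    """In-memory stand-in for the authoritative server.

    reverse_zones: reverse zones this server is authoritative for.  PTRs
    are written only there; a reverse zone we do not own is left alone.
    """

    def __init__(self, reverse_zones):
        self.reverse_zones = [z.lower().rstrip(".") for z in reverse_zones]
        self.records = {}   # (zone, owner, rtype) -> set of rdata strings

    def get(self, zone, owner, rtype):
        return set(self.records.get((zone, owner, rtype), ()))

    def managed_reverse(self, addr):
        """(zone, ptr owner) for addr; zone is None if we don't manage it."""
        owner = ipaddress.ip_address(addr).reverse_pointer
        for zone in self.reverse_zones:
            if owner.endswith("." + zone):
                return zone, owner
        return None, owner

    def update_address(self, principal, name, rtype, addrs):
        """Client update: replace the A or AAAA rrset at name, then sync PTR.

        Returns the addresses whose PTR the server wrote itself.
        """
        authorize(principal, FORWARD_ZONE, name, rtype)
        family = {"A": 4, "AAAA": 6}[rtype]
        new = set()
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.version != family:
                raise Denied(f"{a} is not valid rdata for {rtype}")
            new.add(str(ip))
        fqdn = name.lower().rstrip(".")
        key = (FORWARD_ZONE, fqdn, rtype)
        old = self.get(*key)
        self.records[key] = new
        for a in old - new:              # host moved: drop its stale PTRs
            self._set_ptr(a, fqdn, remove=True)
        return [a for a in sorted(new) if self._set_ptr(a, fqdn)]

    def _set_ptr(self, addr, fqdn, remove=False):
        zone, owner = self.managed_reverse(addr)
        if zone is None:
            return False                 # not our reverse zone, leave it
        key = (zone, owner, "PTR")
        if remove:
            self.records.get(key, set()).discard(fqdn + ".")
        else:
            self.records[key] = {fqdn + "."}
        return True


def denied(fn, *args):
    """True if fn(*args) is refused by policy."""
    try:
        fn(*args)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    srv = Server(["2.0.192.in-addr.arpa", "8.b.d.0.1.0.0.2.ip6.arpa"])
    me = "host/client8.ix.test.com@IX.TEST.COM"
    print(srv.update_address(me, "client8.ix.test.com", "A", ["192.0.2.10"]))
    print(srv.get("2.0.192.in-addr.arpa", "10.2.0.192.in-addr.arpa", "PTR"))
    print(denied(authorize, me, "2.0.192.in-addr.arpa",
                 "10.2.0.192.in-addr.arpa", "PTR"))
```

The same path handles IPv6: `reverse_pointer` produces the nibble-reversed ip6.arpa owner, so a AAAA update for a host in 2001:db8::/32 lands its PTR in 8.b.d.0.1.0.0.2.ip6.arpa with no extra client-side logic, which is the point of doing it on the server. Simo's caveat shows up as the `None` branch in `managed_reverse`: an address whose reverse zone lives elsewhere gets a forward record and no PTR.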



Re: [Freeipa-users] sssd not updating reverse dns

2011-11-14 Thread Stephen Gallagher
On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
> On 11/13/2011 02:48 PM, Simo Sorce wrote:
> > On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> I notice that when sssd is configured to update DNS, it's only updating
> >> the DNS forward zone, it's not updating the DNS reverse zone. And I
> >> cannot find any option for enabling updating of the reverse dns zone.
> >>
> >> Have I missed something? Or is updating the reverse zone not supported?
> > It is not supported at this time.
> > While we have a way to determine if your host has any right to update
> > the machine A/AAAA name because we can check if the host authenticated
> > using a key of type host/<fqdn>@REALM we have no way to validate that
> > a host has any right to update a PTR record.
> >
> > Allowing a host to change any PTR record in any reverse zone would be
> > very disruptive as a compromised host could change PTR records for
> > important servers.
> >
> Ok, I see the issue.
> 
> I notice ISC dhcpd adds a TXT record along with the updated record with 
> a string that identifies that host record being "owned" by that dhcpd. 
> And it does not attempt to update DNS if it cannot validate the content 
> of the TXT record, or there already exists a record without a 
> corresponding TXT record.
> 
> Perhaps a similar approach could be applied to IPA? Using attributes in 
> the LDAP DNS tree instead of TXT records.. ?
> 

SSSD doesn't use LDAP in any way while updating the DNS records. We
actually just use GSS-TSIG to speak directly to the DNS server. We
suggested using XML-RPC communication to the FreeIPA server at one
point, but we decided that it was probably for the best to just stick
with the standardized approach for now.

The flip side of this is, of course, that we cannot update the PTR
records (due to the security risks that Simo pointed out). So maybe we
should consider putting this back on the table.

> > We are trying to make sure (patches, configurations) that reverse
> > resolution is disabled for kerberos and canonicalization does not use it
> > by default as it is unreliable in any case.
> Yes, I've noticed. :) Authentication based on forward/reverse lookups 
> aside, being able to look up reverse IP records does help 
> troubleshooting. And it becomes almost a requirement for being able to 
> manage IPv6 networks.
> 
> It would be very nice to see reverse address update implemented in SSSD 
> at some point. Is there already an open RFE?

There is no RFE for this yet. Please feel free to open one at
https://fedorahosted.org/sssd





Re: [Freeipa-users] sssd not updating reverse dns

2011-11-13 Thread Sigbjorn Lie

On 11/13/2011 02:49 PM, Simo Sorce wrote:
> On Sat, 2011-11-12 at 16:10 +0100, Sigbjorn Lie wrote:
> > On 11/12/2011 03:55 PM, Sigbjorn Lie wrote:
> > > Hi,
> > >
> > > I notice that when sssd is configured to update DNS, it's only
> > > updating the DNS forward zone, it's not updating the DNS reverse zone.
> > > And I cannot find any option for enabling updating of the reverse dns
> > > zone.
> > >
> > > Have I missed something? Or is updating the reverse zone not supported?
> >
> > When I restarted SSSD on one of the clients, named crashed on one of my
> > ipa servers with the output below in the messages log file.
> >
> > Nov 12 16:01:02 ipa01 named[2770]: client
> > 2021:472:dcdd:10:a00:27ff:fe0c:8283#55995: updating zone
> > 'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' A
> > Nov 12 16:01:03 ipa01 named[2770]: zone ix.test.com/IN: sending notifies
> > (serial 2012)
> > Nov 12 16:01:03 ipa01 named[2770]: client
> > 2021:472:dcdd:10:a00:27ff:fe0c:8283#44246: updating zone
> > 'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' AAAA
> > Nov 12 16:01:03 ipa01 named[2770]: client
> > 2021:472:dcdd:10:a00:27ff:fe0c:8283#39501: updating zone
> > 'ix.test.com/IN': adding an RR at 'client8.ix.test.com' A
> > Nov 12 16:01:03 ipa01 named[2770]: rdata.c:814: REQUIRE(rdata != ((void
> > *)0)) failed, back trace
> > Nov 12 16:01:03 ipa01 named[2770]: #0 0x7f3cc069145b in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #1 0x7f3cbe9426da in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #2 0x7f3cbff607ad in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #3 0x7f3cba5cf218 in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #4 0x7f3cba5d2fe0 in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #5 0x7f3cba5cd758 in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #6 0x7f3cbfee502b in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #7 0x7f3cc06af84d in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #8 0x7f3cc06b4824 in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #9 0x7f3cbe9618c8 in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #10 0x7f3cbe318b31 in ??
> > Nov 12 16:01:03 ipa01 named[2770]: #11 0x7f3cbd860d2d in ??
> > Nov 12 16:01:03 ipa01 named[2770]: exiting (due to assertion failure)
> > Nov 12 16:01:03 ipa01 systemd[1]: named.service: main process exited,
> > code=killed, status=6
> > Nov 12 16:04:50 ipa01 systemd[1]: Unit named.service entered failed state.
>
> Can you please install debuginfo packages for named and bind-dyndb-ldap,
> reproduce and open a bug against the bind-dyndb-ldap component. We'll
> want to fix this issue ASAP.
>
> Simo.

Ok, I've done that. I will let you know if/when it happens again.

I also noticed that the "ipactl status" command still displayed: "DNS
Service: RUNNING", even though the DNS service was crashed.



Rgds,
Siggi




Re: [Freeipa-users] sssd not updating reverse dns

2011-11-13 Thread Sigbjorn Lie

On 11/13/2011 02:48 PM, Simo Sorce wrote:
> On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> > Hi,
> >
> > I notice that when sssd is configured to update DNS, it's only updating
> > the DNS forward zone, it's not updating the DNS reverse zone. And I
> > cannot find any option for enabling updating of the reverse dns zone.
> >
> > Have I missed something? Or is updating the reverse zone not supported?
> It is not supported at this time.
> While we have a way to determine if your host has any right to update
> the machine A/AAAA name because we can check if the host authenticated
> using a key of type host/<fqdn>@REALM we have no way to validate that
> a host has any right to update a PTR record.
>
> Allowing a host to change any PTR record in any reverse zone would be
> very disruptive as a compromised host could change PTR records for
> important servers.

Ok, I see the issue.

I notice ISC dhcpd adds a TXT record along with the updated record with
a string that identifies that host record being "owned" by that dhcpd.
And it does not attempt to update DNS if it cannot validate the content
of the TXT record, or there already exists a record without a
corresponding TXT record.

Perhaps a similar approach could be applied to IPA? Using attributes in
the LDAP DNS tree instead of TXT records.. ?

> We are trying to make sure (patches, configurations) that reverse
> resolution is disabled for kerberos and canonicalization does not use it
> by default as it is unreliable in any case.

Yes, I've noticed. :) Authentication based on forward/reverse lookups
aside, being able to look up reverse IP records does help
troubleshooting. And it becomes almost a requirement for being able to
manage IPv6 networks.

It would be very nice to see reverse address update implemented in SSSD
at some point. Is there already an open RFE?



Rgds,
Siggi



Re: [Freeipa-users] sssd not updating reverse dns

2011-11-13 Thread Simo Sorce
On Sat, 2011-11-12 at 16:10 +0100, Sigbjorn Lie wrote:
> On 11/12/2011 03:55 PM, Sigbjorn Lie wrote:
> > Hi,
> >
> > I notice that when sssd is configured to update DNS, it's only 
> > updating the DNS forward zone, it's not updating the DNS reverse zone. 
> > And I cannot find any option for enabling updating of the reverse dns 
> > zone.
> >
> > Have I missed something? Or is updating the reverse zone not supported?
> >
> >
> >
> 
> When I restarted SSSD on one of the clients, named crashed on one of my 
> ipa servers with the output below in the messages log file.
> 
> 
> Nov 12 16:01:02 ipa01 named[2770]: client 
> 2021:472:dcdd:10:a00:27ff:fe0c:8283#55995: updating zone 
> 'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' A
> Nov 12 16:01:03 ipa01 named[2770]: zone ix.test.com/IN: sending notifies 
> (serial 2012)
> Nov 12 16:01:03 ipa01 named[2770]: client 
> 2021:472:dcdd:10:a00:27ff:fe0c:8283#44246: updating zone 
> 'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' AAAA
> Nov 12 16:01:03 ipa01 named[2770]: client 
> 2021:472:dcdd:10:a00:27ff:fe0c:8283#39501: updating zone 
> 'ix.test.com/IN': adding an RR at 'client8.ix.test.com' A
> Nov 12 16:01:03 ipa01 named[2770]: rdata.c:814: REQUIRE(rdata != ((void 
> *)0)) failed, back trace
> Nov 12 16:01:03 ipa01 named[2770]: #0 0x7f3cc069145b in ??
> Nov 12 16:01:03 ipa01 named[2770]: #1 0x7f3cbe9426da in ??
> Nov 12 16:01:03 ipa01 named[2770]: #2 0x7f3cbff607ad in ??
> Nov 12 16:01:03 ipa01 named[2770]: #3 0x7f3cba5cf218 in ??
> Nov 12 16:01:03 ipa01 named[2770]: #4 0x7f3cba5d2fe0 in ??
> Nov 12 16:01:03 ipa01 named[2770]: #5 0x7f3cba5cd758 in ??
> Nov 12 16:01:03 ipa01 named[2770]: #6 0x7f3cbfee502b in ??
> Nov 12 16:01:03 ipa01 named[2770]: #7 0x7f3cc06af84d in ??
> Nov 12 16:01:03 ipa01 named[2770]: #8 0x7f3cc06b4824 in ??
> Nov 12 16:01:03 ipa01 named[2770]: #9 0x7f3cbe9618c8 in ??
> Nov 12 16:01:03 ipa01 named[2770]: #10 0x7f3cbe318b31 in ??
> Nov 12 16:01:03 ipa01 named[2770]: #11 0x7f3cbd860d2d in ??
> Nov 12 16:01:03 ipa01 named[2770]: exiting (due to assertion failure)
> Nov 12 16:01:03 ipa01 systemd[1]: named.service: main process exited, 
> code=killed, status=6
> Nov 12 16:04:50 ipa01 systemd[1]: Unit named.service entered failed state.

Can you please install debuginfo packages for named and bind-dyndb-ldap,
reproduce and open a bug against the bind-dyndb-ldap component. We'll
want to fix this issue ASAP.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] sssd not updating reverse dns

2011-11-13 Thread Simo Sorce
On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> Hi,
> 
> I notice that when sssd is configured to update DNS, it's only updating 
> the DNS forward zone, it's not updating the DNS reverse zone. And I 
> cannot find any option for enabling updating of the reverse dns zone.
> 
> Have I missed something? Or is updating the reverse zone not supported?

It is not supported at this time.
While we have a way to determine if your host has any right to update
the machine A/AAAA name because we can check if the host authenticated
using a key of type host/<fqdn>@REALM we have no way to validate that
a host has any right to update a PTR record.

Allowing a host to change any PTR record in any reverse zone would be
very disruptive as a compromised host could change PTR records for
important servers.

We are trying to make sure (patches, configurations) that reverse
resolution is disabled for kerberos and canonicalization does not use it
by default as it is unreliable in any case.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] sssd not updating reverse dns

2011-11-12 Thread Sigbjorn Lie

On 11/12/2011 03:55 PM, Sigbjorn Lie wrote:
> Hi,
>
> I notice that when sssd is configured to update DNS, it's only
> updating the DNS forward zone, it's not updating the DNS reverse zone.
> And I cannot find any option for enabling updating of the reverse dns
> zone.
>
> Have I missed something? Or is updating the reverse zone not supported?

When I restarted SSSD on one of the clients, named crashed on one of my
ipa servers with the output below in the messages log file.

Nov 12 16:01:02 ipa01 named[2770]: client
2021:472:dcdd:10:a00:27ff:fe0c:8283#55995: updating zone
'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' A
Nov 12 16:01:03 ipa01 named[2770]: zone ix.test.com/IN: sending notifies
(serial 2012)
Nov 12 16:01:03 ipa01 named[2770]: client
2021:472:dcdd:10:a00:27ff:fe0c:8283#44246: updating zone
'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' AAAA
Nov 12 16:01:03 ipa01 named[2770]: client
2021:472:dcdd:10:a00:27ff:fe0c:8283#39501: updating zone
'ix.test.com/IN': adding an RR at 'client8.ix.test.com' A
Nov 12 16:01:03 ipa01 named[2770]: rdata.c:814: REQUIRE(rdata != ((void
*)0)) failed, back trace
Nov 12 16:01:03 ipa01 named[2770]: #0 0x7f3cc069145b in ??
Nov 12 16:01:03 ipa01 named[2770]: #1 0x7f3cbe9426da in ??
Nov 12 16:01:03 ipa01 named[2770]: #2 0x7f3cbff607ad in ??
Nov 12 16:01:03 ipa01 named[2770]: #3 0x7f3cba5cf218 in ??
Nov 12 16:01:03 ipa01 named[2770]: #4 0x7f3cba5d2fe0 in ??
Nov 12 16:01:03 ipa01 named[2770]: #5 0x7f3cba5cd758 in ??
Nov 12 16:01:03 ipa01 named[2770]: #6 0x7f3cbfee502b in ??
Nov 12 16:01:03 ipa01 named[2770]: #7 0x7f3cc06af84d in ??
Nov 12 16:01:03 ipa01 named[2770]: #8 0x7f3cc06b4824 in ??
Nov 12 16:01:03 ipa01 named[2770]: #9 0x7f3cbe9618c8 in ??
Nov 12 16:01:03 ipa01 named[2770]: #10 0x7f3cbe318b31 in ??
Nov 12 16:01:03 ipa01 named[2770]: #11 0x7f3cbd860d2d in ??
Nov 12 16:01:03 ipa01 named[2770]: exiting (due to assertion failure)
Nov 12 16:01:03 ipa01 systemd[1]: named.service: main process exited,
code=killed, status=6
Nov 12 16:04:50 ipa01 systemd[1]: Unit named.service entered failed state.




[Freeipa-users] sssd not updating reverse dns

2011-11-12 Thread Sigbjorn Lie

Hi,

I notice that when sssd is configured to update DNS, it's only updating 
the DNS forward zone, it's not updating the DNS reverse zone. And I 
cannot find any option for enabling updating of the reverse dns zone.


Have I missed something? Or is updating the reverse zone not supported?


Rgds,
Siggi
