URL: https://github.com/SSSD/sssd/pull/66
Title: #66: Minor Dynamic DNS fixes

justin-stephenson commented:
"""
@fidencio 
No problem, thanks for looking into this.

1. Once the DNS role is installed, create a Reverse Zone in the AD DNS 
MMC (right-click Reverse-Lookup zones and click New Zone).
2. The idea is that SSSD will create the forward A and reverse zone PTR records 
when nsupdate gets called; the testing of this PR would be done with no 
existing PTR record for this SSSD system.
3. Yes, it is checked. I believe this checkbox only tells AD to update the IP 
address of the PTR record when the forward A record address is manually updated, 
but this checkbox should not be relevant when there is no existing PTR record.
     3.1) Yes, because the problem is nsupdate will still not create the 
Reverse PTR record when the TSIG error is encountered.
4. Sorry, I don't quite follow this last question.

The root problem here is actually that the error `TSIG error with server: tsig 
verify failure` can happen within nsupdate code even when the A/AAAA record is 
successfully added. When this happens, the nsupdate child process returns 
non-zero, which causes SSSD to consider it a failure and abort the PTR record 
update operation. I believe there are various reasons which can cause the error 
mentioned above, but I was able to reproduce one of them with the reproducer 
steps mentioned here in the PR.

This fix will ignore the non-zero update and try to update the PTR record 
regardless of the nsupdate return code. I am planning on submitting a bug to 
nsupdate to address the root issue of why we have the TSIG error but in the 
meantime I think it would be useful to make SSSD more capable of handling 
updates even when there are errors which could happen with nsupdate.

Actually, the ticket **https://fedorahosted.org/sssd/ticket/3227** has a 
comment from pspacek: `If the update failed, the records will be incorrect in 
any case. Personally I think we should try to update all record types and let 
admins to deal with potential inconsistencies.`

Sorry for the long comment, feel free to continue the discussion on IRC or if 
you have any questions let me know. Thank you @fidencio !
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/66#issuecomment-281097299
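
The behaviour discussed in the comment above, sketched as an added example (not SSSD's code and not part of the original comment): forward and PTR updates go to nsupdate as separate runs, and a non-zero exit from the forward run does not stop the PTR attempt. The function names, the `runner` hook, the host name and the addresses are assumptions made for illustration.

```python
import ipaddress
import subprocess

def forward_script(fqdn, addrs, ttl=3600):
    """nsupdate input that replaces the host's A/AAAA records in one transaction."""
    lines = [f"update delete {fqdn}. in A", f"update delete {fqdn}. in AAAA"]
    for a in map(ipaddress.ip_address, addrs):
        rtype = "A" if a.version == 4 else "AAAA"
        lines.append(f"update add {fqdn}. {ttl} in {rtype} {a}")
    return "\n".join(lines + ["send", ""])

def ptr_script(fqdn, addrs, ttl=3600):
    """nsupdate input for the PTR records; one 'send' per address because
    the reverse names may live in different reverse zones."""
    lines = []
    for a in map(ipaddress.ip_address, addrs):
        rev = a.reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
        lines += [f"update delete {rev}. in PTR",
                  f"update add {rev}. {ttl} in PTR {fqdn}.",
                  "send"]
    return "\n".join(lines + [""])

def run_nsupdate(script):
    """Feed a script to nsupdate using GSS-TSIG (-g); return its exit status."""
    return subprocess.run(["nsupdate", "-g"], input=script, text=True).returncode

def update_all(fqdn, addrs, runner=run_nsupdate):
    """Attempt forward and PTR updates independently and report each status,
    so the caller can log a forward failure without skipping the PTR update."""
    results = {}
    for kind, build in (("forward", forward_script), ("ptr", ptr_script)):
        results[kind] = runner(build(fqdn, addrs))  # no early abort on non-zero
    return results

if __name__ == "__main__":
    # Constructed stand-in for nsupdate: the forward run exits non-zero (as
    # with the TSIG verify failure described above), the PTR run succeeds.
    def fake_runner(script):
        return 0 if " in PTR " in script else 2
    print(update_all("client.example.test", ["192.0.2.10"], runner=fake_runner))
```
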