[Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

David Kupka dkupka at redhat.com
Thu Jan 15 11:43:43 UTC 2015


On 01/12/2015 06:34 PM, Martin Basti wrote:
> On 09/01/15 14:43, David Kupka wrote:
>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>> On 07/01/15 12:27, David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>
>>> Thank you for patch:
>>>
>>> 1)
>>> -        root_logger.error("Cannot update DNS records! "
>>> -                          "Failed to connect to server '%s'.", server)
>>> +        ips = get_local_ipaddresses()
>>> +    except CalledProcessError as e:
>>> +        root_logger.error("Cannot update DNS records. %s" % e)
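Review bot: the added `root_logger.error("Cannot update DNS records. %s" % e)` formats the message eagerly with `%`, while the removed lines passed `server` as a lazy formatting argument; keep the logging module's convention and pass the exception as an argument: `root_logger.error("Cannot update DNS records. %s", e)`. Note also that this `except` only handles `CalledProcessError`, so any other failure raised by `get_local_ipaddresses()` propagates out of the `try`; worth confirming that is the intended behaviour.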
>>>
>>> IMO the error message should be more specific, add there something like
>>> "Unable to get local IP addresses", at least in log.debug()
>>>
>>> 2)
>>> +    lines = ipresult[0].replace('\\', '').split('\n')
>>>
>>> .replace() is not needed
>>>
>>> 3)
>>> +    if len(ips) == 0:
>>>
>>> if not ips:
>>>
>>> is more pythonic by PEP8
>>>
>>>
>> Thanks for catching these. Updated patch attached.
>>
> merciful NACK
>
> Thank you for the patch, unfortunately I hit one issue which needs to be
> resolved.
>
> If "sync PTR" is activated in zone settings, and reverse zone doesn't
> exist, nsupdate/BIND returns SERVFAIL and ipa-client-install prints the
> error message 'DNS update failed'. In fact, all A/AAAA records were
> successfully updated, only PTR records failed.
>
> Bind log:
> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
> 'vm-101.example.com' AAAA
>
> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA
> 'vm-101.example.com.' refused: unable to find active reverse zone for IP
> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>
> With IPv6 we have several addresses from different reverse zones and
> this situation may happen often.
> I suggest following:
> 1) Print list of addresses which will be updated. (Now if update fails,
> user needs to read log, which addresses installer tried to update)
> 2) Split nsupdates per A/AAAA record.
> 3a) If failed, check with DNS query if A/AAAA and PTR record are there
> and print proper error message
> 3b) Just print A/AAAA (or PTR) record may not be updated for particular
> IP address.
>
> Any other suggestions are welcome.
>

After long discussion with DNS and UX guru I've implemented it this way:
1. Call nsupdate only once with all updates.
2. Verify that the expected records are resolvable.
3. If not, print the list of missing A/AAAA records, the list of missing PTR
records and the list of mismatched PTR records.

As this is running inside the client we can't do much more and it's up to the user
to check what's rotten in his DNS setup.

Updated patch attached.
-- 
David Kupka
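The verification step described in the message above (after the single nsupdate run, query the expected records and report missing A/AAAA, missing PTR and mismatched PTR records) could be implemented like this. This is an added example, not the FreeIPA patch; it replaces the real resolver with a constructed lookup table (`FAKE_DNS` / `fake_lookup`) so it runs offline, and the hostname and addresses are made up.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

def rev(ip: str) -> str:
    """Reverse (PTR) owner name for an IPv4/IPv6 address, as an FQDN."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

# Constructed stand-in for DNS: (owner name, RR type) -> set of rdata strings.
# A real client would query the resolver instead (e.g. with dnspython).
FAKE_DNS: Dict[Tuple[str, str], Set[str]] = {
    ("vm-101.example.com.", "A"): {"192.0.2.10"},
    ("vm-101.example.com.", "AAAA"): {"2001:db8::10"},
    (rev("192.0.2.10"), "PTR"): {"vm-101.example.com."},   # PTR matches
    (rev("2001:db8::10"), "PTR"): {"other.example.com."},  # PTR mismatched
    # 2001:db8::20 has neither AAAA nor PTR: the "sync PTR"/SERVFAIL case
}

Lookup = Callable[[str, str], Set[str]]

def fake_lookup(name: str, rrtype: str) -> Set[str]:
    return FAKE_DNS.get((name, rrtype), set())

def verify_dns_records(hostname: str, ips: List[str], lookup: Lookup = fake_lookup):
    """Check that each local IP is published as A/AAAA for hostname and that its
    reverse name has a PTR pointing back. Returns (missing_fwd, missing_ptr,
    mismatched_ptr); mismatched entries carry the PTR targets actually found."""
    fqdn = hostname if hostname.endswith(".") else hostname + "."
    missing_fwd, missing_ptr, mismatched_ptr = [], [], []
    for ip_str in ips:
        ip = ipaddress.ip_address(ip_str)
        rrtype = "AAAA" if ip.version == 6 else "A"
        # Normalise rdata so "2001:db8:0::10" and "2001:db8::10" compare equal
        fwd = {str(ipaddress.ip_address(r)) for r in lookup(fqdn, rrtype)}
        if str(ip) not in fwd:
            missing_fwd.append(str(ip))
        ptrs = lookup(rev(ip_str), "PTR")
        if not ptrs:
            missing_ptr.append(str(ip))
        elif fqdn not in ptrs:
            mismatched_ptr.append((str(ip), sorted(ptrs)))
    return missing_fwd, missing_ptr, mismatched_ptr

def report(hostname: str, ips: List[str], lookup: Lookup = fake_lookup) -> List[str]:
    """Human-readable lines in the spirit of the installer's error output."""
    missing_fwd, missing_ptr, mismatched = verify_dns_records(hostname, ips, lookup)
    lines = ["Missing A/AAAA record for %s: %s" % (hostname, ip) for ip in missing_fwd]
    lines += ["Missing reverse record for %s" % ip for ip in missing_ptr]
    lines += ["Reverse record for %s points to %s, not %s" % (ip, ", ".join(t), hostname)
              for ip, t in mismatched]
    return lines
```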
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0035-3-client-Update-DNS-with-all-available-local-IP-addres.patch
Type: text/x-patch
Size: 8172 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150115/2030231c/attachment.bin>