[Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

Martin Basti mbasti at redhat.com
Thu Jan 15 19:38:22 UTC 2015 

On 15/01/15 20:24, Martin Basti wrote:
> On 15/01/15 17:13, David Kupka wrote:
>> On 01/15/2015 03:22 PM, David Kupka wrote:
>>> On 01/15/2015 12:43 PM, David Kupka wrote:
>>>> On 01/12/2015 06:34 PM, Martin Basti wrote:
>>>>> On 09/01/15 14:43, David Kupka wrote:
>>>>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>>>>
>>>>>>> Thank you for patch:
>>>>>>>
>>>>>>> 1)
>>>>>>> -        root_logger.error("Cannot update DNS records! "
>>>>>>> -                          "Failed to connect to server '%s'.",
>>>>>>> server)
>>>>>>> +        ips = get_local_ipaddresses()
>>>>>>> +    except CalledProcessError as e:
>>>>>>> +        root_logger.error("Cannot update DNS records. %s" % e)
>>>>>>>
>>>>>>> IMO the error message should be more specific,  add there something
>>>>>>> like
>>>>>>> "Unable to get local IP addresses". at least in log.debug()
>>>>>>>
>>>>>>> 2)
>>>>>>> +    lines = ipresult[0].replace('\\', '').split('\n')
>>>>>>>
>>>>>>> .replace() is not needed
>>>>>>>
>>>>>>> 3)
>>>>>>> +    if len(ips) == 0:
>>>>>>>
>>>>>>> if not ips:
>>>>>>>
>>>>>>> is more pythonic by PEP8
>>>>>>>
>>>>>>>
>>>>>> Thanks for catching these. Updated patch attached.
>>>>>>
>>>>> merciful NACK
>>>>>
>>>>> Thank you for the patch, unfortunately I hit one issue which needs 
>>>>> to be
>>>>> resolved.
>>>>>
>>>>> If "sync PTR" is activated in zone settings, and reverse zone doesn't
>>>>> exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print
>>>>> Error message, 'DNS update failed'. In fact, all A/AAAA records was
>>>>> succesfully updated, only PTR records failed.
>>>>>
>>>>> Bind log:
>>>>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
>>>>> 'vm-101.example.com' AAAA
>>>>>
>>>>> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA
>>>>> 'vm-101.example.com.' refused: unable to find active reverse zone 
>>>>> for IP
>>>>> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>>>>
>>>>> With IPv6 we have several addresses from different reverse zones and
>>>>> this situation may happen often.
>>>>> I suggest following:
>>>>> 1) Print list of addresses which will be updated. (Now if update 
>>>>> fails,
>>>>> user needs to read log, which addresses installer tried to update)
>>>>> 2) Split nsupdates per A/AAAA record.
>>>>> 3a) If failed, check with DNS query if A/AAAA and PTR record are 
>>>>> there
>>>>> and print proper error message
>>>>> 3b) Just print A/AAAA (or PTR) record may not be updated for 
>>>>> particular
>>>>> IP address.
>>>>>
>>>>> Any other suggestions are welcome.
>>>>>
>>>>
>>>> After long discussion with DNS and UX guru I've implemented it this 
>>>> way:
>>>> 1. Call nsupdate only once with all updates.
>>>> 2. Verify that the expected records are resolvable.
>>>> 3. If no print list of missing A/AAAA, list of missing PTR records and
>>>> list to mismatched PTR record.
>>>>
>>>> As this is running inside client we can't much more and it's up to 
>>>> user
>>>> to check what's rotten in his DNS setup.
>>>>
>>>> Updated patch attached.
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>
>>>
>>> One more change to behave well in -crazy- exotic environments that
>>> resolves more PTR records for single IP.
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>
>> Yet another change to make language nerds and our UX guru happy :-)
> Sorry, but NACK.
>
> 1) BIND/dyndb-ldap bug? (if sync_ptr is enabled)
> +        try:
> +            answers = dns.resolver.query(fqdn, record_type)
> +        except dns.resolver.NoAnswer:
> +            if record_type == dns.rdatatype.A:
> +                root_logger.debug('No A record for %s' % fqdn)
> +            elif record_type == dns.rdatatype.AAAA:
> +                root_logger.debug('No AAAA record for %s' % fqdn)
> +        except dns.exception.DNSException as e:
> +            root_logger.debug('DNS resolver error: ' % e)
> +        else:
> +            for rdata in answers:
> +                try:
> +                    missing_ips.remove(rdata.address)
> +                except ValueError:
> +                    extra_ips.append(rdata.address)
>
> This somehow doesn't work, for missing A/AAAA records (4 A/AAAA 
> records expected)
> $host `hostname`
> vm-024.example.com has address 10.16.78.24
> vm-024.example.com has IPv6 address fed0:babe:baab:0:21a:4aff:fe10:4e37
> But I get *no warning*.
>
> == Why ==
> Probably bug in BIND, all AAAA/A records *exists for several seconds*, 
> then bind remove all A/AAAA records without PTR record.
> (Needs more investigation, maybe it is dependent on bind version, in 
> previous testing, the A/AAAA records stay untouched )
>
> This it the older journal from the *same machine* with same packages, 
> where record without PTR haven't been deleted after few seconds
> EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 
> 'vm-101.example.com' A
> EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 
> 'vm-101.example.com' AAAA
> EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 
> 'vm-101.example.com' A
> EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 
> 'vm-101.example.com' AAAA
> vm-101.example.com.' refused: unable to find active reverse zone for 
> IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
> EXAMPLE.COM: updating zone 'idm.example.com/IN': adding an RR at 
> 'vm-101.example.com' AAAA
> vm-101.example.com.' refused: unable to find active reverse zone for 
> IP address 'fed0:babe:baab:0:21a:4aff:fe10:4eaa': not found
> EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 
> 'vm-101.example.com' AAAA
> vm-101.example.com.' refused: unable to find active reverse zone for 
> IP address 'fec0:0:a10:4c00:21a:4aff:fe10:4eaa': not found
> * There is no additional lines related with records above*
>
> Current journal continues with removing records.
>
> The only one change it the new script is checking status of records 
> with DNS query.
>
> IMO expected behavior is, the A/AAAA records should stay untouched.
>
> We can't test if records are there with this BIND behavior.
>
> bind-9.9.6-6.P1.fc21.x86_64
> bind-dyndb-ldap-6.1-1.fc21.x86_64

I investigated deeper, this issue is somehow related with option 
--enable-dns-update (and enabled PTR SYNC).
With this option, only A/AAAA records with PTR are updated.
Without this option all A/AAAA records are updated (with or without PTR)

Is this caused by SSSD?

>
> 2)
> You should also catch
> NXDOMAIN - the query name does not exist
> exception instead of NoAnswer, to have proper debug results. NoAnswer 
> means that the resolver doesnt respond.
>
> Can you also print to debug log, which addresses you test?
>
> 3)
> +        except dns.exception.DNSException as e:
> +            root_logger.debug('DNS resolver error: ' % e)
>
> This will not work, dns python exceptions doesn't contain any text
>
> Log:
> 2015-01-15T17:42:44Z DEBUG DNS resolver error:
> 2015-01-15T17:42:46Z DEBUG DNS resolver error:
> 2015-01-15T17:42:46Z DEBUG DNS resolver error:
>


-- 
Martin Basti

More information about the Freeipa-devel mailing list