<html>
<head>
<meta content="text/html; charset=ISO-8859-2"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/13/2013 09:29 AM, Petr Spacek
wrote:<br>
</div>
<blockquote cite="mid:5232BEDC.5000000@redhat.com" type="cite">Hello
list,
<br>
<br>
Jan Pazdziora <a class="moz-txt-link-rfc2396E" href="mailto:jpazdziora@redhat.com"><jpazdziora@redhat.com></a> proposed that 'ipa
dns*' commands should do some sanity checking/waiting after the
record is added to LDAP.
<br>
<br>
I think that it could be valuable and I would like to get opinions
from freeipa-devel list.
<br>
<br>
<br>
</blockquote>
+1!<br>
<br>
<blockquote cite="mid:5232BEDC.5000000@redhat.com" type="cite">===
The problem ===
<br>
ipa dnsrecord-add and similar commands add the data to LDAP, but
it doesn't mean that the data are *immediately* resolvable via DNS
protocol. Note that data from LDAP are *asynchronously* read and
processed by Named and the time when records are available is not
predictable.
<br>
<br>
A mismatch between LDAP can be caused by some connection problem
between DNS and LDAP servers, LDAP or DNS server restart, or
simply by a bug in DNS<->LDAP synchronization code. (This is
becoming more and more important if we consider the whole DNSSEC
effort and related re-factoring.)
<br>
<br>
My experience is that users are very confused if the ipa
dnsrecord-add command says 'record added' but it is still not
available via DNS. It is really hard to debug when you see the
problem first 10 times :-)
<br>
<br>
<br>
=== The proposal ===
<br>
1. Let FreeIPA framework to change DNS data in LDAP as we do now.
<br>
2. After each change, do DNS queries for changed record and wait
until the new data are available.
<br>
<br>
IMHO it is very cheap operation (in usual cases 1 DNS packet back
and forth) and it would save a lot of headaches to users and
support.
<br>
</blockquote>
<br>
We should make sure that we do not wait indefinitely here in case
there's something else wrong with the named.<br>
<br>
We could wait for DNS data to be made available up to small
reasonable timeout. If the check succeeds, we can output "Verified:
Yes" along with the usual ipa dns(whatever) command output.
Otherwise, we could print out "Verified: No"<br>
<br>
$ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN
--admin-email=<a class="moz-txt-link-rfc2396E" href="mailto:hostmaster@$AD_DOMAIN.com">"hostmaster@$AD_DOMAIN.com"</a> --force --forwarder=$AD_IP
--forward-policy=only --ip-address=$AD_IP<br>
<br>
Zone name: tbad.ipa.com<br>
Authoritative nameserver: advm.tbad.ipa.com<br>
Administrator e-mail address: hostmaster.tbad.ipa.com.com.<br>
SOA serial: 1378285614<br>
SOA refresh: 3600<br>
SOA retry: 900<br>
SOA expire: 1209600<br>
SOA minimum: 3600<br>
BIND update policy: grant DOM007.TBAD.IPA.COM krb5-self * A; grant
DOM007.TBAD.IPA.COM krb5-self * AAAA; grant<br>
DOM007.TBAD.IPA.COM krb5-self * SSHFP;<br>
Active zone: TRUE<br>
Dynamic update: FALSE<br>
Allow query: any;<br>
Allow transfer: none;<br>
Zone forwarders: 192.168.122.20<br>
Forward policy: only<br>
Verified: Yes<br>
<br>
However, it would be nice to print out "Verified: No" in a somewhat
emphasized manner. I created the following ticket:<br>
<br>
<a href="https://fedorahosted.org/freeipa/ticket/3930">https://fedorahosted.org/freeipa/ticket/3930</a><br>
<br>
<blockquote cite="mid:5232BEDC.5000000@redhat.com" type="cite">
<br>
This will naturally catch the case where named crashes after the
change etc.
<br>
<br>
<br>
=== Expected outcome ===
<br>
There will not be any failure like this:
<br>
<br>
</blockquote>
<br>
We debugged this with Petr few days ago as part of CI testing for
trusts, I'll just provide detailed explanation here:<br>
<br>
<blockquote cite="mid:5232BEDC.5000000@redhat.com" type="cite">$
ipa-adtrust-install
<br>
</blockquote>
<br>
Ipa-adtrust-install restarts Directory Server as one of the
installation steps. Named loses connection to the LDAP server and<br>
by default reconnects in 60 seconds.<br>
<br>
<blockquote cite="mid:5232BEDC.5000000@redhat.com" type="cite">
<br>
$ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN
--admin-email=<a class="moz-txt-link-rfc2396E" href="mailto:hostmaster@$AD_DOMAIN.com">"hostmaster@$AD_DOMAIN.com"</a> --force
--forwarder=$AD_IP --forward-policy=only --ip-address=$AD_IP
<br>
Zone name: dom123.example.com
<br>
[...]
<br>
<br>
</blockquote>
<br>
Ipa dnszone-add writes to LDAP and reports success.<br>
<br>
<blockquote cite="mid:5232BEDC.5000000@redhat.com" type="cite">$ ipa
trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator
--password
<br>
Password for <a class="moz-txt-link-abbreviated" href="mailto:admin@DOM123.EXAMPLE.COM">admin@DOM123.EXAMPLE.COM</a>:
<br>
ipa: ERROR: Cannot find specified domain or server name
<br>
<br>
</blockquote>
<br>
Named is unable to find the domain, since the connection is down.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org</pre>
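Added illustration of the bounded check discussed above (poll DNS after the LDAP write, give up after a small timeout, print "Verified: Yes" or "Verified: No"). This is example code written for this page, not FreeIPA code and not code from anyone on the list. The helper names (`wait_for_record`, `verified_line`, `simulated_named`), the resolver interface, the timeout/interval values and the address 192.0.2.10 are assumptions; `simulated_named` is a constructed stand-in for a named that lags behind LDAP, and the stdlib `socket_a_resolver` only handles A records through the system stub resolver rather than querying the IPA-managed named directly.

```python
"""Added example: poll DNS after an LDAP write, with a bounded wait.

Not FreeIPA code. `wait_for_record` is a hypothetical helper that mirrors
the proposal in the thread: after `ipa dnsrecord-add` writes to LDAP,
query DNS for the changed record until it is served or a small timeout
expires, then report "Verified: Yes" or "Verified: No" instead of
blocking forever when named is down or still reconnecting.
"""
import socket
import time
from typing import Callable, Iterable, Set, Tuple

# A resolver answers (owner name, record type) with the set of rdata strings
# currently served, or an empty set if the name is not (yet) resolvable.
Resolver = Callable[[str, str], Set[str]]


def socket_a_resolver(name: str, rtype: str) -> Set[str]:
    """Stdlib-only resolver for A records (assumption: enough for a demo).

    It goes through the system stub resolver, so /etc/hosts and caches can
    mask the authoritative answer; a real check would query the IPA-managed
    named directly (for example with dnspython) to see what it really serves.
    """
    if rtype != "A":
        raise ValueError("socket_a_resolver only handles A records")
    try:
        _hostname, _aliases, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return set()
    return set(addrs)


def wait_for_record(name: str, rtype: str, expected: Iterable[str],
                    resolve: Resolver, timeout: float = 5.0,
                    interval: float = 0.5,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep
                    ) -> Tuple[bool, int]:
    """Poll until every value in `expected` is served, or `timeout` seconds pass.

    Returns (verified, number_of_queries). The deadline is checked on every
    iteration, so a dead or slowly reconnecting named cannot hang the command.
    `clock` and `sleep` are injectable so the behaviour can be exercised
    without real waiting.
    """
    wanted = set(expected)
    if not wanted:
        raise ValueError("expected must name at least one rdata value")
    deadline = clock() + timeout
    queries = 0
    while True:
        queries += 1
        if wanted <= resolve(name, rtype):
            return True, queries
        if clock() >= deadline:
            return False, queries
        sleep(interval)


def verified_line(verified: bool) -> str:
    """Extra output line in the style of the command output proposed in the thread."""
    return "Verified: Yes" if verified else "Verified: No"


def simulated_named(values: Set[str], ready_after_polls: int):
    """Constructed stand-in for a named that lags behind LDAP (for example while
    it reconnects to the Directory Server after a restart). Returns a resolver
    plus a fake clock/sleep pair so the poller runs without real delays.
    """
    state = {"polls": 0, "now": 0.0}

    def resolve(_name: str, _rtype: str) -> Set[str]:
        state["polls"] += 1
        return set(values) if state["polls"] > ready_after_polls else set()

    def clock() -> float:
        return state["now"]

    def sleep(seconds: float) -> None:
        state["now"] += seconds

    return resolve, clock, sleep


if __name__ == "__main__":
    # Record becomes visible on the third query: verified well inside the timeout.
    resolve, clock, sleep = simulated_named({"192.0.2.10"}, ready_after_polls=2)
    ok, n = wait_for_record("dom123.example.com", "A", ["192.0.2.10"], resolve,
                            timeout=5.0, interval=0.5, clock=clock, sleep=sleep)
    print(verified_line(ok), "after", n, "queries")
    # Named never answers: the command reports Verified: No instead of hanging.
    resolve, clock, sleep = simulated_named({"192.0.2.10"}, ready_after_polls=10 ** 6)
    ok, n = wait_for_record("dom123.example.com", "A", ["192.0.2.10"], resolve,
                            timeout=2.0, interval=0.5, clock=clock, sleep=sleep)
    print(verified_line(ok), "after", n, "queries")
```

The deadline check sits inside the loop rather than around it, which is the property the reply asks for: whatever goes wrong with named, the command returns after at most `timeout` seconds and says so, and the caller can decide whether "Verified: No" should be emphasized or turned into a non-zero exit status.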
</body>
</html>