[Freeipa-devel] IPA server resolv.conf

Petr Spacek pspacek at redhat.com
Mon Sep 17 09:18:53 UTC 2012


On 09/17/2012 09:15 AM, Martin Kosek wrote:
> On 09/17/2012 09:06 AM, Petr Spacek wrote:
>> Discussion about patch "Set master_kdc and dns_lookup_kdc to true)" reminds one
>> related problem:
>>
>> Our server installer puts line "nameserver 127.0.0.1" to /etc/resolv.conf, but
>> this file should contain all (or three nearest) DNS servers in IPA domain.
>>
>> As a result, IPA server will work even after local named crash (which is not as
>> rare as I would like :-().
>>
>> New ticket:
>> https://fedorahosted.org/freeipa/ticket/3085
>>
>> Martin, what do you think?
>>
>> How can we update resolv.conf to reflect replica addition/deletion?
>>
>> Should it be done manually? E.g. ipa-replica-install script can print "don't
>> forget to add this server to /etc/resolv.conf on other servers"?
>>
>> Petr^2 Spacek
>>
>
> It would not be difficult to pull a list of IPA masters with DNS support during
> ipa-{server,replica}-install and write more IPs to the resolv.conf. But I think
> there may be an issue when somebody willingly stops a remote replica or
> uninstalls it. He would also need to remove its IP from all resolv.confs on all
> replicas...
>
> Btw. why would IPA server fail when a local named crashes? A record in
> /etc/hosts we always add should still enable local IPA services to work or do I
> miss something?

Well... try it :-D "service named stop"

I didn't examine the details of this problem, but my guess is Kerberos and reverse 
DNS lookups. Also, you need to resolve the neighbouring replicas' IPs and so on.


Name servers listed in resolv.conf are tried in order, so 127.0.0.1 should be 
in first place.

man resolv.conf:
nameserver Name server IP address
... Up to MAXNS (currently 3, see <resolv.h>) name servers may be
listed, one per keyword. If there are multiple servers, the resolver
library queries them in the order listed.
...
(The algorithm used is to try a name server, and if the query times out, try
the next, until out of name servers, then repeat trying all the name servers
until a maximum number of retries are made.)


Also, some update mechanism for resolv.conf would be nice. We should provide 
a "gen-resolv-conf.py" script at least, so an admin can call it from cron or 
something like that.

Petr^2 Spacek
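An added example (not FreeIPA code) of what the gen-resolv-conf.py script proposed above could do: keep 127.0.0.1 in first place, append remote IPA DNS masters up to the glibc MAXNS limit, and regenerate the whole file from the current master list so that a removed replica drops out on the next run. The domain, master IPs and the timeout option value are constructed sample values.

```python
"""Generate resolv.conf content for an IPA server: the local named first,
then the nearest remote IPA DNS masters, capped at MAXNS (3).
Illustrative example, not part of FreeIPA."""
import ipaddress
from typing import Iterable, List

MAXNS = 3  # glibc resolver limit from <resolv.h>, as quoted in the thread


def select_nameservers(local_ip: str, masters: Iterable[str]) -> List[str]:
    """Return nameserver IPs in the order the resolver should try them.

    local_ip: address the local named listens on (127.0.0.1 on an IPA server).
    masters:  IPs of IPA masters that currently run DNS, nearest first. The
              caller is assumed to fetch this list afresh on every run, so a
              stopped or uninstalled replica disappears automatically.
    """
    ordered = [local_ip]
    for ip in masters:
        addr = ipaddress.ip_address(ip)  # rejects garbage with ValueError
        if addr.is_loopback or str(addr) in ordered:
            continue  # skip duplicates and anything pointing back at us
        ordered.append(str(addr))
        if len(ordered) == MAXNS:
            break  # glibc ignores nameserver lines beyond MAXNS anyway
    return ordered


def render_resolv_conf(domain: str, nameservers: List[str],
                       timeout: int = 2) -> str:
    """Render the file; a short per-server timeout limits the delay before
    the resolver falls over to the next server when local named is down."""
    lines = [f"search {domain}", f"options timeout:{timeout}"]
    lines += [f"nameserver {ip}" for ip in nameservers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: three remote DNS masters plus one duplicate entry.
    SAMPLE_MASTERS = ["192.0.2.11", "192.0.2.12", "192.0.2.11", "192.0.2.13"]
    ns = select_nameservers("127.0.0.1", SAMPLE_MASTERS)
    print(render_resolv_conf("example.test", ns), end="")
```

Writing the result to /etc/resolv.conf and scheduling the run (cron, as suggested above) is left to the caller; the functions only compute the content.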



