[Freeipa-devel] DNS improvements: Should we add some sanity checking?

Petr Spacek pspacek at redhat.com
Fri Sep 13 07:29:32 UTC 2013


Hello list,

Jan Pazdziora <jpazdziora at redhat.com> proposed that 'ipa dns*' commands should 
do some sanity checking/waiting after the record is added to LDAP.

I think that it could be valuable and I would like to get opinions from 
freeipa-devel list.


=== The problem ===
ipa dnsrecord-add and similar commands add the data to LDAP, but it doesn't 
mean that the data are *immediately* resolvable via DNS protocol. Note that 
data from LDAP are *asynchronously* read and processed by Named and the time 
when records are available is not predictable.

A mismatch between LDAP and DNS can be caused by some connection problem between DNS 
and LDAP servers, LDAP or DNS server restart, or simply by a bug in DNS<->LDAP 
synchronization code. (This is becoming more and more important if we 
consider the whole DNSSEC effort and related re-factoring.)

My experience is that users are very confused if the ipa dnsrecord-add command 
says 'record added' but it is still not available via DNS. It is really hard 
to debug when you see the problem the first 10 times :-)


=== The proposal ===
1. Let the FreeIPA framework change DNS data in LDAP as we do now.
2. After each change, do DNS queries for the changed record and wait until the new 
data are available.

IMHO it is a very cheap operation (in usual cases 1 DNS packet back and forth) 
and it would save a lot of headaches to users and support.

This will naturally catch the case where named crashes after the change etc.
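As an added illustration of step 2 (not code from FreeIPA or from this thread), the
following Python sketch shows the "query and wait" loop: after the LDAP write it polls
the DNS server for the new record, treats resolver errors as "not synchronised yet",
and gives up after a timeout so a crashed or stuck named produces a clear failure
instead of a silent 'record added'. The function and class names
(wait_for_dns_record, LaggingNamed, check_after_add), the zone host.example.test and
the address 192.0.2.10 are all constructed for the example; LaggingNamed stands in for
a real named that lags behind LDAP, so the script runs offline and deterministically.

```python
"""Poll DNS after an LDAP change until the record is visible (constructed example)."""
import socket
import time


def wait_for_dns_record(name, rtype, expected, resolve,
                        timeout=30.0, interval=1.0,
                        sleep=time.sleep, clock=time.monotonic):
    """Query `resolve(name, rtype)` repeatedly until `expected` appears.

    Returns the number of queries it took, or None if `timeout` seconds
    elapsed without the record being served.  Resolver errors (NXDOMAIN,
    SERVFAIL, a restarting named) count as "not there yet", not as success.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            answers = resolve(name, rtype)
        except OSError:
            answers = []
        if expected in answers:
            return attempts
        if clock() >= deadline:
            return None
        sleep(interval)


def getaddrinfo_resolve(name, rtype):
    """Minimal stdlib resolver for A/AAAA records (assumption: the local
    resolver points at the FreeIPA DNS server being checked)."""
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}[rtype]
    return [info[4][0] for info in socket.getaddrinfo(name, None, family)]


class LaggingNamed:
    """Constructed stand-in for named: serves the record only after
    `lag` queries, mimicking asynchronous LDAP->DNS synchronisation."""

    def __init__(self, records, lag):
        self.records = records
        self.lag = lag
        self.queries = 0

    def resolve(self, name, rtype):
        self.queries += 1
        if self.queries <= self.lag:
            raise OSError("NXDOMAIN: not synchronised yet")
        return self.records.get((name, rtype), [])


class FakeClock:
    """Deterministic clock/sleep pair so the example runs instantly."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


def check_after_add(lag, timeout=5.0):
    """Simulate `ipa dnsrecord-add` followed by the proposed verification.

    Returns the number of DNS queries needed, or None when the record never
    showed up before the timeout (the case where named crashed or is stuck).
    """
    named = LaggingNamed({("host.example.test", "A"): ["192.0.2.10"]}, lag)
    fake = FakeClock()
    return wait_for_dns_record("host.example.test", "A", "192.0.2.10",
                               named.resolve, timeout=timeout, interval=1.0,
                               sleep=fake.sleep, clock=lambda: fake.now)


if __name__ == "__main__":
    print("named catches up after 2 queries:", check_after_add(lag=2))
    print("named never catches up within 5s:", check_after_add(lag=10))
```

With the real getaddrinfo_resolve passed in place of named.resolve, the same loop
would be run against the live server right after the LDAP write; the timeout is what
turns "the record silently never appeared" into an error the user sees immediately.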


=== Expected outcome ===
There will not be any failure like this:

$ ipa-adtrust-install

$ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN 
--admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP 
--forward-policy=only --ip-address=$AD_IP
	  Zone name: dom123.example.com
	  [...]

$ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator --password
	Password for admin at DOM123.EXAMPLE.COM:
	ipa: ERROR: Cannot find specified domain or server name

-- 
Petr^2 Spacek



