[Freeipa-devel] DNS improvements: Should we add some sanity checking?

Tomas Babej tbabej at redhat.com
Fri Sep 13 08:18:10 UTC 2013


On 09/13/2013 09:29 AM, Petr Spacek wrote:
> Hello list,
>
> Jan Pazdziora <jpazdziora at redhat.com> proposed that 'ipa dns*' 
> commands should do some sanity checking/waiting after the record is 
> added to LDAP.
>
> I think that it could be valuable and I would like to get opinions 
> from freeipa-devel list.
>
>
+1!

> === The problem ===
> ipa dnsrecord-add and similar commands add the data to LDAP, but it 
> doesn't mean that the data are *immediately* resolvable via DNS 
> protocol. Note that data from LDAP are *asynchronously* read and 
> processed by Named and the time when records are available is not 
> predictable.
>
> A mismatch between LDAP can be caused by some connection problem 
> between DNS and LDAP servers, LDAP or DNS server restart, or simply by 
> a bug in DNS<->LDAP synchronization code. (This is becoming more and 
> more important if we consider the whole DNSSEC effort and related 
> re-factoring.)
>
> My experience is that users are very confused if the ipa dnsrecord-add 
> command says 'record added' but it is still not available via DNS. It 
> is really hard to debug when you see the problem first 10 times :-)
>
>
> === The proposal ===
> 1. Let the FreeIPA framework change DNS data in LDAP as we do now.
> 2. After each change, do DNS queries for changed record and wait until 
> the new data are available.
>
> IMHO it is very cheap operation (in usual cases 1 DNS packet back and 
> forth) and it would save a lot of headaches to users and support.

We should make sure that we do not wait indefinitely here in case 
there's something else wrong with the named.

We could wait for DNS data to be made available up to small reasonable 
timeout. If the check succeeds, we can output "Verified: Yes" along with 
the usual ipa dns(whatever) command output. Otherwise, we could print 
out "Verified: No".

$ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN 
--admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP 
--forward-policy=only --ip-address=$AD_IP

   Zone name: tbad.ipa.com
   Authoritative nameserver: advm.tbad.ipa.com
   Administrator e-mail address: hostmaster.tbad.ipa.com.com.
   SOA serial: 1378285614
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   BIND update policy: grant DOM007.TBAD.IPA.COM krb5-self * A; grant 
DOM007.TBAD.IPA.COM krb5-self * AAAA; grant
                       DOM007.TBAD.IPA.COM krb5-self * SSHFP;
   Active zone: TRUE
   Dynamic update: FALSE
   Allow query: any;
   Allow transfer: none;
   Zone forwarders: 192.168.122.20
   Forward policy: only
   Verified: Yes

However, it would be nice to print out "Verified: No" in a somewhat 
emphasized manner. I created the following ticket:

https://fedorahosted.org/freeipa/ticket/3930

>
> This will naturally catch the case where named crashes after the 
> change etc.
>
>
> === Expected outcome ===
> There will not be any failure like this:
>

We debugged this with Petr few days ago as part of CI testing for 
trusts, I'll just provide detailed explanation here:

> $ ipa-adtrust-install

Ipa-adtrust-install restarts Directory Server as one of the installation 
steps. Named loses connection to the LDAP server and by default 
reconnects in 60 seconds.

>
> $ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN 
> --admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP 
> --forward-policy=only --ip-address=$AD_IP
>       Zone name: dom123.example.com
>       [...]
>

Ipa dnszone-add writes to LDAP and reports success.

> $ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator 
> --password
>     Password for admin at DOM123.EXAMPLE.COM:
>     ipa: ERROR: Cannot find specified domain or server name
>

Named is unable to find the domain, since the connection is down.


-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
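A sketch of the bounded post-change check discussed in this message, added here as an example and not FreeIPA's own code: it polls DNS for the record just written to LDAP and gives up after a small timeout so a stuck named cannot hang the CLI. The names wait_for_record and verified_line and the query/clock/sleep parameters are assumptions; the default lookup goes through the system resolver rather than asking named directly.

```python
import socket
import time

# Added example (not FreeIPA code): verify that a DNS change written to LDAP
# has become resolvable, but never wait longer than a fixed timeout.


def query_a_records(name):
    """Default lookup via the system resolver (A records only).

    Returns the set of IPv4 addresses for ``name``; raises OSError
    (socket.gaierror) when the name does not resolve yet.
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def wait_for_record(name, expected, timeout=5.0, interval=0.5,
                    query=query_a_records, clock=time.monotonic,
                    sleep=time.sleep):
    """Poll ``query(name)`` until it returns all of ``expected`` or ``timeout``
    seconds elapse.

    Returns (verified, attempts).  A resolution failure (NXDOMAIN, SERVFAIL,
    named still reconnecting to LDAP) is treated as "not yet", not as an
    error; the deadline bounds the loop regardless of what named does.
    """
    expected = set(expected)
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            if expected <= query(name):
                return True, attempts
        except OSError:
            pass  # record not resolvable yet; keep polling until the deadline
        if clock() >= deadline:
            return False, attempts
        sleep(min(interval, max(0.0, deadline - clock())))


def verified_line(verified):
    """Render the extra output line proposed for the 'ipa dns*' commands."""
    return "  Verified: %s" % ("Yes" if verified else "No")
```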
