[Freeipa-devel] DNS improvements: Should we add some sanity checking?

Petr Viktorin pviktori at redhat.com
Fri Sep 13 15:39:54 UTC 2013


On 09/13/2013 10:18 AM, Tomas Babej wrote:
> On 09/13/2013 09:29 AM, Petr Spacek wrote:
>> Hello list,
>>
>> Jan Pazdziora <jpazdziora at redhat.com> proposed that 'ipa dns*'
>> commands should do some sanity checking/waiting after the record is
>> added to LDAP.
>>
>> I think that it could be valuable and I would like to get opinions
>> from freeipa-devel list.
>>
>>
> +1!
>
>> === The problem ===
>> ipa dnsrecord-add and similar commands add the data to LDAP, but it
>> doesn't mean that the data are *immediately* resolvable via DNS
>> protocol. Note that data from LDAP are *asynchronously* read and
>> processed by Named and the time when records are available is not
>> predictable.
>>
>> A mismatch between LDAP can be caused by some connection problem
>> between DNS and LDAP servers, LDAP or DNS server restart, or simply by
>> a bug in DNS<->LDAP synchronization code. (This is becoming more and
>> more important if we consider the whole DNSSEC effort and related
>> re-factoring.)
>>
>> My experience is that users are very confused if the ipa dnsrecord-add
>> command says 'record added' but it is still not available via DNS. It
>> is really hard to debug when you see the problem first 10 times :-)
>>
>>
>> === The proposal ===
>> 1. Let the FreeIPA framework change DNS data in LDAP as we do now.
>> 2. After each change, do DNS queries for changed record and wait until
>> the new data are available.
>>
>> IMHO it is very cheap operation (in usual cases 1 DNS packet back and
>> forth) and it would save a lot of headaches to users and support.
>
> We should make sure that we do not wait indefinitely here in case
> there's something else wrong with the named.
>
> We could wait for DNS data to be made available up to small reasonable
> timeout. If the check succeeds, we can output "Verified: Yes" along with
> the usual ipa dns(whatever) command output. Otherwise, we could print
> out "Verified: No"

I think we should rather add an error message to the output: 
http://www.freeipa.org/page/V3/Messages

> However, it would be nice to print out "Verified: No" in a somewhat
> emphasized manner. I created the following ticket:
>
> https://fedorahosted.org/freeipa/ticket/3930

Messages should already stand out so they won't get lost in the output.
(Which doesn't mean we can't also make them red, if someone wants to
contribute that.)


-- 
Petr³
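The proposed add-then-verify step with a bounded timeout, as an added example in Python (not FreeIPA's own code): the DNS query is an injected callable, and LaggingNamed, FakeClock and the record www.example.test. are constructed stand-ins so the logic runs offline.

```python
import time
from typing import Callable, Iterable


def wait_for_record(name: str, rrtype: str, expected: Iterable[str],
                    query: Callable[[str, str], set], timeout: float = 5.0,
                    interval: float = 0.2, clock=time.monotonic, sleep=time.sleep) -> dict:
    """Poll the DNS server until every rdata in `expected` is served, or give up
    once `timeout` seconds have passed, so a wedged named never blocks the command.
    `query(name, rrtype)` returns the set of rdata strings currently served
    (empty set = NXDOMAIN/NODATA).  Result: {'verified': bool, 'messages': [...]}."""
    expected = set(expected)
    deadline = clock() + timeout
    while True:
        served = set(query(name, rrtype))
        if expected <= served:            # everything we added is now visible
            return {"verified": True, "messages": []}
        if clock() >= deadline:
            break
        sleep(interval)
    msg = ("%s %s was added to LDAP but is not served by DNS after %.1fs "
           "(server answers %s); named may be out of sync with LDAP"
           % (name, rrtype, timeout, sorted(served) or "nothing"))
    return {"verified": False, "messages": [msg]}


class LaggingNamed:
    """Constructed stand-in for named reading LDAP asynchronously: the new
    record is served only after `lag` earlier queries have been answered."""
    def __init__(self, name, rrtype, rdata, lag):
        self.key, self.rdata, self.lag, self.queries = (name, rrtype), set(rdata), lag, 0

    def query(self, name, rrtype):
        self.queries += 1
        return set(self.rdata) if (name, rrtype) == self.key and self.queries > self.lag else set()


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    now = 0.0

    def sleep(self, seconds):
        self.now += seconds


def add_and_verify(lag: int, timeout: float = 5.0) -> dict:
    """Simulate 'ipa dnsrecord-add' followed by the proposed verification step."""
    named = LaggingNamed("www.example.test.", "A", {"192.0.2.10"}, lag)
    clk = FakeClock()
    return wait_for_record("www.example.test.", "A", {"192.0.2.10"}, named.query,
                           timeout=timeout, clock=lambda: clk.now, sleep=clk.sleep)
```

With a short lag the record shows up within a few polls and the result is verified; with a lag longer than the timeout the call returns promptly with verified False and one message for the user.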