[Freeipa-devel] DNS improvements: Should we add some sanity checking?
Simo Sorce
simo at redhat.com
Fri Sep 13 16:17:51 UTC 2013
On Fri, 2013-09-13 at 09:29 +0200, Petr Spacek wrote:
> Hello list,
>
> Jan Pazdziora <jpazdziora at redhat.com> proposed that 'ipa dns*' commands should
> do some sanity checking/waiting after the record is added to LDAP.
>
> I think that it could be valuable and I would like to get opinions from
> freeipa-devel list.
>
>
> === The problem ===
> ipa dnsrecord-add and similar commands add the data to LDAP, but it doesn't
> mean that the data are *immediately* resolvable via DNS protocol. Note that
> data from LDAP are *asynchronously* read and processed by Named and the time
> when records are available is not predictable.
>
> A mismatch between LDAP can be caused by some connection problem between DNS
> and LDAP servers, LDAP or DNS server restart, or simply by a bug in DNS<->LDAP
> synchronization code. (This is becoming more and more important if we
> consider the whole DNSSEC effort and related re-factoring.)
>
> My experience is that users are very confused if the ipa dnsrecord-add command
> says 'record added' but it is still not available via DNS. It is really hard
> to debug when you see the problem first 10 times :-)
>
>
> === The proposal ===
> 1. Let FreeIPA framework to change DNS data in LDAP as we do now.
> 2. After each change, do DNS queries for changed record and wait until the new
> data are available.
>
> IMHO it is very cheap operation (in usual cases 1 DNS packet back and forth)
> and it would save a lot of headaches to users and support.
>
> This will naturally catch the case where named crashes after the change etc.
>
>
> === Expected outcome ===
> There will not be any failure like this:
>
> $ ipa-adtrust-install
>
> $ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN
> --admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP
> --forward-policy=only --ip-address=$AD_IP
> Zone name: dom123.example.com
> [...]
>
> $ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator --password
> Password for admin at DOM123.EXAMPLE.COM:
> ipa: ERROR: Cannot find specified domain or server name
>
Would it make sense to change the code to use dynDNS update to add
records ?
Wouldn't that force named to be in sync ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
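As an added illustration of the "do DNS queries for the changed record and wait until the new data are available" step proposed above (this is example code, not from the thread and not FreeIPA's own implementation): a minimal A-record check that sends a raw UDP query straight to the named instance (bypassing the system resolver and any cache) and polls until the record written to LDAP is actually answered, giving up after a bounded timeout. The server address, hostname and IP are constructed placeholders, and the reply bytes used in the stand-alone run are built locally with make_a_response so that nothing here needs a live DNS server.

```python
"""Poll an authoritative DNS server until a freshly written A record is visible."""
import socket
import struct
import time


def build_a_query(name, txid=0x1234):
    """Build a wire-format A/IN query (RD set, one question, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_answers(msg, txid):
    """Return (rcode, [IPv4 strings]) from a DNS reply; reject mismatched ids."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def query_a(server, name, timeout=2.0, txid=0x1234):
    """Ask one specific server (e.g. the IPA master's named) for an A record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def wait_for_a_record(name, expected_ip, resolve, timeout=30.0, interval=1.0,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll resolve(name) until it answers NOERROR with expected_ip.

    Returns (True, attempts) on success, (False, attempts) when the deadline
    passes; NXDOMAIN or a stale answer just means named has not yet picked
    up the LDAP change, so keep polling instead of failing immediately.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        rcode, addrs = resolve(name)
        if rcode == 0 and expected_ip in addrs:
            return True, attempts
        if clock() >= deadline:
            return False, attempts
        sleep(interval)


def make_a_response(name, ip, txid=0x1234, ttl=60):
    """Constructed sample reply: NOERROR, echoed question, one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_a_query(name, txid)[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    # Offline demo: the first two polls see NXDOMAIN (LDAP change not yet
    # read by named), the third sees the constructed record. Swap fake_resolve
    # for lambda n: query_a("192.0.2.53", n) against a real (placeholder) server.
    calls = {"n": 0}

    def fake_resolve(name):
        calls["n"] += 1
        if calls["n"] < 3:
            return 3, []          # rcode 3 = NXDOMAIN
        return parse_a_answers(make_a_response(name, "192.0.2.10"), 0x1234)

    print(wait_for_a_record("host.ipa.example", "192.0.2.10", fake_resolve,
                            timeout=10, interval=0, sleep=lambda s: None))
```

Checking the expected rdata, not just "got an answer", matters for the dnsrecord-mod and dnsrecord-del cases too: a stale answer from named looks exactly like success unless the value is compared.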