[Freeipa-devel] DNS improvements: Should we add some sanity checking?

Simo Sorce simo at redhat.com
Fri Sep 13 16:17:51 UTC 2013


On Fri, 2013-09-13 at 09:29 +0200, Petr Spacek wrote:
> Hello list,
> 
> Jan Pazdziora <jpazdziora at redhat.com> proposed that 'ipa dns*' commands should 
> do some sanity checking/waiting after the record is added to LDAP.
> 
> I think that it could be valuable and I would like to get opinions from 
> freeipa-devel list.
> 
> 
> === The problem ===
> ipa dnsrecord-add and similar commands add the data to LDAP, but it doesn't 
> mean that the data are *immediately* resolvable via DNS protocol. Note that 
> data from LDAP are *asynchronously* read and processed by Named and the time 
> when records are available is not predictable.
> 
> A mismatch between LDAP can be caused by some connection problem between DNS 
> and LDAP servers, LDAP or DNS server restart, or simply by a bug in DNS<->LDAP 
> synchronization code. (This is becoming more and more important if we 
> consider the whole DNSSEC effort and related re-factoring.)
> 
> My experience is that users are very confused if the ipa dnsrecord-add command 
> says 'record added' but it is still not available via DNS. It is really hard 
> to debug when you see the problem first 10 times :-)
> 
> 
> === The proposal ===
> 1. Let the FreeIPA framework change DNS data in LDAP as we do now.
> 2. After each change, do DNS queries for changed record and wait until the new 
> data are available.
> 
> IMHO it is very cheap operation (in usual cases 1 DNS packet back and forth) 
> and it would save a lot of headaches to users and support.
> 
> This will naturally catch the case where named crashes after the change etc.
> 
> 
> === Expected outcome ===
> There will not be any failure like this:
> 
> $ ipa-adtrust-install
> 
> $ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN 
> --admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP 
> --forward-policy=only --ip-address=$AD_IP
> 	  Zone name: dom123.example.com
> 	  [...]
> 
> $ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator --password
> 	Password for admin at DOM123.EXAMPLE.COM:
> 	ipa: ERROR: Cannot find specified domain or server name
> 

Would it make sense to change the code to use dynDNS update to add
records ?

Wouldn't that force named to be in sync ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
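The "write to LDAP, then poll DNS until the record is visible" check proposed above, as an added example that is not part of the thread and not FreeIPA's own code. The names, the `resolve()` callback signature and the simulated `FakeAuthoritativeServer` are assumptions: the callback stands in for a query sent directly to the authoritative named (not through a recursive cache, whose negative-cache entries would only delay the answer), and the fake server reproduces the failure mode Petr describes, where a record written to LDAP shows up in DNS only after some unpredictable delay, or never.

```python
"""Poll an authoritative DNS server until a freshly written record is answered.

Added example, not FreeIPA code. The `resolve(name, rtype)` callback is an
assumption: it must return the set of rdata strings the server currently
answers with (an empty set for NXDOMAIN / NODATA) or raise on transport errors.
"""
import time
from typing import Callable, Dict, Iterable, Set, Tuple

Resolver = Callable[[str, str], Set[str]]


class RecordNotVisible(Exception):
    """Raised when the record did not become resolvable within the timeout."""


def wait_for_record(name: str, rtype: str, expected: Iterable[str],
                    resolve: Resolver, timeout: float = 30.0,
                    interval: float = 0.5,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Return how many queries it took until every expected rdata was answered.

    After `timeout` seconds raise RecordNotVisible carrying the last answer, so
    the caller can tell NODATA (named never picked the change up) from stale
    data (named serves an older version of the record).
    """
    want = frozenset(expected)
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        answered = set(resolve(name, rtype))
        if want <= answered:
            return attempts
        if clock() >= deadline:
            raise RecordNotVisible(
                f"{name} {rtype}: expected {sorted(want)}, server answered "
                f"{sorted(answered)} after {attempts} queries")
        sleep(interval)


# With dnspython installed a real callback could look like this (assumption,
# kept as a comment so the block runs offline); 192.0.2.53 is a placeholder:
#   r = dns.resolver.Resolver(configure=False)
#   r.nameservers = ["192.0.2.53"]          # the IPA DNS server itself
#   def resolve(name, rtype):
#       try:
#           return {rr.to_text() for rr in r.resolve(name, rtype)}
#       except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
#           return set()


class FakeAuthoritativeServer:
    """Constructed stand-in for named reading LDAP asynchronously.

    Records written with ldap_add() become visible to resolve() only once the
    server has been queried `lag` times, which models the unpredictable delay
    between the LDAP write and the DNS answer described in the thread.
    """

    def __init__(self, lag: int) -> None:
        self.lag = lag
        self.queries = 0
        self.zone: Dict[Tuple[str, str], Set[str]] = {}
        self.pending: Dict[Tuple[str, str], Set[str]] = {}

    def ldap_add(self, name: str, rtype: str, rdata: Iterable[str]) -> None:
        """What 'ipa dnsrecord-add' does today: the write lands in LDAP only."""
        self.pending[(name, rtype)] = set(rdata)

    def resolve(self, name: str, rtype: str) -> Set[str]:
        self.queries += 1
        if self.queries >= self.lag:      # named finally syncs from LDAP
            self.zone.update(self.pending)
            self.pending.clear()
        return set(self.zone.get((name, rtype), ()))


class FakeClock:
    """Virtual clock so the demo does not really sleep."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def demo_eventually_synced() -> int:
    """Record appears after the third query; returns the query count (3)."""
    server = FakeAuthoritativeServer(lag=3)
    clock = FakeClock()
    server.ldap_add("host1.example.test.", "A", ["192.0.2.10"])
    return wait_for_record("host1.example.test.", "A", ["192.0.2.10"],
                           server.resolve, timeout=5, interval=1,
                           clock=clock, sleep=clock.sleep)


def demo_never_synced() -> int:
    """named never picks the change up; returns queries sent before giving up."""
    server = FakeAuthoritativeServer(lag=10_000)
    clock = FakeClock()
    server.ldap_add("host2.example.test.", "A", ["192.0.2.11"])
    try:
        wait_for_record("host2.example.test.", "A", ["192.0.2.11"],
                        server.resolve, timeout=5, interval=1,
                        clock=clock, sleep=clock.sleep)
    except RecordNotVisible:
        return server.queries
    raise AssertionError("expected the check to time out")


if __name__ == "__main__":
    print("synced after", demo_eventually_synced(), "queries")
    print("gave up after", demo_never_synced(), "queries")
```

The check is only meaningful against the authoritative server that FreeIPA just wrote to; going through the host's normal resolver would mix in caching and, in a multi-master setup, the record also has to replicate to every other IPA DNS server before a client can rely on it, so a fuller version would loop over all servers in the topology.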
