[Freeipa-devel] DNS improvements: Should we add some sanity checking?

Martin Kosek mkosek at redhat.com
Mon Sep 16 07:06:02 UTC 2013


On 09/13/2013 06:17 PM, Simo Sorce wrote:
> On Fri, 2013-09-13 at 09:29 +0200, Petr Spacek wrote:
>> Hello list,
>>
>> Jan Pazdziora <jpazdziora at redhat.com> proposed that 'ipa dns*' commands should 
>> do some sanity checking/waiting after the record is added to LDAP.
>>
>> I think that it could be valuable and I would like to get opinions from 
>> freeipa-devel list.
>>
>>
>> === The problem ===
>> ipa dnsrecord-add and similar commands add the data to LDAP, but it doesn't 
>> mean that the data are *immediately* resolvable via DNS protocol. Note that 
>> data from LDAP are *asynchronously* read and processed by Named and the time 
>> when records are available is not predictable.
>>
>> A mismatch between LDAP can be caused by some connection problem between DNS 
>> and LDAP servers, LDAP or DNS server restart, or simply by a bug in DNS<->LDAP 
>> synchronization code. (This is becoming more and more important if we 
>> consider the whole DNSSEC effort and related re-factoring.)
>>
>> My experience is that users are very confused if the ipa dnsrecord-add command 
>> says 'record added' but it is still not available via DNS. It is really hard 
>> to debug when you see the problem the first 10 times :-)
>>
>>
>> === The proposal ===
>> 1. Let the FreeIPA framework change DNS data in LDAP as we do now.
>> 2. After each change, do DNS queries for the changed record and wait until the new 
>> data are available.
>>
>> IMHO it is a very cheap operation (in usual cases 1 DNS packet back and forth) 
>> and it would save a lot of headaches for users and support.
>>
>> This will naturally catch the case where named crashes after the change etc.
>>
>>
>> === Expected outcome ===
>> There will not be any failure like this:
>>
>> $ ipa-adtrust-install
>>
>> $ ipa dnszone-add $AD_DOMAIN --name-server=advm.$AD_DOMAIN 
>> --admin-email="hostmaster@$AD_DOMAIN.com" --force --forwarder=$AD_IP 
>> --forward-policy=only --ip-address=$AD_IP
>> 	  Zone name: dom123.example.com
>> 	  [...]
>>
>> $ ipa trust-add --type=ad DOM123.EXAMPLE.COM --admin Administrator --password
>> 	Password for admin at DOM123.EXAMPLE.COM:
>> 	ipa: ERROR: Cannot find specified domain or server name
>>
> 
> Would it make sense to change the code to use dynDNS update to add
> records?
> 
> Wouldn't that force named to be in sync?
> 
> Simo.

Switching from the LDAP modify operation to dynDNS update seems like too big a change
to me. If nothing else, it would not fly with our LDAP ACI/permission system
and the ability to delegate DNS read/write rights to somebody else.

Martin
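Petr's proposal (step 2: query the changed record after the LDAP write and wait until named serves it) as an added illustration; this is not FreeIPA code. It assumes an injected resolver callback standing in for a query against the local named, replays a constructed lagging answer sequence offline, and on timeout reports whether named returned NXDOMAIN (zone not loaded yet) or stale data, which is the detail that is otherwise so hard to debug.

```python
import time
from typing import Callable, Iterable, List, Optional, Set

# Resolver callback: the set of rdata strings named serves for (name, rtype),
# an empty set if the name exists without that type, None on NXDOMAIN.
# Injected so the polling logic runs offline; a real implementation would
# wrap a DNS query against the local named (assumption, not FreeIPA code).
Resolver = Callable[[str, str], Optional[Set[str]]]


def wait_for_record(name: str, rtype: str, expected: Iterable[str],
                    resolver: Resolver, timeout: float = 30.0,
                    interval: float = 0.5,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll until named answers (name, rtype) with exactly `expected` rdata.
    Returns the number of queries needed. On timeout raises TimeoutError
    that tells "not loaded yet" (NXDOMAIN) from "stale data" (other rdata),
    which is what a user debugging the LDAP/DNS mismatch needs to see."""
    want = set(expected)
    deadline = clock() + timeout
    queries = 0
    while True:
        queries += 1
        seen = resolver(name, rtype)
        if seen is not None and set(seen) == want:
            return queries
        if clock() >= deadline:
            state = "NXDOMAIN" if seen is None else f"rdata {sorted(seen)}"
            raise TimeoutError(
                f"{name} {rtype} not in sync after {queries} queries "
                f"({timeout}s): expected {sorted(want)}, got {state}")
        sleep(interval)
        interval = min(interval * 2, 5.0)  # exponential backoff, capped at 5s


def make_lagging_resolver(answers: List[Optional[Set[str]]]) -> Resolver:
    """Constructed stand-in for named: replays `answers` in order, then keeps
    returning the last one, simulating the asynchronous LDAP->DNS sync."""
    calls = iter(answers)

    def resolve(name: str, rtype: str) -> Optional[Set[str]]:
        return next(calls, answers[-1])
    return resolve


if __name__ == "__main__":
    # Constructed scenario: named answers NXDOMAIN twice, then serves the record.
    lagging = make_lagging_resolver([None, None, {"192.0.2.10"}])
    print(wait_for_record("advm.dom123.example.com", "A", ["192.0.2.10"], lagging))
```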
