[Freeipa-devel] [PATCH] 0645 ipa-replica-prepare: Wait for the DNS entry to be resolvable

Petr Viktorin pviktori at redhat.com
Wed Sep 24 11:47:04 UTC 2014


On 09/23/2014 06:00 PM, Petr Spacek wrote:
> On 22.9.2014 14:09, Petr Viktorin wrote:
>> On 09/22/2014 01:48 PM, Petr Spacek wrote:
>>> On 22.9.2014 10:38, Martin Kosek wrote:
>>>> On 09/22/2014 10:31 AM, Petr Spacek wrote:
>>>>> On 22.9.2014 10:14, Martin Kosek wrote:
>>>>>> On 09/19/2014 07:29 PM, Petr Viktorin wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/4551
>>>>>>>
>>>>>>> See ticket & commit message for details.
>>>>>>
>>>>>> Shouldn't we add a 1 sec sleep between tries? Wouldn't current version just
>>>>>> hammer DNS server with as many DNS queries as it can send?
>>>>>
>>>>> Oh yes, please add some time.sleep() call :-)
>>
>> Wow, no idea how that slipped out. Thanks for the catch.
>>
>>>>> Also I would like to see more detailed message:
>>>>> +        self.log.info('Waiting for hostname %s to be resolvable',
>>>>> +                      self.replica_fqdn)
>>>>>
>>>>> => 'Waiting for hostname %s to be resolvable to A or AAAA record'
>>>>
>>>> <bikeshed>
>>>>
>>>> Really? Shouldn't term "resolvable" already have that covered? A good software
>>>> should work on all network types, whether it is IPv4, IPv6 or IPv8. So I
>>>> personally do not think we need to be that specific and can stick to original
>>>> proposal.
>>>
>>> I will agree with you if you post magic code which will work with DNS
>>> records for IPv8 :-) The code is not going to work with IPv8 just
>>> because we didn't mention 'A/AAAA' in the error message, A and AAAA
>>> RRtypes are hardcoded in the code.
>>
>> +1; we're checking A and AAAA so that's what we should say we're doing.
>>
>> Is this wording OK?
> Little NACK. (However, the wording is fine.)
>
> Tcpdump revealed this:
>
> IP vm-117.test.34067 > vm-133.test.domain: 38467+ A? vm-092.test. (51)
> IP vm-133.test.domain > vm-117.test.34067: 38467 NXDomain* 0/1/0 (116)
> IP vm-117.test.36006 > vm-133.test.domain: 20194+ A? vm-092.test.ipa.example. (63)
> IP vm-133.test.domain > vm-117.test.36006: 20194 NXDomain* 0/1/0 (143)
> IP vm-117.test.51333 > vm-133.test.domain: 34027+ AAAA? vm-092.test. (51)
> IP vm-133.test.domain > vm-117.test.51333: 34027 NXDomain* 0/1/0 (116)
> IP vm-117.test.60373 > vm-133.test.domain: 45679+ AAAA? vm-092.test.ipa.example. (63)
>
> You can see that the query for each A/AAAA type is repeated twice, the
> second time with 'ipa.example.' suffix.
>
> This is caused by search list processing (search directive in
> /etc/resolv.conf) and is highly undesirable. (Read this [1] e-mail if
> you want to hear it from Paul Vixie.)
>
> The fix is simple: You have to be sure that self.replica_fqdn is
> actually absolute FQDN - with the trailing period.
>
> Naive solution would be to use
> dns_answer = resolver.query(self.replica_fqdn + '.', 'A', 'IN')
> but I don't know if self.replica_fqdn variable can contain trailing
> period or not.
>
> Mbasti can show you more advanced code snippets using 'dns.name'.
>
> [1]
> https://lists.dns-oarc.net/pipermail/dns-operations/2014-September/012157.html

Does this version look good?


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0645.3-ipa-replica-prepare-Wait-for-the-DNS-entry-to-be-res.patch
Type: text/x-patch
Size: 4117 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140924/3209c13f/attachment.bin>
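
The two review points raised in this thread (pause between tries, and query the absolute name so the resolv.conf search list is never applied), as an added example that is not the attached patch or FreeIPA's code. The function names, the injectable `lookup` and `sleep` parameters and the default of 60 tries are assumptions; the default lookup needs dnspython.

```python
import time

RRTYPES = ("A", "AAAA")  # the record types the thread says are checked


def absolute_fqdn(hostname):
    """Return hostname with exactly one trailing period (absolute FQDN).

    Works whether or not the caller's value already ends with a period,
    which is the open question about self.replica_fqdn in the thread.
    """
    name = hostname.strip().rstrip(".")
    if not name:
        raise ValueError("empty hostname")
    return name + "."


def dnspython_lookup(qname, rrtype):
    """Default lookup: True if qname has a record of type rrtype."""
    import dns.exception  # imported here so the rest runs without dnspython
    import dns.resolver
    try:
        # An absolute qname makes the resolver skip search-list processing.
        dns.resolver.Resolver().query(qname, rrtype)
        return True
    except dns.exception.DNSException:  # NXDOMAIN, NoAnswer, Timeout, ...
        return False


def wait_for_dns(hostname, lookup=dnspython_lookup, tries=60, delay=1.0,
                 sleep=time.sleep):
    """Poll until hostname resolves to an A or AAAA record.

    Returns the record type that resolved, or None after `tries` attempts.
    tries=60 is an assumed bound; the 1 s delay is the one proposed above.
    """
    qname = absolute_fqdn(hostname)
    for attempt in range(tries):
        for rrtype in RRTYPES:
            if lookup(qname, rrtype):
                return rrtype
        if attempt < tries - 1:
            sleep(delay)  # pause so the DNS server is not hammered
    return None
```

With the absolute name, the tcpdump above would show one query per record type per try, with no second query carrying the 'ipa.example.' suffix.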

