[Freeipa-users] Heads up on dynamic DNS TTL weird behaviour...

[James Hogarth]

Hey all,

Just a quick heads up in for the mailing list archive in case someone
bumps into this after drilling through it a bit in IRC on Friday...

If you are making use of --enable-dns-updates in ipa-client-install
and for whatever reason your client may change its address more often
than once per day after the first update other systems won't pick up
the change for 24 hours...

The cause is down to the difference in how the DNS record is
created/updated on the initial install versus SSSD handling it
later...

The initial install has a hardcoded TTL of 1200 set at line 957 of
/usr/sbin/ipa-client-install (as per Centos 6.3 current)... SSSD has a
hardcoded TTL set of 86400 in the provider ipa/ipa_dyndns.c (line 989
or thereabouts)...

The consequence is that when the system is first registered the DNS
record that gets created only has a TTL of 1200 but if the IP address
changes for that host then the record gets updated with a TTL of 86400
so that other DNS servers (or clients) will then have a day until it
times out (unless caches can be manually cleared) and the correct
address is found for any changes subsequent to that...

This is a bit of an edge case given you'd need 2 changes of IP address
since the initial registration and have SSSD configured to carry out
the DNS updates (rather than a dhcpd/bind integration for example) for
this to have an effect on the environment...

I have filed a bug and a patch with the SSSD mailing list/trac but
changing this locally requires a recompile of SSSD ....

Moving forwards I plan to expose TTL in the IPA UI and provide a
configurable value for TTL for both ipa-client-install and the sssd
updates ...

I'll update the list in a couple of weeks on any progress made...

Kind regards,

James