[Freeipa-users] Default TTL for DNS records

Petr Spacek pspacek at redhat.com
Tue Oct 22 07:02:14 UTC 2013


On 21.10.2013 19:50, Stephen Ingram wrote:
> On Mon, Oct 21, 2013 at 9:37 AM, Petr Spacek <pspacek at redhat.com> wrote:
>> On 21.10.2013 17:58, Stephen Ingram wrote:
>>> On Sun, Oct 20, 2013 at 11:44 PM, Petr Spacek <pspacek at redhat.com> wrote:
>>>> On 18.10.2013 21:44, Stephen Ingram wrote:
>>>>
>>>>> I'm using IPA 3.0.x on RHEL 6.4 and trying to set up other zones in DNS. I
>>>>> notice that regardless of the TTL set in the SOA for the zone, the
>>>>> individual records default to 86400. I see there has been previous
>>>>> discussion on the list (
>>>>> https://www.redhat.com/archives/freeipa-users/2012-November/msg00158.html
>>>>> )
>>>>> saying that the 86400 value is hard-coded into bind-dyndb-ldap. It appears
>>>>> as though it might be rectified sometime in the 3.3.x series, however, I'm
>>>>> wondering if there is a workaround for now. Is there a way to just delete
>>>>> this value such that the individual records will default to the value in
>>>>> the SOA until a real fix comes along?
>>>>>
>>>>>
>>>> For now, the only workaround is to set TTL explicitly for all affected
>>>> DNS names. Sorry!
>>>>
>>>> $ ipa dnsrecord-mod --help | grep ttl
>>>>     --ttl=INT             Time to live
>>>>
>>>> The most important thing is that SOA TTL is not related to default record
>>>> TTL by definition.
>>>>
>>>> Some details are described here:
>>>> https://www.redhat.com/archives/freeipa-users/2012-November/msg00160.html
>>>>
>>>
>>>
>>> Am I reading this correctly then that you have to set for each *record* vs
>>>
>> I really meant *name*. "ipa dnsrecord-mod" operates on whole DNS name. (It
>> also means that all records under single *name* share the same TTL value.)
>
>
> That's what I thought. I was referring to a name as a record.
>
>
>>> the *zone*. If so, this makes the DNS part of IPA almost unusable except
>>> to those willing to stick with the default 86400 or write a script to handle
>>> each record in the zone. I've been following the list for some time, but
>>> haven't heard much about usage of the DNS component. And, among the users I
>>> speak with, no one uses the DNS component. Perhaps this is the reason why? I
>>>
>> Up to now, nobody has told us that 'DNS part of IPA almost unusable'
>> without a configuration option for default TTL, so it simply didn't get the
>> priority. We have seen stronger demand for DNS views, for example :-)
>
>
> Understood. Perhaps my use case is different than most. If I were using
> scripts, I don't think this would be much of an issue, however, with
> several UI users with varying levels of experience, it is difficult if you
> want to vary TTL per zone instead of per name. After reading the RFC
> referenced in the ticket I see now that the default TTL I was thinking was
> part of the SOA is actually a separate entity. And, thus, I now see why IPA
> needs to also make this distinction.
>
>>
>>> haven't looked at the code yet, but would this be that difficult to fix? I
>>>
>> If you are okay with statically configured TTL for all zones, then it is a
>> five-minute fix. (Simply change the current value and recompile, or add a
>> new parameter to /etc/named.conf.)
>>
> Could you please point me to the code where this static definition happens?

Sure, look for "86400" in the sources :-)

Now seriously, you can change "#define DEFAULT_TTL 86400" in file 
src/ldap_entry.c and recompile the plugin.

>> If you want to define default TTL per-zone in LDAP, then you have to
>> define a new attribute in the LDAP schema, store the default TTL value in
>> zone_register and push it to the record parser as necessary.
>>
>> In https://fedorahosted.org/bind-dyndb-ldap/ticket/70#comment:7 you can see
>> that we are trying to cooperate with the schema/OID space owner to
>> find & standardize some solution.
>>
>> Any contribution is more than welcome! Join us in the ticket and we can
>> discuss various proposals.
>
>
> I see now why this is not a quick solution. I was unaware that the
> attribute to handle this default TTL didn't exist. It looks there are two
> ideas on the table (JHogarth and JCholasta) right now. But, from the ticket
> discussion, it looks like maybe the new attribute is being added instead
> and already in progress?

Yes, it is. We are trying to reach mutual agreement with schema/OID space owner.

-- 
Petr^2 Spacek
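An added example, not part of the thread, of the scripted per-name workaround discussed above: it turns the output of "ipa dnsrecord-find ZONE" into one "ipa dnsrecord-mod ZONE NAME --ttl=..." command per name, so a whole zone can be moved off the hard-coded 86400 default in one pass. The "Record name:" output label and the sample zone listing are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the per-name "ipa dnsrecord-mod --ttl"
# commands that the reply names as the only workaround, so every name in a zone gets
# the same TTL. The "Record name:" label is assumed to match "ipa dnsrecord-find ZONE".

# gen_ttl_mods ZONE TTL  < output of "ipa dnsrecord-find ZONE"
# Prints one dnsrecord-mod command per name. The zone apex "@" is skipped so the
# SOA/NS records living there are left untouched. Review the output before running it.
gen_ttl_mods() {
    zone=$1
    ttl=$2
    # TTL is a non-negative integer number of seconds; reject anything else early.
    case $ttl in
        ''|*[!0-9]*) echo "gen_ttl_mods: TTL must be an integer, got '$ttl'" >&2; return 1 ;;
    esac
    sed -n 's/^[[:space:]]*Record name: *//p' |
    while IFS= read -r name; do
        [ "$name" = "@" ] && continue
        printf 'ipa dnsrecord-mod %s %s --ttl=%s\n' "$zone" "$name" "$ttl"
    done
}

# Constructed sample of what "ipa dnsrecord-find example.test" prints (assumed format).
sample_find_output() {
    cat <<'EOF'
  Record name: @
  NS record: ipa.example.test.
  Record name: ipa
  A record: 192.0.2.10
  Record name: www
  A record: 192.0.2.20
  AAAA record: 2001:db8::20
----------------------------
Number of entries returned 3
----------------------------
EOF
}

# Dry run: print the commands that would be executed. Against a real server:
#   ipa dnsrecord-find example.test | gen_ttl_mods example.test 300 | sh
sample_find_output | gen_ttl_mods example.test 300
```

Because "ipa dnsrecord-mod" operates on a whole name, every record type under that name ends up sharing the TTL, exactly as the reply above describes.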
