[Freeipa-users] IPA DNS response issue

David freeipa-users at dstipp.mail.coolhack.net
Tue Mar 18 14:26:35 UTC 2014


Hi all - 

We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
odd behavior with respect to serving DNS.  Periodically (interval at random)
named running on a replica will stop serving requests from the LDAP server but
continue to respond with recursive requests.  This type of failure causes us
problems, as you could imagine.  (It doesn't fail cleanly so it won't request
from another server.)  We've adjusted the number of connections each named
makes to 389, but it doesn't seem to make a difference.  We're not seeing
anything in the logs so troubleshooting this is becoming a bit of a
(high-visibility) puzzle to us.

I do happen to have a core file that I grabbed last night before sending a
SIGKILL to named and restarting.  (A SIGTERM has no effect.)

Hopefully there's an easy answer here that we can get rolled into the
environment quickly.  FreeIPA has treated us extraordinarily well so far!

David



About our configuration:

OS: CentOS 6.5, x86_64

Packages:
bind-9.8.2-0.23.rc1.el6_5.1.x86_64
bind-dyndb-ldap-2.3-5.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64


Configuration:

bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37.

The version of bind is 9.8.2-0.23.rc1

Our dynamic-db section of named.conf is as follows:

----
dynamic-db "ipa" {
           library "ldap.so";
           arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
           arg "connections 10";
           arg "base cn=dns, dc=XXX,dc=XXX";
           arg "fake_mname XXX.ipa.hosted.zone.";
           arg "auth_method sasl";
           arg "sasl_mech GSSAPI";
           arg "sasl_user DNS/XXX.ipa.hosted.zone";
           arg "zone_refresh 0";
           arg "psearch yes";
           arg "serial_autoincrement yes";
           arg "verbose_checks yes";
};
----

We do not have any text based or DLZ zones configured.

We do not have any global forwarders configured.

We do not have any settings in the global configuration object in LDAP.

----
$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started

...

# dns, XXX.XXX
dn: cn=dns,dc=XXX,dc=XXX
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: top
cn: dns

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
----
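A health probe for the failure pattern described in this post, added here as an example and not part of the original message: it asks a replica for a record in the LDAP-backed zone and for an external name, and flags the case where only the authoritative query fails while recursion still works. The server, zone host and external name are assumed command-line arguments; the dig output embedded below is constructed for illustration.

```python
"""Probe an IPA replica for the 'LDAP-backed zone dead, recursion alive' state."""
import re
import subprocess

# Constructed dig header output (not captured from the poster's systems).
SAMPLE_HEALTHY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def parse_dig(output):
    """Return (status, flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines,
    or ('TIMEOUT', set()) when dig printed no header (connection timed out)."""
    m = re.search(r"status: ([A-Z]+)", output)
    if not m:
        return "TIMEOUT", set()
    f = re.search(r";; flags: ([a-z ]*);", output)
    flags = set(f.group(1).split()) if f else set()
    return m.group(1), flags

def classify(auth_probe, recursive_probe):
    """Combine a probe of a name in the LDAP-backed zone (must be NOERROR with
    the aa flag) with a probe of an external name (must be NOERROR)."""
    auth_status, auth_flags = auth_probe
    rec_status, _ = recursive_probe
    auth_ok = auth_status == "NOERROR" and "aa" in auth_flags
    rec_ok = rec_status == "NOERROR"
    if auth_ok and rec_ok:
        return "healthy"
    if rec_ok:
        return "ldap-backend-stuck"   # the pattern the post describes
    if auth_ok:
        return "recursion-broken"
    return "down"

def dig(server, name, timeout=3):
    """Query one server; +noall +comments keeps only the header/flags lines."""
    out = subprocess.run(["dig", "@" + server, name, "A", "+noall", "+comments",
                          "+time=%d" % timeout, "+tries=1"],
                         capture_output=True, text=True).stdout
    return parse_dig(out)

if __name__ == "__main__":
    import sys
    # assumed arguments: replica to probe, a host in the IPA zone, an external name
    server, zone_host, external = sys.argv[1:4]
    print(classify(dig(server, zone_host), dig(server, external)))
```

Run it from cron against each replica; a non-"healthy" result is the point at which, per the post, only a restart of named recovers the server.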
