[Freeipa-users] IPA DNS response issue

Petr Spacek pspacek at redhat.com
Wed Mar 19 12:57:24 UTC 2014


On 18.3.2014 15:26, David wrote:
>
> Hi all -
> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
> odd behavior with respect to serving DNS.  Periodically (at random intervals),
> named running on a replica will stop serving requests from the LDAP server but
> continue to respond to recursive requests.  This type of failure causes us
> problems, as you could imagine.  (It doesn't fail cleanly, so clients won't
> request from another server.)  We've adjusted the number of connections each
> named makes to 389, but it doesn't seem to make a difference.  We're not seeing
> anything in the logs, so troubleshooting this is becoming a bit of a
> (high-visibility) puzzle for us.
>
> I do happen to have a core file that I grabbed last night before sending a
> SIGKILL to named and restarting.  (A SIGTERM has no effect.)
>
> Hopefully there's an easy answer here that we can get rolled into the
> environment quickly.  FreeIPA has treated us extraordinarily well so far!
>
> David
>
>
>
> About our configuration:
>
> OS: CentOS 6.5, x86_64
>
> Packages:
> bind-9.8.2-0.23.rc1.el6_5.1.x86_64
> bind-dyndb-ldap-2.3-5.el6.x86_64
> ipa-server-3.0.0-37.el6.x86_64
>
>
> Configuration:
>
> bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37.
>
> The version of bind is 9.8.2-0.23.rc1
>
> Our dynamic-db section of named.conf is as follows:
>
> ----
> dynamic-db "ipa" {
>            library "ldap.so";
>            arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
>            arg "connections 10";
>            arg "base cn=dns, dc=XXX,dc=XXX";
>            arg "fake_mname XXX.ipa.hosted.zone.";
>            arg "auth_method sasl";
>            arg "sasl_mech GSSAPI";
>            arg "sasl_user DNS/XXX.ipa.hosted.zone";
>            arg "zone_refresh 0";
>            arg "psearch yes";
>            arg "serial_autoincrement yes";
>            arg "verbose_checks yes";
> };
> ----
>
> We do not have any text based or DLZ zones configured.
>
> We do not have any global forwarders configured.
>
> We do not have any settings in the global configuration object in LDAP.
>
> ----
> $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
> SASL/GSSAPI authentication started
>
> ...
>
> # dns, XXX.XXX
> dn: cn=dns,dc=XXX,dc=XXX
> objectClass: idnsConfigObject
> objectClass: nsContainer
> objectClass: top
> cn: dns
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ----

Note that David (I guess :-) added logs to the ticket
https://fedorahosted.org/bind-dyndb-ldap/ticket/131
and I'm looking into it.

-- 
Petr^2 Spacek
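The failure mode David describes is awkward for monitoring precisely because named keeps answering: clients see a server that is up but cannot resolve the LDAP-backed zones, so nothing fails over. The following probe is an added example written for this page, not code from the thread, from FreeIPA or from bind-dyndb-ldap. It sends two queries to one replica using only the Python standard library: a non-recursive SOA query for an LDAP-backed zone (RD clear, so the answer must come from the zone data the LDAP driver loaded, not from cache or forwarding) and a recursive A query for an external name. The thread does not say which rcode named returns while the backend is stuck, so the example treats both SERVFAIL and a timeout on the zone query as "not served" when recursion still works; that mapping, the verdict names, and the script name are assumptions. The sample packets in the offline demonstration are constructed, header-only messages.

```python
"""Probe for the failure mode in the report: named still answers recursive
queries, but the LDAP-backed zones are no longer served.  Standard library
only (no dnspython).  Verdict names and the rcode->verdict mapping are this
example's assumptions, not something the thread states."""
import random
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_A, QTYPE_SOA = 1, 6


def build_query(qname, qtype, recursion_desired=False, txid=None):
    """Build an RFC 1035 wire-format query: 12-byte header + one question.
    RD (0x0100) is set only when recursion is wanted, so the authoritative
    probe cannot be satisfied from the cache or by forwarding."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                        for label in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # root label, QTYPE, QCLASS IN
    return txid, header + question


def parse_response(data, expected_txid):
    """Read only the response header: returns (rcode name, answer count, AA flag).
    A transaction-id mismatch is rejected instead of being silently accepted."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: got %#x, expected %#x"
                         % (txid, expected_txid))
    rcode = RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F))
    return rcode, an, bool(flags & 0x0400)


def probe(server, qname, qtype, recursion_desired, timeout=3.0):
    """Send one UDP query; returns parse_response() output, or None on timeout."""
    txid, packet = build_query(qname, qtype, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def classify(auth_result, recursive_result):
    """Turn the two probe results into a verdict.  Either argument is None on
    timeout.  A healthy answer is NOERROR with at least one answer record.
    "ldap-backend-stuck" is the state from the report: recursion still works
    while the LDAP-backed zone returns an error or nothing at all."""
    def healthy(r):
        return r is not None and r[0] == "NOERROR" and r[1] > 0
    auth_ok, rec_ok = healthy(auth_result), healthy(recursive_result)
    if auth_ok and rec_ok:
        return "ok"
    if rec_ok:
        return "ldap-backend-stuck"
    if auth_ok:
        return "recursion-failing"
    return "named-down"


def sample_response(txid, rcode, answer_count, aa=False):
    """Constructed minimal response (header only, no RRs) for offline use."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, answer_count, 0, 0)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage (assumed name): check_ipa_dns.py <replica-ip> <ldap-backed-zone> <external-name>
        server, zone, external = sys.argv[1:4]
        auth = probe(server, zone, QTYPE_SOA, recursion_desired=False)
        rec = probe(server, external, QTYPE_A, recursion_desired=True)
        verdict = classify(auth, rec)
        print("%s: SOA %s -> %s; recursive A %s -> %s; verdict: %s"
              % (server, zone, auth, external, rec, verdict))
        sys.exit(0 if verdict == "ok" else 1)
    # No arguments: show the verdict logic on constructed packets, offline.
    txid = 0x1234
    stuck = parse_response(sample_response(txid, 2, 0), txid)           # SERVFAIL on the zone
    alive = parse_response(sample_response(txid, 0, 1, aa=False), txid)  # recursion still answers
    print("constructed case:", stuck, alive, "->", classify(stuck, alive))
```

Run it from a host the replica allows recursion for, pointing the first argument at the replica and the second at a zone that lives in cn=dns; a non-zero exit on "ldap-backend-stuck" is what lets a monitoring system pull that replica out of rotation, which the clients themselves will not do as long as named keeps answering.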
