[Freeipa-users] Question About Properly Configuring DNS

Petr Spacek pspacek at redhat.com
Wed Oct 29 08:56:21 UTC 2014


On 27.10.2014 19:15, Simo Sorce wrote:
> On Mon, 27 Oct 2014 17:50:13 +0000
> "Trevor T Kates (Services - 6)" <trevor.t.kates at dom.com> wrote:
>
>>> -----Original Message-----
>>> From: Simo Sorce [mailto:simo at redhat.com]
>>> Sent: Monday, October 27, 2014 12:30 PM
>>> To: Trevor T Kates (Services - 6)
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Question About Properly Configuring DNS
>>>
>>> On Mon, 27 Oct 2014 14:07:42 +0000
>>> "Trevor T Kates (Services - 6)" <trevor.t.kates at dom.com> wrote:
>>>
>>>> Hi, all:
>>>>
>>>> I have four servers (two in one location, two in another) running
>>>> IPA 3.0 set to replicate like so:
>>>>
>>>> Location A Server 1 - - - - - - - - Location B Server 1
>>>>                |                                            |
>>>>                |                                            |
>>>>                |                                            |
>>>>                |                                            |
>>>> Location A Server 2 - - - - - - - - Location B Server 2
>>>>
>>>> Each server has DNS configured; however, I think I have configured
>>>> something inappropriately with respect to authoritative records.
>>>>
>>>> I have eight zones configured and ipa dnszone-show for any one of
>>>> them has Location B Server 1's name as authoritative. In each of
>>>> the eight zones, I have added NS records for the other three
>>>> servers. On all of the servers except Location B Server
>>>> 1, /var/log/messages will show:
>>>>
>>>> client x.xxx.x.xxx#14366: received notify for zone
>>>> 'x.xxx.x.in-addr.arpa': not authoritative
>>>>
>>>> This occurs for most, but not all, zones. Along with this:
>>>>
>>>> LDAP query timed out. Try to adjust "timeout" parameter
>>>> update_record (psearch) failed, dn
>>>> 'idnsname=xxx,idnsname=x.xxx.xx.in-addr.arpa.,cn=dns,dc=example,dc=com'
>>>> change type 0x0. Records can be outdated, run `rndc reload`: not
>>>> found
>>>>
>>>> I feel like I've misconfigured a few things along the way and I'd
>>>> love some help. Along with that if anyone has recommendations on
>>>> things I should read to help me better understand what I should be
>>>> doing with DNS, I'd appreciate it.
>>>
>>> Uhmm sounds like a bug in reloading the info in the bind ldap
>>> plugin.
>>>
>>> Can you restart named on one of the other servers and tell if the
>>> warning goes away and/or if the client returns that server as
>>> authoritative after the bounce ?
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>
>> Upon restarting named, 'not authoritative' is not present for any of
>> the zones and dig on clients shows all of the servers as
>> authoritative. The restart of named did not always go cleanly,
>> however. Sometimes, the same timeout issue as before would present
>> itself. Should I not worry about those?
>
> Ok would you be able to open a bug (bugzilla or trac, either is fine)
> for the 2 issues ?
>
> One seems to be that changing the NS record is not causing a proper
> change in authoritative status.
> The second should be about the timeout error you are seeing.

Please keep in mind that bind-dyndb-ldap just reads data from LDAP, so 
naturally changes done in LDAP are not visible in DNS if the directory server is 
not working properly.

The default LDAP search timeout used by bind-dyndb-ldap is 60 seconds, which is *a 
lot*, i.e. it should not happen at all.

I would recommend you dig into the directory server logs in /var/log/dirsrv/ to see 
if there is a problem before you open a bind-dyndb-ldap bug - I would point 
you to the DS logs anyway :-)

Do you see high CPU/memory utilization or something like that? Does the LDAP 
server respond to a normal LDAP query when you see messages like "LDAP query 
timeout"?

Which version of bind-dyndb-ldap and 389-ds-base do you use?

-- 
Petr^2 Spacek
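The checklist in the thread (pull the "not authoritative" NOTIFY refusals and the LDAP timeouts out of named's log, look at the directory server before blaming the DNS plugin, check which server answers with the "aa" flag, and record the package versions) as a small shell triage script. This is an added example, not code from the thread or from the FreeIPA / bind-dyndb-ldap projects; it assumes named logs to /var/log/messages in the format quoted above, that 389-ds error logs live under the default /var/log/dirsrv/slapd-*/ directory, and that rpm and ldapsearch are the local tools. The sample log lines are constructed to match the quoted messages; the live checks only run when the tools exist.

```shell
#!/bin/sh
# Added triage helper for the symptoms quoted in this thread; not code from the
# thread or from FreeIPA / bind-dyndb-ldap. Assumptions: named logs to
# /var/log/messages in the quoted format, 389-ds logs under /var/log/dirsrv/,
# rpm and ldapsearch available locally.

# Constructed sample of /var/log/messages lines, modelled on the thread's quotes.
SAMPLE_NAMED_LOG=$(cat <<'EOF'
Oct 27 13:01:02 ipa-b2 named[1234]: client 10.0.0.5#14366: received notify for zone '0.0.10.in-addr.arpa': not authoritative
Oct 27 13:01:03 ipa-b2 named[1234]: client 10.0.0.5#14367: received notify for zone 'example.com': not authoritative
Oct 27 13:02:10 ipa-b2 named[1234]: LDAP query timed out. Try to adjust "timeout" parameter
Oct 27 13:02:10 ipa-b2 named[1234]: update_record (psearch) failed, dn 'idnsname=host1,idnsname=example.com.,cn=dns,dc=example,dc=com' change type 0x0. Records can be outdated, run `rndc reload`: not found
Oct 27 13:05:00 ipa-b2 named[1234]: client 10.0.0.5#14368: received notify for zone '0.0.10.in-addr.arpa': not authoritative
Oct 27 13:06:00 ipa-b2 named[1234]: zone example.com/IN: sending notifies (serial 2014102701)
EOF
)

# Zones for which this server refused a NOTIFY because it does not consider
# itself authoritative (first symptom in the thread). Each zone printed once.
not_authoritative_zones() {
    sed -n "s/.*received notify for zone '\([^']*\)': not authoritative.*/\1/p" | sort -u
}

# Number of bind-dyndb-ldap LDAP timeouts (second symptom). With a 60 s default
# timeout, any non-zero count points at the directory server, not at DNS data.
count_ldap_timeouts() {
    grep -c 'LDAP query timed out' || true
}

# DNs whose persistent-search update failed: those records may be stale until
# `rndc reload` or a named restart re-reads them from LDAP.
stale_record_dns() {
    sed -n "s/.*update_record (psearch) failed, dn '\([^']*\)'.*/\1/p"
}

# Succeeds when dig output on stdin carries the "aa" flag, i.e. the queried
# server answered authoritatively. Feed it: dig @server zone SOA +norecurse
answered_authoritatively() {
    grep -q '^;; flags:[^;]* aa[ ;]'
}

# Package versions the thread asks for; skipped where rpm is absent.
report_versions() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bind-dyndb-ldap 389-ds-base 2>&1 || true
    else
        echo "rpm not available; skipping version check"
    fi
}

# Anonymous base-level query with a short time limit. If this stalls while
# named logs timeouts, the fault is in 389-ds rather than in the DNS plugin.
ldap_responds() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not available"; return 2; }
    ldapsearch -x -H "${1:-ldap://localhost}" -l 5 -o nettimeout=5 \
        -s base -b '' namingContexts >/dev/null 2>&1
}

# The directory server's own error log is the first place to look.
recent_dirsrv_errors() {
    for f in /var/log/dirsrv/slapd-*/errors; do
        [ -r "$f" ] && { echo "== $f"; tail -n 20 "$f"; }
    done
    return 0
}

main() {
    echo "Zones refusing NOTIFY as not authoritative:"
    printf '%s\n' "$SAMPLE_NAMED_LOG" | not_authoritative_zones
    echo "LDAP timeouts seen: $(printf '%s\n' "$SAMPLE_NAMED_LOG" | count_ldap_timeouts)"
    echo "Records possibly stale until rndc reload:"
    printf '%s\n' "$SAMPLE_NAMED_LOG" | stale_record_dns
    report_versions
    recent_dirsrv_errors
}

main
```

On a real server replace the constructed SAMPLE_NAMED_LOG with `cat /var/log/messages` and run `ldap_responds ldap://<ipa-server>` while the timeouts are occurring; a server that answers the base query promptly but still logs timeouts narrows the problem to the plugin's searches, which is the point at which filing the bind-dyndb-ldap bug makes sense.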
