[Freeipa-users] SRV (mixed?) records

Petr Spacek pspacek at redhat.com
Thu Nov 10 10:44:47 UTC 2016


On 10.11.2016 11:32, lejeczek wrote:
> 
> 
> On 10/11/16 06:51, Petr Spacek wrote:
>> On 9.11.2016 16:57, lejeczek wrote:
>>>
>>> On 09/11/16 14:35, Martin Basti wrote:
>>>>
>>>> On 09.11.2016 15:33, lejeczek wrote:
>>>>>
>>>>> On 09/11/16 13:48, Martin Basti wrote:
>>>>>>
>>>>>> On 09.11.2016 14:11, lejeczek wrote:
>>>>>>>
>>>>>>> On 09/11/16 12:43, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>>>>>>
>>>>>>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>>>>>>> hi everyone
>>>>>>>>>>> when I look at my domain I see something which seems inconsistent to
>>>>>>>>>>> me (e.g. work5 is not part of the domain, it was --uninstalled).
>>>>>>>>>>> Do these records need fixing?
>>>>>>>>>>> I'm asking because one of the servers, despite the fact that the ipa dns
>>>>>>>>>>> related toolkit (on that server) shows the zone & records, to
>>>>>>>>>>> dig/host/etc. presents nothing, empty responses!??
>>>>>>>>>>>
>>>>>>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>>>>>>    Record name: @
>>>>>>>>>>>    NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>>>>>>>>>               dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos
>>>>>>>>>>>    TXT record: .xx.xx..xx.xx.x
>>>>>>>>>>>
>>>>>>>>>>>    Record name:
>>>>>>>>>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>>>    SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>>>
>>>>>>>>>>>    Record name:
>>>>>>>>>>> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos._tcp.dc._msdcs
>>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _ldap._tcp.dc._msdcs
>>>>>>>>>>>    SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos._udp.dc._msdcs
>>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos._tcp
>>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>>> 88 swir
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos-master._tcp
>>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>>> 88 swir
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kpasswd._tcp
>>>>>>>>>>>    SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
>>>>>>>>>>> 464 whale
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _ldap._tcp
>>>>>>>>>>>    SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
>>>>>>>>>>> 389 rider
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos._udp
>>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>>> 88 swir
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kerberos-master._udp
>>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>>> 88 swir
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _kpasswd._udp
>>>>>>>>>>>    SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
>>>>>>>>>>> 464 whale
>>>>>>>>>>>
>>>>>>>>>>>    Record name: _ntp._udp
>>>>>>>>>>>    SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
>>>>>>>>>>> 100 123 swir
>>>>>>>>>>>
>>>>>>>>>>> thanks.
>>>>>>>>>>> L.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> if server work5 is uninstalled, then work5 SRV records should be
>>>>>>>>>> removed.
>>>>>>>>>>
>>>>>>>>>> Martin
>>>>>>>>> Martin, would you be able to suggest a way to troubleshoot the problem
>>>>>>>>> that one (only) server (rider) seems to present no data for the whole
>>>>>>>>> domain? The remaining servers correctly respond to any queries. One curious
>>>>>>>>> thing is that I $rndc trace 6; and (I see the debug level changed in
>>>>>>>>> journalctl) I do not see anything in the logs when I query.
>>>>>>>>> The zone allows any to query it.
>>>>>>>>>
>>>>>>>>>
>>>>>>>> What dig @rider  command returns for SRV queries?
>>>>>>>>
>>>>>>> don't mind SRV records for now, it returns no record at all, it forwards
>>>>>>> and caches but not for the domain itself.
>>>>>>> On rider (suffice it to say, if I point to another member server the records are there):
>>>>>>>
>>>>>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>>>>>
>>>>>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
>>>>>>> @10.5.6.100
>>>>>>> ;; global options: +cmd
>>>>>>> ;; Sending:
>>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>>>>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>>>>
>>>>>>> ;; OPT PSEUDOSECTION:
>>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>>>
>>>>>>> ;; Got answer:
>>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>>>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>>>>
>>>>>>> ;; OPT PSEUDOSECTION:
>>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>>>
>>>>>>> ;; AUTHORITY SECTION:
>>>>>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
>>>>>>> 1478696070 1800 900 604800 3600
>>>>>>>
>>>>>>> ;; Query time: 5 msec
>>>>>>> ;; SERVER: 10.5.6.100#53(10.5.6.100)
>>>>>>> ;; WHEN: Wed Nov 09 12:56:16 GMT 2016
>>>>>>> ;; MSG SIZE  rcvd: 120
>>>>>>>
>>>>>>> I obfuscated FQDNs but it seems like it forwards to a parent domain (to
>>>>>>> which it's supposed to, by dnsforwardzone).
>>>>>>> And like I mentioned earlier, when I do dnszone-find, etc. (on rider) it's all
>>>>>>> there.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I'm lost now, I don't understand you. You told me that resolving on the
>>>>>> 'rider' server doesn't work, then you write me that it is expected because
>>>>>> you have a forwardzone set, but you cannot have a forwardzone and a master zone
>>>>>> for the same domain, IPA doesn't allow it, so I have no idea what is not
>>>>>> working for you. (You didn't make it easier by obfuscating the output.)
>>>>>>
>>>>>> Martin
>>>>> no no, sorry, I mean it forwards, whereas it should be authoritative for
>>>>> its own FQDN.
>>>>> I realize it is not obvious after I obfuscated the output, but here:
>>>>>
>>>>> ;; AUTHORITY SECTION:
>>>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070
>>>>> 1800 900 604800 3600
>>>>>
>>>>> this looks like the only domain which is a dnsforwardzone, everything else is
>>>>> a dnszone
>>>>>
>>>>> parent.xx.xx. - is the only forward
>>>>> private.my.parent.xx.xx - it is IPA domain & dnszone
>>>>>
>>>>> I query private.my.parent.xx.xx and I get response as above.
>>>> Do you have proper zone delegation from parent zone? NS and A glue records?
>>> no, I don't have any dealings with the "parent" domain, I forward there only so
>>> those queries could go directly to its NSes instead of to the ROOTs.
>>> I do not rely on that "parent"; I call it parent only because
>>> "logistically/visually" it appears as a parent.
>>>> How your named.conf looks?
>>> Exactly the same as on the other three servers (IPA generated), I diffed it,
>>> only these are (respectively) different: fake_mname, sasl_user
>>> I think that one server simply forwards (to that dnsforwardzone) as if it had
>>> no zones of its own, but why?? Would it be in the LDAP?
>> Do you have 'forwarders' statement in your named.conf?
>   forward first;
>   forwarders { };
> 
>>
>> If you have it, we might see a situation where LDAP plugin does not
>> load/connect to LDAP for whatever reason and only the global forwarding works.
>>
>> Alternatively it might be a problem described in
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
>>
> it's a freaking bingo!
> 
> 0 master zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0
> failed to load)
> 0 master zones is suspicious number, please check access control instructions
> on LDAP server
> 
> now, well.. how to fix it?
> 
> $ ipa privilege-show 'DNS Servers' --all --raw
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   cn: DNS Servers
>   description: DNS Servers
>   member:
> krbprincipalname=DNS/swir..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
> 
>   member:
> krbprincipalname=ipa-dnskeysyncd/swir..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
> 
>   member:
> krbprincipalname=DNS/whale..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
> 
>   member:
> krbprincipalname=ipa-dnskeysyncd/whale..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
> 
>   member:
> krbprincipalname=DNS/dzien..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
> 
>   member:
> krbprincipalname=ipa-dnskeysyncd/dzien..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
> 
>   memberof: cn=System: Read DNS
> Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Write DNS
> Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Add DNS
> Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Manage DNSSEC
> keys,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Manage DNSSEC
> metadata,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Read DNS
> Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Remove DNS
> Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   memberof: cn=System: Update DNS
> Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup

This is a non-standard situation, so it asks for non-standard commands.

I would try:
$ ipa privilege-mod 'DNS Servers' \
  --addattr='member=krbprincipalname=DNS/rider..xx.xx..xx.xx.x@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'
$ ipa privilege-mod 'DNS Servers' \
  --addattr='member=krbprincipalname=ipa-dnskeysyncd/rider..xx.xx..xx.xx.x@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'

Be very careful when constructing these DNs, --addattr does not validate the input!

-- 
Petr^2 Spacek
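The two checks this thread boils down to, as an added example that is not code from FreeIPA, bind-dyndb-ldap or anyone in the thread: (1) every active IPA DNS server must have both its DNS/ and ipa-dnskeysyncd/ service principals in the 'DNS Servers' privilege, otherwise the LDAP plugin on that server reads "0 master zones from LDAP" and only global forwarding works; (2) SRV records must not still point at a host that was uninstalled (work5 above). The script parses the text output of `ipa privilege-show 'DNS Servers' --all --raw` and `ipa dnsrecord-find <zone>` from constructed samples embedded below; the realm EXAMPLE.TEST, domain, base DN and host names are placeholders, the `cn=accounts` container is the standard FreeIPA one, and the parser assumes the CLI wraps long values onto the following line exactly as in the output quoted above. Because `--addattr` passes its value through unvalidated, the generated fix commands are only emitted after the DN matches the expected shape.

```python
"""Consistency checks for an IPA-managed DNS deployment (added example)."""
import re
import shlex

REALM = "EXAMPLE.TEST"              # constructed placeholder
DOMAIN = "example.test"             # constructed placeholder
BASE_DN = "dc=example,dc=test"      # constructed placeholder
ACTIVE_SERVERS = ["swir", "whale", "dzien", "rider"]   # work5 was uninstalled
DNS_SERVICES = ("DNS", "ipa-dnskeysyncd")

# Constructed sample of `ipa privilege-show 'DNS Servers' --all --raw`; long
# values are wrapped onto the next line as the CLI does, and 'rider' is missing.
PRIVILEGE_RAW = f"""\
  dn: cn=DNS Servers,cn=privileges,cn=pbac,{BASE_DN}
  cn: DNS Servers
  member:
krbprincipalname=DNS/swir.{DOMAIN}@{REALM},cn=services,cn=accounts,{BASE_DN}
  member:
krbprincipalname=ipa-dnskeysyncd/swir.{DOMAIN}@{REALM},cn=services,cn=accounts,{BASE_DN}
  member:
krbprincipalname=DNS/whale.{DOMAIN}@{REALM},cn=services,cn=accounts,{BASE_DN}
  member:
krbprincipalname=ipa-dnskeysyncd/whale.{DOMAIN}@{REALM},cn=services,cn=accounts,{BASE_DN}
  member:
krbprincipalname=DNS/dzien.{DOMAIN}@{REALM},cn=services,cn=accounts,{BASE_DN}
  member:
krbprincipalname=ipa-dnskeysyncd/dzien.{DOMAIN}@{REALM},cn=services,cn=accounts,{BASE_DN}
  memberof: cn=System: Read DNS
Configuration,cn=permissions,cn=pbac,{BASE_DN}
"""

# Constructed sample of `ipa dnsrecord-find <zone>` with a stale work5 target.
DNSRECORD_RAW = """\
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
389 rider

  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
100 123 swir
"""

FIELD = re.compile(r"^\s*([A-Za-z][\w ]*?):\s?(.*)$")


def fields(raw):
    """(key, value) pairs from ipa CLI output; a line without a 'Key:' prefix
    is a wrapped continuation and is folded back onto the previous value."""
    out = []
    for line in raw.splitlines():
        m = FIELD.match(line)
        if m:
            out.append([m.group(1), m.group(2).strip()])
        elif line.strip() and out:
            out[-1][1] = (out[-1][1] + " " + line.strip()).strip()
    return [(k, v) for k, v in out]


def privilege_members(raw):
    """Member DNs of a privilege, from `ipa privilege-show --raw` output."""
    return {v for k, v in fields(raw) if k == "member"}


def service_dn(service, host):
    """DN of the service principal entry as FreeIPA stores it."""
    return (f"krbprincipalname={service}/{host}.{DOMAIN}@{REALM},"
            f"cn=services,cn=accounts,{BASE_DN}")


def missing_dns_members(raw, servers=ACTIVE_SERVERS):
    """(host, service) pairs whose principal is absent from the privilege."""
    present = privilege_members(raw)
    return [(h, s) for h in servers for s in DNS_SERVICES
            if service_dn(s, h) not in present]


# Expected shape: krbprincipalname=<svc>/<host>@<REALM>, then RDN components.
PRINCIPAL_DN = re.compile(r"^krbprincipalname=[\w.-]+/[\w.-]+@[\w.-]+(,[a-z]+=[^,]+)+$", re.I)


def fix_commands(missing):
    """`ipa privilege-mod` lines for the missing members. --addattr does not
    validate its value, so the DN is checked first and shell-quoted as needed."""
    cmds = []
    for host, service in missing:
        dn = service_dn(service, host)
        if not PRINCIPAL_DN.match(dn):
            raise ValueError(f"refusing to emit malformed DN: {dn}")
        cmds.append("ipa privilege-mod 'DNS Servers' --addattr="
                    + shlex.quote("member=" + dn))
    return cmds


def stale_srv_targets(raw, servers=ACTIVE_SERVERS):
    """{record name: [SRV targets not in servers]} from `ipa dnsrecord-find`."""
    stale, name = {}, None
    for key, value in fields(raw):
        if key == "Record name":
            name = value
        elif key == "SRV record" and name:
            for entry in value.split(","):
                target = entry.split()[-1]        # "priority weight port target"
                if target.rstrip(".").split(".")[0] not in servers:
                    stale.setdefault(name, []).append(target)
    return stale


if __name__ == "__main__":
    missing = missing_dns_members(PRIVILEGE_RAW)
    for host, service in missing:
        print(f"missing from 'DNS Servers' privilege: {service}/{host}")
    for cmd in fix_commands(missing):
        print(cmd)
    for name, targets in stale_srv_targets(DNSRECORD_RAW).items():
        print(f"stale SRV target(s) in {name}: {', '.join(targets)}")
```

On a real server, feed the two functions the captured output of the corresponding `ipa` commands and your list of current IPA servers (`ipa server-find` gives it); an empty result from both checks is what a healthy deployment looks like, and a non-empty `missing_dns_members` result is the thing to look for whenever a replica's named logs "0 master zones from LDAP".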



