[Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Jakub Hrozek jhrozek at redhat.com
Mon Mar 27 19:40:45 UTC 2017


On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:
> Hi,
> 
> Thanks to the dyndns_update=True parameter, the SSSD service on the client machine updates the host DNS entry in FreeIPA.
> Everything is fine on machines which have only one IP address on the network interface.
> I have a problem with machines which have more than one IP address on a network interface: if a machine has two IP addresses, SSSD updates the host DNS entry with these two IP addresses.
> 
> To reproduce the problem:
> Host has -IP1- and I add -IP2-
> ip addr add -IP2-/26 dev em1
> 
> ip addr list:
> em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
>     link/ether xxxx
>     inet -IP1-/26 brd XXXX scope global em1
>     inet -IP2-/26 scope global secondary em1
>        valid_lft forever preferred_lft forever
> 
> DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd, it returns -IP1- & -IP2-
> 
> In the dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates"; what does it mean? Is it the IP address of the DNS server (used to update the DNS entry), or is it the IP address on the client machine used during the LDAP TCP bind (-IP1- in my case)?
> 
> dyndns_update (boolean)
>            Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client.
>            The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise
>            specified by using the “dyndns_iface” option.
> 
> Is it normal behaviour that SSSD adds every IP enabled on the client machine to the host DNS entry?

Looks like this was a deliberate change:
    https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

> Is it possible to configure SSSD to update DNS with only the "primary" IP address in ip addr list, or the one which is used for FreeIPA server communication (-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.
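
An added example, not part of the original thread and not SSSD code: a small audit that compares the addresses a host has published in DNS with the addresses on its interface, flagging secondary addresses that ended up in the host record as described above. The sample `ip addr` text uses constructed documentation-range addresses, and the function names and the `published` list (to be filled from a `dig` lookup of the host name) are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the `ip addr list` output quoted above;
# the addresses are documentation-range values, not taken from the thread.
SAMPLE_IP_ADDR = """\
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1
       valid_lft forever preferred_lft forever
    inet 192.0.2.11/26 scope global secondary em1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5eff:fe00:5301/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^(?:\d+:\s+)?([^:@\s]+)(?:@\S+)?:\s+<")
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+?)/\d+\s.*?scope\s+(\S+)(.*)$")

def parse_ip_addr(text):
    """Return {iface: [(ip, scope, is_secondary), ...]} from `ip addr` output."""
    result, iface = {}, None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            iface = header.group(1)
            result[iface] = []
            continue
        m = ADDR_RE.match(line)
        if m and iface is not None:
            ip = ipaddress.ip_address(m.group(2))
            result[iface].append((ip, m.group(3), "secondary" in m.group(4).split()))
    return result

def audit(ip_addr_text, iface, published):
    """Classify DNS-published addresses against what is configured on iface."""
    addrs = parse_ip_addr(ip_addr_text).get(iface, [])
    primary = {ip for ip, scope, sec in addrs if scope == "global" and not sec}
    secondary = {ip for ip, scope, sec in addrs if scope == "global" and sec}
    pub = {ipaddress.ip_address(p) for p in published}
    return {
        "expected": sorted(map(str, pub & primary)),
        "secondary_published": sorted(map(str, pub & secondary)),
        "not_on_interface": sorted(map(str, pub - primary - secondary)),
        "primary_missing_from_dns": sorted(map(str, primary - pub)),
    }
```

A non-empty `secondary_published` list after an SSSD restart corresponds to the behaviour reported in this thread.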



