#158 update delete and update add are not atomic
Opened 9 years ago by adelton. Modified 7 years ago

Problem

When working on FreeIPA in container (https://github.com/adelton/docker-freeipa), upon every start of the container, it gets a new IP address. So as part of the startup script I run nsupdate to set its IP address to the current value so that it is correctly advertised through DNS.

I run

  update delete $HOSTNAME_FQDN A
  update add $HOSTNAME_FQDN 180 A $MY_IP
  send

but there seems a short window when the record is not there at all.

Steps to Reproduce

  # HOSTNAME_FQDN=$( hostname -f )
  # kdestroy -A
  # kinit -k
  # (
       echo "server 127.0.0.1"
       echo "update delete $HOSTNAME_FQDN A"
       MY_IP=${IPA_SERVER_IP:-$( /sbin/ip addr show | awk '/inet .*global/ { split($2,a,"/"); print a[1]; }' | head -1 )}
       echo "update add $HOSTNAME_FQDN 180 A $MY_IP"
       echo "send"
       echo "quit"
     ) | nsupdate -g ; host $HOSTNAME_FQDN ; sleep 1 ; host $HOSTNAME_FQDN

The output is

   Host ipa.example.test not found: 3(NXDOMAIN)
   ipa.example.test has address 172.17.0.14

I expect even the first host to see the value there.

Environment

  • Plugin version: bind-dyndb-ldap-4.5-1.fc20.x86_64

  • Version of BIND: bind-9.9.4-18.P2.fc20.x86_64

  • Distribution and version (i.e. including updates): Fedora 20 container image

  • Architecture: x86_64

  • Do you use bind-dyndb-ldap as part of FreeIPA installation? yes

  • Include dynamic-db section from configuration file /etc/named.conf:

    dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
        arg "base cn=dns, dc=example,dc=test";
        arg "fake_mname ipa.example.test.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa.example.test";
        arg "serial_autoincrement yes";
    };

  • Do you have some other text-based or DLZ zones configured? No.

  • Do you have some global forwarders configured in BIND configuration file? (Statements forward and forwarders.) Yes.

  • Do you have some settings in global configuration object in LDAP? Please export configuration object to LDIF and attach it to the bug report. N/A


Thank you for the bug report. Unfortunately this is generally not fixable without support for LDAP transactions in the directory server. DNS update should be atomic (RFC 2136 section 3.7, http://tools.ietf.org/html/rfc2136) but currently there is no way to do that.

Related 389 DS ticket: https://fedorahosted.org/389/ticket/581

My hope was that certain operations in certain sequences sent through nsupdate could be put on hold and converted to other ones -- for example, delete A + add A 10.11.12.13 could be internally changed to add A 10.11.12.13 and then delete anything which is not 10.11.12.13.

Another possibility would be to notify bind to reload information only at the end of the nsupdate sequence, not after every change.

(Of course, I have no idea if these are remotely possible from technical point of view, just putting in some thoughts.)

The problem is that this coalescence of mod operations gives you nothing when you modify more than 1 name because these are distinct LDAP objects. Also, every modification to DNS database (I mean the in-memory database used by BIND) has to be accompanied with SOA serial number bump and this is almost always separate LDAP object (unless you modify zone apex).

We certainly can try various tricks to cover specific cases (like records for single owner name) but all these 'tricks' will raise likelihood that LDAP and DNS database will end out of sync and at the same time no number of tricks can cover case where more than 1 LDAP object was modified.

Having said that, I would rather invest time in LDAP transactions and proper fix instead of adding layers of hacks/"newspaper" to cover the underlying deficiency.
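The single-owner-name case discussed above (delete A + add A on one name) can be handled on the client side by reordering the batch: add the new record first, then delete only the stale RDATA. This is an added example, not code from the ticket or from bind-dyndb-ldap; the helper names and the use of dig are assumptions, and the server address and Kerberos (-g) authentication follow the reporter's script.

```shell
#!/bin/sh
# build_update FQDN NEW_IP TTL "OLD_IP [OLD_IP ...]" prints an nsupdate batch
# that adds the new A record BEFORE removing the old ones, so the name never
# goes NXDOMAIN between the two non-atomic LDAP modifications. Each delete
# names its RDATA ("update delete NAME A OLDIP"): a bare "update delete NAME A"
# after the add would wipe the freshly added record as well.
build_update() {
    fqdn=$1; new_ip=$2; ttl=$3; old_ips=$4
    printf 'server 127.0.0.1\n'
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$new_ip"
    for old in $old_ips; do
        # keep the address we just (re-)added; drop only stale ones
        [ "$old" = "$new_ip" ] || printf 'update delete %s A %s\n' "$fqdn" "$old"
    done
    printf 'send\nquit\n'
}

# current_a_records FQDN prints the A records currently published for the name
# (assumes dig is installed; queries the local server like the ticket does)
current_a_records() {
    dig +short "$1" A @127.0.0.1 | tr '\n' ' '
}

# Usage on the addresses from the ticket (constructed old address, not from dig):
#   build_update ipa.example.test 172.17.0.14 180 "172.17.0.13" | nsupdate -g
# Live usage inside the container startup script:
#   build_update "$HOSTNAME_FQDN" "$MY_IP" 180 "$(current_a_records "$HOSTNAME_FQDN")" | nsupdate -g
```

The trade-off is a short window in which both the old and the new address resolve, which is harmless for this use case, whereas the delete-then-add order from the ticket leaves a window with no address at all; as noted in the discussion, this covers only updates to a single owner name.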

Metadata Update from @adelton:
- Issue assigned to someone
- Issue set to the milestone: The Backlog

7 years ago
