When working on FreeIPA in a container (https://github.com/adelton/docker-freeipa), upon every start of the container it gets a new IP address. So as part of the startup script I run nsupdate to set its IP address to the current value so that it is correctly advertised through DNS.
I run

```
update delete $HOSTNAME_FQDN A
update add $HOSTNAME_FQDN 180 A $MY_IP
send
```
but there seems to be a short window when the record is not there at all.
```sh
HOSTNAME_FQDN=$( hostname -f )
kdestroy -A
kinit -k
(
  echo "server 127.0.0.1"
  echo "update delete $HOSTNAME_FQDN A"
  MY_IP=${IPA_SERVER_IP:-$( /sbin/ip addr show | awk '/inet .*global/ { split($2,a,"/"); print a[1]; }' | head -1 )}
  echo "update add $HOSTNAME_FQDN 180 A $MY_IP"
  echo "send"
  echo "quit"
) | nsupdate -g ; host $HOSTNAME_FQDN ; sleep 1 ; host $HOSTNAME_FQDN
```

The output is

```
Host ipa.example.test not found: 3(NXDOMAIN)
ipa.example.test has address 172.17.0.14
```
I expect even the first `host` to see the value there.
Plugin version: bind-dyndb-ldap-4.5-1.fc20.x86_64
Version of BIND: bind-9.9.4-18.P2.fc20.x86_64
Distribution and version (i.e. including updates): Fedora 20 container image
Architecture: x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation? yes
Include dynamic-db section from configuration file /etc/named.conf:
```
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    arg "base cn=dns, dc=example,dc=test";
    arg "fake_mname ipa.example.test.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa.example.test";
    arg "serial_autoincrement yes";
};
```
Do you have some other text based or DLZ zones configured? No.
Do you have some global forwarders configured in BIND configuration file? (Statements forward and forwarders.) Yes.
Do you have some settings in global configuration object in LDAP? Please export configuration object to LDIF and attach it to the bug report. N/A
Thank you for the bug report. Unfortunately this is generally not fixable without support for LDAP transactions in the directory server. DNS update should be atomic (RFC 2136 section 3.7, http://tools.ietf.org/html/rfc2136) but currently there is no way to do that.
Related 389 DS ticket: https://fedorahosted.org/389/ticket/581
My hope was that certain operations in certain sequences sent through nsupdate could be put on hold and converted to other ones -- for example, delete A + add A 10.11.12.13 could be internally changed to add A 10.11.12.13 and then delete anything which is not 10.11.12.13.
Another possibility would be to notify bind to reload information only at the end of the nsupdate sequence, not after every change.
(Of course, I have no idea if these are remotely possible from technical point of view, just putting in some thoughts.)
The problem is that this coalescence of mod operations gives you nothing when you modify more than 1 name because these are distinct LDAP objects. Also, every modification to DNS database (I mean the in-memory database used by BIND) has to be accompanied with SOA serial number bump and this is almost always separate LDAP object (unless you modify zone apex).
We certainly can try various tricks to cover specific cases (like records for a single owner name) but all these 'tricks' will raise the likelihood that the LDAP and DNS databases will end up out of sync, and at the same time no number of tricks can cover the case where more than 1 LDAP object was modified.
Having said that, I would rather invest time in LDAP transactions and proper fix instead of adding layers of hacks/"newspaper" to cover the underlying deficiency.
Fix is going to wait for DS ticket https://fedorahosted.org/389/ticket/581
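An added example, not from the ticket or the bind-dyndb-ldap project, of the client-side variant of the reordering suggested above: the update adds the new A record first and then deletes only the stale addresses, so the name never has zero A records while the individual modifications are applied (the stale address is briefly served alongside the new one instead of an NXDOMAIN). It assumes dig and nsupdate from bind-utils, the server on 127.0.0.1 and a Kerberos ticket for nsupdate -g, as in the reporter's startup script; the function names are the example's own.

```shell
#!/bin/sh
# Added example: "add first, delete stale later" nsupdate sequence.

# Build the nsupdate command script for $1 (FQDN) and $2 (new address).
# $3 is the space-separated list of A records currently published.
# Pure function: it touches no DNS server, so it can be tested offline.
build_update_script() {
    fqdn=$1; new_ip=$2; current=$3
    echo "server 127.0.0.1"
    # Add the new address first so the RRset is never empty.
    echo "update add $fqdn 180 A $new_ip"
    for old in $current; do
        # Delete stale addresses one RR at a time; never "update delete $fqdn A",
        # which would empty the RRset before the add is applied.
        [ "$old" = "$new_ip" ] || echo "update delete $fqdn A $old"
    done
    echo "send"
    echo "quit"
}

# Post-update check: returns 0 if $2 appears in $3 (the output of dig +short).
check_published() {
    fqdn=$1; expected=$2; answer=$3
    for a in $answer; do
        [ "$a" = "$expected" ] && return 0
    done
    echo "$fqdn does not resolve to $expected" >&2
    return 1
}

# Wrapper that talks to the real server; not exercised by the offline test.
update_host_record() {
    fqdn=$1; new_ip=$2
    current=$(dig +short @127.0.0.1 "$fqdn" A | tr '\n' ' ')
    build_update_script "$fqdn" "$new_ip" "$current" | nsupdate -g
    check_published "$fqdn" "$new_ip" "$(dig +short @127.0.0.1 "$fqdn" A)"
}
```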