After creating an AFSDB record with ipa dnsrecord-add, the record does not seem to be resolvable by dig.
;; QUESTION SECTION:
;afsdb.newzone. IN AFSDB
https://bugzilla.redhat.com/show_bug.cgi?id=688765
https://bugzilla.redhat.com/show_bug.cgi?id=750947
An invalid syntax for the AFSDB record was used. RFC 1183 states that AFSDB has the following format:
<owner> <ttl> <class> AFSDB <subtype> <hostname>
The <subtype> field in the AFSDB record was missing. When I added the <subtype> field, the record is correctly resolvable by dig:
$ ipa dnsrecord-add example.com afsdbrec --afsdb-rec="0 interesting.zone.com."
  Record name: afsdbrec
  AFSDB record: 0 interesting.zone.com.

# dig -t AFSDB afsdbrec.example.com

; <<>> DiG 9.7.3-RedHat-9.7.3-1.el6 <<>> -t AFSDB afsdbrec.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;afsdbrec.example.com. IN AFSDB

;; ANSWER SECTION:
afsdbrec.example.com. 86400 IN AFSDB 0 interesting.zone.com.

;; AUTHORITY SECTION:
example.com. 86400 IN NS vm-111.idm.lab.bos.redhat.com.

;; ADDITIONAL SECTION:
vm-111.idm.lab.bos.redhat.com. 86400 IN A 10.16.78.111

;; Query time: 2 msec
;; SERVER: 10.16.78.111#53(10.16.78.111)
;; WHEN: Mon Mar 21 06:11:41 2011
;; MSG SIZE rcvd: 130
Closing the ticket as invalid.
Still waiting for review, pushing to October sprint.
Moving the ticket to the next month iteration.
There was an interesting comment in https://bugzilla.redhat.com/show_bug.cgi?id=750947:
Adam Tkac 2011-11-04 05:09:58 EDT
(In reply to comment #4)
> That's a good question.
>
> Adam, do you think that we could modify bind-dyndb-ldap to ignore the invalid
> DNS record instead of breaking the whole zone? Is it a good idea?

It should be possible to ignore an invalid record with a warning. However I'm not sure this is the right thing. When a user tries to add a bad record, I think he expects an immediate error message, not a run-time error message from named in /var/log/messages...

Currently I see two correct ways how to deal with this:

1. don't modify records directly in LDAP, use the nsupdate utility instead of this. This way you can catch bad records early (named validates each DDNS update sent via nsupdate). Btw I think this is the right way if I think about serving of DNSSEC-signed zones by IPA. If you modify records in LDAP, you must also create/modify their signatures. BIND can do this for us so why not to use it...

2. implement some kind of checking in the ipa utility. In my opinion this is a more painful way than "1.", especially when you think about DNSSEC because you will have to compute & create signatures.
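The earlier comment shows that the record only resolves once the data has the RFC 1183 shape "<subtype> <hostname>", and Adam Tkac's option 2 above is a client-side check in the ipa utility that rejects malformed data before it is written to LDAP (where bind-dyndb-ldap would otherwise fail the whole zone at run time). The following is an added example of such a check, not FreeIPA's own code; the names parse_afsdb, validate_afsdb and AfsdbError are hypothetical, and the sample inputs are constructed from the values in this ticket.

```python
# Added example (not FreeIPA's own code): validate the text form of AFSDB
# record data as defined in RFC 1183, i.e. "<subtype> <hostname>", before it
# is stored. Helper names (parse_afsdb, validate_afsdb, AfsdbError) are
# assumptions made for this example.
import re


class AfsdbError(ValueError):
    """Raised when AFSDB data does not match '<subtype> <hostname>'."""


# One DNS label: letters, digits and hyphens, 1-63 octets, not starting or
# ending with a hyphen (the classic hostname rule; underscores are rejected).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SUBTYPE = re.compile(r"^[0-9]+$")


def _check_hostname(name):
    """Accept an absolute ("host.example.") or relative host name."""
    if not name:
        raise AfsdbError("empty hostname")
    if len(name) > 255:
        raise AfsdbError("hostname too long: %r" % name)
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    if not all(_LABEL.match(lab) for lab in labels):
        raise AfsdbError("invalid hostname %r" % name)
    return name


def parse_afsdb(rdata):
    """Split AFSDB text rdata into (subtype, hostname).

    The bare-hostname form from this ticket ("interesting.zone.com.") is
    rejected here with a clear message, which is what option 2 above asks for.
    """
    parts = rdata.split()
    if len(parts) != 2:
        raise AfsdbError(
            "AFSDB data must be '<subtype> <hostname>', got %r" % rdata)
    subtype, hostname = parts
    if not _SUBTYPE.match(subtype):
        raise AfsdbError("subtype must be a decimal number, got %r" % subtype)
    value = int(subtype)
    if value > 0xFFFF:  # subtype is a 16-bit field on the wire (RFC 1183)
        raise AfsdbError("subtype %d out of range 0-65535" % value)
    return value, _check_hostname(hostname)


def validate_afsdb(rdata):
    """Return None if rdata is acceptable, otherwise the error message.

    Shaped like a pre-submission check a CLI could run before writing to LDAP.
    """
    try:
        parse_afsdb(rdata)
    except AfsdbError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed samples: the working value from the ticket, the value that
    # originally failed (missing subtype), and two other malformed inputs.
    for sample in ("0 interesting.zone.com.", "interesting.zone.com.",
                   "x host.example.", "70000 host.example."):
        print("%-28r -> %s" % (sample, validate_afsdb(sample) or "OK"))
```

Running the block prints OK only for "0 interesting.zone.com."; every other sample produces the immediate, specific error that the comment above argues a user expects, instead of a named error in /var/log/messages.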
master: efc3e2c
Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Core Effort - 2011/11