#3340 ipa-replica-install fails to add idnssoaserial for a new zone
Closed: Fixed None Opened 11 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=894131 (Red Hat Enterprise Linux 6)

Description of problem:

It looks like ipa-replica-install doesn't always properly add idnssoaserial for
new entries.  From testing, I'm seeing a zone get added but it's missing that
data.  At least it's not getting replicated back to the master.

In order to test in my isolated environment, I have to delete the existing
reverse zone because the master and replica are on same virtual network.  And
in test scripts, I can't currently guarantee servers will be on different
networks, so that does the same.

After initial Master install, I see this:

[root@rhel6-1 shared]# ipa dnszone-show 122.168.192.in-addr.arpa.
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel6-1.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1357837632
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

After ipa dnszone-del and ipa-replica-install, I see this:

[root@rhel6-1 log]# ipa dnszone-find
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel6-2.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;


No "SOA serial" option there.  Then, if I try to re-run ipa-replica-prepare,
that's when I see errors that led me here.


Version-Release number of selected component (if applicable):


How reproducible:
always (at least with ipa-replica-install options listed):

Steps to Reproduce:

On Master:
1. setup IPA Master server
2. ipa dnszone-del <reverse zone for replica if it exists>
3. ipa-replica-prepare (with no --ip-address option)

On Replica:
4. sftp replica info gpg file
5. ipa-replica-install -U --setup-dns --no-forwarders -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$s_short.$DOMAIN.gpg

Actual results:
ipa dnszone-show <reverse zone for replica>
does not show SOA serial value.

However, it looks like it was created with one:

The log shows that it should have been added with the idnssoaserial value
though:

2013-01-10T18:42:51Z DEBUG   [2/8]: setting up reverse zone
2013-01-10T18:42:51Z DEBUG raw: dnszone_add(u'122.168.192.in-addr.arpa.', idnssoamname=u'rhel6-2.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com', idnsupdatepolicy=u'grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any', idnsallowtransfer=u'none', force=True, ip_address=None)
2013-01-10T18:42:51Z DEBUG dnszone_add(u'122.168.192.in-addr.arpa.', idnssoamname=u'rhel6-2.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com.', idnssoaserial=1357843371, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy=u'grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any;', idnsallowtransfer=u'none;', force=True, ip_address=None, all=False, raw=False)
2013-01-10T18:42:51Z DEBUG raw: dnsrecord_add(u'122.168.192.in-addr.arpa.', u'@', nsrecord=u'rhel6-2.testrelm.com.', force=True)
2013-01-10T18:42:51Z DEBUG dnsrecord_add(u'122.168.192.in-addr.arpa.', u'@', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, nsrecord=(u'rhel6-2.testrelm.com.',), force=True, structured=False, all=False, raw=False)
2013-01-10T18:42:51Z DEBUG   duration: 0 seconds

And I can see it in ldap on replica:

[root@rhel6-2 shm]# ldapsearch -h $(hostname) -xLLL -D "cn=Directory Manager" -w $ADMINPW -b dc=testrelm,dc=com idnsname=122.168.192.in-addr.arpa.
dn: idnsname=122.168.192.in-addr.arpa.,cn=dns,dc=testrelm,dc=com
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsSOAserial: 1357843373
idnsZoneActive: TRUE
nSRecord: rhel6-2.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsUpdatePolicy: grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa.
 PTR;
idnsAllowQuery: any;
idnsName: 122.168.192.in-addr.arpa.
idnsSOAmName: rhel6-2.testrelm.com.
idnsSOArName: hostmaster.testrelm.com.
idnsAllowDynUpdate: TRUE

but, I cannot see it in ldap on master:
[root@rhel6-1 log]# ldapsearch -h $(hostname) -xLLL -D "cn=Directory Manager" -w $ADMINPW -b dc=testrelm,dc=com idnsname=122.168.192.in-addr.arpa.
dn: idnsname=122.168.192.in-addr.arpa.,cn=dns,dc=testrelm,dc=com
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsZoneActive: TRUE
nSRecord: rhel6-2.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsUpdatePolicy: grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa.
 PTR;
idnsAllowQuery: any;
idnsName: 122.168.192.in-addr.arpa.
idnsSOAmName: rhel6-2.testrelm.com.
idnsSOArName: hostmaster.testrelm.com.
idnsAllowDynUpdate: TRUE

Also, I did confirm that I could reproduce it (at least with those
ipa-replica-install options).  So, I'll go ahead and open a bug now and we can
work from that, I think.


Expected results:

idnssoaserial set properly and synced across all servers.

Additional info:

For the short term this is fixed in bind-dyndb-ldap 2.3
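The check the reporter did by hand above (ldapsearch on each server, then eyeballing whether idnsSOAserial is present) can be automated. The script below is an added example for this ticket, not FreeIPA or bind-dyndb-ldap code: it parses the LDIF that `ldapsearch -LLL` prints for a zone entry, reports every server whose entry lacks idnsSOAserial, and flags servers whose serials disagree. The two LDIF samples are constructed from the master and replica output quoted in this report (re-folded the way LDIF folds long values, with the continuation line starting with one space); the server names, the base DN and the ldapsearch invocation in the docstring are taken from the ticket and are only assumptions about the test environment.

```python
"""Spot-check idnsSOAserial for one DNS zone across IPA servers.

Added example for this ticket, not FreeIPA code.  Feed it the LDIF that
each server returns for the zone entry, e.g. (assumed environment):
  ldapsearch -h <server> -xLLL -D "cn=Directory Manager" -w "$PW" -b dc=testrelm,dc=com "idnsname=122.168.192.in-addr.arpa."
"""
from typing import Dict, List, Optional

# Constructed sample: the master's entry as quoted in the ticket (no serial).
MASTER_LDIF = """\
dn: idnsname=122.168.192.in-addr.arpa.,cn=dns,dc=testrelm,dc=com
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsZoneActive: TRUE
nSRecord: rhel6-2.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsUpdatePolicy: grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa.
  PTR;
idnsAllowQuery: any;
idnsName: 122.168.192.in-addr.arpa.
idnsSOAmName: rhel6-2.testrelm.com.
idnsSOArName: hostmaster.testrelm.com.
idnsAllowDynUpdate: TRUE
"""

# Constructed sample: the replica's entry, identical except it carries the serial.
REPLICA_LDIF = MASTER_LDIF.replace(
    "idnsSOArefresh: 3600\n", "idnsSOArefresh: 3600\nidnsSOAserial: 1357843373\n"
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF (RFC 2849) reader: entries are separated by blank lines,
    attribute names are case-insensitive (stored lowercased), attributes may
    repeat, and a line beginning with one space continues the previous value.
    Base64 ('::') and URL (':<') values do not occur in zone entries and are
    not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]  # folded continuation line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.lstrip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def zone_serials(per_server_ldif: Dict[str, str], zone: str) -> Dict[str, Optional[int]]:
    """Map server -> idnsSOAserial of `zone`, or None when the zone entry
    exists but has no serial (the symptom in this ticket).  A server that
    returned no entry for the zone at all is a different failure and raises."""
    want = zone.lower().rstrip(".")
    result: Dict[str, Optional[int]] = {}
    for server, ldif in per_server_ldif.items():
        entry = next(
            (e for e in parse_ldif(ldif)
             if any(v.lower().rstrip(".") == want for v in e.get("idnsname", []))),
            None,
        )
        if entry is None:
            raise LookupError(f"{server}: no entry for zone {zone}")
        serials = entry.get("idnssoaserial", [])
        result[server] = int(serials[0]) if serials else None
    return result


def check_serial_replicated(per_server_ldif: Dict[str, str], zone: str) -> List[str]:
    """Return findings as text lines; an empty list means every server has
    idnsSOAserial for the zone and all servers agree on its value."""
    serials = zone_serials(per_server_ldif, zone)
    findings = [f"{s}: idnsSOAserial missing for {zone}"
                for s in sorted(serials) if serials[s] is None]
    distinct = {v for v in serials.values() if v is not None}
    if len(distinct) > 1:
        findings.append(f"serial mismatch for {zone}: {serials}")
    return findings


if __name__ == "__main__":
    servers = {"rhel6-1.testrelm.com": MASTER_LDIF, "rhel6-2.testrelm.com": REPLICA_LDIF}
    for finding in check_serial_replicated(servers, "122.168.192.in-addr.arpa.") \
            or ["OK: idnsSOAserial present and consistent on all servers"]:
        print(finding)
```

Run against the two samples it reports only that rhel6-1.testrelm.com lacks the attribute, which is exactly the state shown in the two ldapsearch listings above. A serial mismatch between servers is reported separately from a missing attribute because the two mean different things: the value can lag briefly behind a dynamic update on one server, whereas an absent idnsSOAserial on a zone entry is never a transient replication state.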

Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.0.3 (bug fixing)

7 years ago
