Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect handling of reverse IPv6 update results in update failure #6956

Closed
thalman opened this issue Sep 26, 2023 · 1 comment
Closed

Incorrect handling of reverse IPv6 update results in update failure #6956

thalman opened this issue Sep 26, 2023 · 1 comment
Labels
Closed: Fixed Issue was closed as fixed. Future work

Comments

@thalman
Copy link
Contributor

thalman commented Sep 26, 2023

This issue is cloned from: https://issues.redhat.com/browse/RHEL-4146

What were you trying to do that didn't work?

I've enabled dyndns_update_ptr in IPA domain. However I noticed that reverse is either not updated or only one address is updated, the other is not.
Please provide the package NVR for which bug is seen:

sssd-2.8.2-3.el9_2.alma.x86_64
sssd-ipa-2.8.2-3.el9_2.alma.x86_64

How reproducible:

Always (even by hand, outside sssd, see below).
Steps to reproduce

  • Enable dyndns_update_ptr in sssd IPA domain and configure whatever is necessary for updates to work (DNS zone, kerberos and so on).

  • Make sure the interface towards IPA server has at least TWO IPv6 addresses, in DIFFERENT zones.

  • Clear the record for the client from DNS.

  • Restart sssd.

  • See the error in /var/log/sssd_.log about failed DNS update:

    [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
    [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed

Expected results

The update is performed.

Actual results

The update failed as shown above.

Additional information

As seen in version information - this was found on AlmaLinux 9.2 but is very easy to reproduce with nsupdate.

The log reveals the following script used with nsupdate:

update delete 204.48.168.192.in-addr.arpa. in PTR
update add 204.48.168.192.in-addr.arpa. 1200 in PTR vesemir.jot23.net. 
send 
update delete f.2.8.e.1.2.3.6.5.f.e.2.b.c.4.9.0.0.0.3.1.9.9.1.5.0.0.a.6.0.a.2.ip6.arpa. in PTR 
update add f.2.8.e.1.2.3.6.5.f.e.2.b.c.4.9.0.0.0.3.1.9.9.1.5.0.0.a.6.0.a.2.ip6.arpa. 1200 in PTR vesemir.jot23.net. 
update delete c.3.9.1.a.8.e.a.c.c.a.3.1.2.5.8.0.0.0.3.1.a.e.2.f.e.d.f.d.d.d.f.ip6.arpa. in PTR 
update add c.3.9.1.a.8.e.a.c.c.a.3.1.2.5.8.0.0.0.3.1.a.e.2.f.e.d.f.d.d.d.f.ip6.arpa. 1200 in PTR vesemir.jot23.net. 
send

The problem with that is that it packs 4 updates (2 deletes & 2 additions for 2 names) destined for two distinct DNS zones into single update message. My understanding is that this is not supported especially that they can be on distinct nameservers (incidentally they are not).

Splitting the above script between two reverse zones allows update to proceed.

I believe each reverse update should be handled by separate message unless all addresses can be proven to reside in single DNS zone.
thalman added a commit to thalman/sssd that referenced this issue Sep 26, 2023
@thalman
dyndns: PTR record updates separetely
291f489 
DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.

It is complicated and in some cases impossible to detect that
PTR updates does not fit into one zone because it often depends
on DNS server configuration.

With this patch PTR record updates are always sent separately.

Resolves: SSSD#6956
@thalman thalman mentioned this issue Sep 26, 2023
Closed
thalman added a commit to thalman/sssd that referenced this issue Sep 26, 2023
@thalman
dyndns: PTR record updates separately
44a147a 
DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.

It is complicated and in some cases impossible to detect that
PTR updates does not fit into one zone because it often depends
on DNS server configuration.

With this patch PTR record updates are always sent separately.

Resolves: SSSD#6956
pbrezina pushed a commit that referenced this issue Oct 18, 2023
@thalman @pbrezina
dyndns: PTR record updates separately
a48c744 
DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.

It is complicated and in some cases impossible to detect that
PTR updates does not fit into one zone because it often depends
on DNS server configuration.

With this patch PTR record updates are always sent separately.

Resolves: #6956

Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit f0bba9d)
@pbrezina
Copy link
Member

Pushed PR: #6957

  • master
    • f0bba9d - dyndns: PTR record updates separately
  • sssd-2-9
    • a48c744 - dyndns: PTR record updates separately

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Oct 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Closed: Fixed Issue was closed as fixed. Future work
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

dyndns: PTR record updates separately thalman/sssd
3 participants
@thalman @andreboscatto @pbrezina