Incorrect handling of reverse IPv6 update results in update failure #6956
thalman added a commit to thalman/sssd that referenced this issue Sep 26, 2023
DNS server does not allow updates for different zones in one single step. Those updates must be sent separately. It is complicated and in some cases impossible to detect that PTR updates do not fit into one zone because it often depends on DNS server configuration. With this patch PTR record updates are always sent separately.
Resolves: SSSD#6956
pbrezina pushed a commit that referenced this issue Oct 18, 2023
DNS server does not allow updates for different zones in one single step. Those updates must be sent separately. It is complicated and in some cases impossible to detect that PTR updates do not fit into one zone because it often depends on DNS server configuration. With this patch PTR record updates are always sent separately.
Resolves: #6956
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit f0bba9d)
This issue is cloned from: https://issues.redhat.com/browse/RHEL-4146
What were you trying to do that didn't work?
I've enabled dyndns_update_ptr in the IPA domain. However, I noticed that the reverse is either not updated or only one address is updated and the other is not.
Please provide the package NVR for which bug is seen:
sssd-2.8.2-3.el9_2.alma.x86_64
sssd-ipa-2.8.2-3.el9_2.alma.x86_64
How reproducible:
Always (even by hand, outside sssd, see below).
Steps to reproduce
Enable dyndns_update_ptr in the sssd IPA domain and configure whatever is necessary for updates to work (DNS zone, kerberos and so on).
Make sure the interface towards the IPA server has at least TWO IPv6 addresses, in DIFFERENT zones.
Clear the record for the client from DNS.
Restart sssd.
See the error in /var/log/sssd_.log about failed DNS update:
[nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
[be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
Expected results
The update is performed.
Actual results
The update failed as shown above.
Additional information
As seen in version information - this was found on AlmaLinux 9.2 but is very easy to reproduce with nsupdate.
The log reveals the following script used with nsupdate:
The problem with that is that it packs 4 updates (2 deletes & 2 additions for 2 names) destined for two distinct DNS zones into a single update message. My understanding is that this is not supported, especially since they can be on distinct nameservers (incidentally they are not).
Splitting the above script between two reverse zones allows the update to proceed.
I believe each reverse update should be handled by a separate message unless all addresses can be proven to reside in a single DNS zone.
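The packed and split forms described in this issue, as an added example that is not SSSD's code: it builds nsupdate input for the PTR records of two addresses, once as a single message and once with one `send` per record, which is the behaviour the referenced commit describes. The host name, the addresses (documentation prefix) and the TTL are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress


def ptr_commands(fqdn, address, ttl):
    """nsupdate commands that replace the PTR record for one address."""
    name = ipaddress.ip_address(address).reverse_pointer + "."
    target = fqdn.rstrip(".") + "."
    return [f"update delete {name} in PTR",
            f"update add {name} {ttl} in PTR {target}"]


def ptr_script(fqdn, addresses, ttl=1200, split=True):
    """Build nsupdate input. split=True ends every PTR update with its own
    'send', so no message can span two reverse zones. split=False packs all
    updates into one message, the form that failed in this issue."""
    # Normalise spellings so the same address is not updated twice.
    unique = dict.fromkeys(ipaddress.ip_address(a).compressed for a in addresses)
    lines = []
    for addr in unique:
        lines += ptr_commands(fqdn, addr, ttl)
        if split:
            lines.append("send")
    if not split and lines:
        lines.append("send")
    return "\n".join(lines) + "\n"


def messages(script):
    """Group nsupdate input into the update messages it would send."""
    out, current = [], []
    for line in script.splitlines():
        if line == "send":
            out.append(current)
            current = []
        elif line:
            current.append(line)
    return out


if __name__ == "__main__":
    host = "client.example.test"                  # constructed host name
    addrs = ["2001:db8:1::10", "2001:db8:2::10"]  # constructed addresses
    packed = ptr_script(host, addrs, split=False)
    print("packed:", [len(m) for m in messages(packed)], "updates per message")
    print(ptr_script(host, addrs), end="")
```

The split output can be fed to nsupdate on standard input in place of the packed script to compare server responses.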