Wipe the ipa-ca DNS record when updating system records #6358
Conversation
Force-pushed 385c28b to 37ee85b.
Force-pushed 461cb38 to 6a1e69b.
I have lint fixes in my local tree. Waiting on CI to finish before pushing again.
Force-pushed 53b7de2 to 23c3d7c.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Force-pushed 23c3d7c to 528dcca.
rebase
This issue has been automatically closed as stale because it has not had recent activity.
@rcritten, I'm really sorry, I will try to look at this PR next week unless somebody else would.
I've checked locally the case described in the ticket. Proposed patch fixed the issue. |
The reproducer (test case) can be very tricky. |
Yeah, the DNS thing is mind boggling to me but then again I'm all thumbs when it comes to DNS. I can un-revert the patch but the last time I did that CI failed. When I reproduced it locally I didn't test an external site but it definitely wouldn't resolve ones added to IPA.
Dropping the revert nss patch, let's see what happens.
Right. So the nss lookup fails to find the newly added IPv6 address. Bug in bind? Some cache somewhere? |
Force-pushed e902f52 to f96ca9e.
So IPv6 does work against google.com but not against the local DNS server when using nss. dig works fine. At this point in the log the temporary IPv6 address has been added and it's resolvable using dig:

RUN ['dig', '+short', '-t', 'A', 'replica0.ipa.test.']
RUN ['dig', '+short', '-t', 'AAAA', 'replica0.ipa.test.']

Google lookup works:

RUN ['python3', '-c', 'from ipaserver.install.installutils import resolve_rrsets_nss; print(resolve_rrsets_nss("google.com"))']

But nss lookup only returns A records:

RUN ['python3', '-c', 'from ipaserver.install.installutils import resolve_rrsets_nss; print(resolve_rrsets_nss("replica0.ipa.test"))']
When https://linux.die.net/man/1/dig:
In this test run this config points
That dns server is
That's expected result. When
Note: maybe it's good idea to collect that resolved config file in tests. When
So, in any case the query :
goes to local
Note: actually only The source of answer for querying "replica0.ipa.test" is
That's expected result.
I dropped systemd-resolved for this test because it too was doing odd things, probably also related to /etc/hosts. I don't believe we've ever had the requirement that all possible hostname/IPs be in /etc/hosts. |
Another point. The new IP is added for the replica and the lookups done on the master. The whole point is to test that dns-update-system-records reflects the correct set of DNS records so relying on nss in any way seems wrong. The purpose of the patch switching to nss was to include hostnames in the ipa-ca DNS name that are not resolvable in DNS. I fail to see the use-case for adding DNS records for non-resolvable hosts except for small, isolated installations. |
I dropped the test altogether. It won't work in a real IPv6 environment. The "host" ip contains only the IPv4 address so we have nothing to compare it against. I think this is doable eventually but manual testing is sufficient for now.
Force-pushed 2e7167a to 337e96c.
LGTM. @rcritten could you remove the temp_commit?
If a server with a CA has been marked as hidden and contains the last A or AAAA address then that address would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete values, it just re-computed them. So if no A or AAAA records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
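To make the failure mode in the description concrete, here is an added illustration (not FreeIPA's code, and not the real update-dns-system-records implementation) that models the two update strategies over a constructed topology. The server names, the documentation-range addresses (192.0.2.x, 2001:db8::) and the zone dictionary are all assumptions; the only thing taken from the page is the semantics: a recompute-and-add updater keeps the old value when the recomputed set is empty, whereas a wipe-then-set updater removes it.

```python
"""Illustration (added example, not FreeIPA code) of why the ipa-ca record
went stale: an updater that only re-computes and writes non-empty values
never removes the last address once the server carrying it is hidden."""
from dataclasses import dataclass, field


@dataclass
class Server:
    hostname: str
    ca: bool
    hidden: bool = False
    a: list = field(default_factory=list)      # IPv4 addresses (constructed)
    aaaa: list = field(default_factory=list)   # IPv6 addresses (constructed)


def desired_ipa_ca_rrsets(servers):
    """Addresses ipa-ca should point at right now: every enabled
    (non-hidden) server that runs a CA."""
    a, aaaa = set(), set()
    for s in servers:
        if s.ca and not s.hidden:
            a.update(s.a)
            aaaa.update(s.aaaa)
    return {"A": a, "AAAA": aaaa}


def update_merge_only(zone, servers):
    """'Before' behaviour as the ticket describes it: the record is
    re-computed and written, but an empty result leaves the existing
    value in place, so the last address of a hidden server survives."""
    rec = zone.setdefault("ipa-ca", {"A": set(), "AAAA": set()})
    for rtype, values in desired_ipa_ca_rrsets(servers).items():
        if values:
            rec[rtype] = set(values)
    return zone


def update_wipe_then_set(zone, servers):
    """'After' behaviour: the ipa-ca entry is replaced wholesale by the
    recomputed set, so an empty set actually deletes stale addresses."""
    zone["ipa-ca"] = desired_ipa_ca_rrsets(servers)
    return zone


def scenario(updater):
    """Constructed topology: replica0 is the only CA server with an IPv6
    address. Hide it and run the updater again; return the ipa-ca record."""
    servers = [
        Server("master.ipa.test", ca=True, a=["192.0.2.10"]),
        Server("replica0.ipa.test", ca=True,
               a=["192.0.2.11"], aaaa=["2001:db8::11"]),
    ]
    zone = updater({}, servers)          # initial records, both servers enabled
    servers[1].hidden = True             # replica0 becomes a hidden replica
    zone = updater(zone, servers)        # re-run the system-records update
    return zone["ipa-ca"]


if __name__ == "__main__":
    print("merge-only :", scenario(update_merge_only))
    print("wipe+set   :", scenario(update_wipe_then_set))
```

With the merge-only updater the AAAA value 2001:db8::11 stays in ipa-ca after replica0 is hidden; with the wipe-then-set updater the AAAA set is empty and only the master's A record remains, which is the behaviour the fix aims for.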
tests are green, adding ack |
master:
Wipe the ipa-ca DNS record when updating system records