#3829 SSSD does not batch DDNS update requests
Opened a month ago by chrismaz. Modified 19 hours ago

During an investigation of DDNS registration failures we found that SSSD includes a 'send' command in between each record modification and does not batch DDNS update requests. This is problematic in complex AD environments because those requests may not be processed by the same server. By suppressing the 'send' commands SSSD gives to nsupdate we can force the entire delete/add request into a single packet which is always processed by a single server. Packet captures from Windows devices show that their delete and update requests are always sent within a single packet. If these requests are sent as separate sessions/packets as with SSSD then we may see a situation where an upstream service successfully processes the delete but drops the add request resulting in no resolvable record.

The gist is that nsupdate should receive this from SSSD when updating A/AAAA records:

update delete A ...
update delete AAAA ...
update add ...

Instead of:

update delete A ...
update delete AAAA ...
update add ...

Similar changes would be needed for PTRs as well.


This started as a private e-mail thread between the reporter and some current or previous SSSD developers. Since the little archeology exercise I did is not anything private, let me also paste it here.

We used to issue a single transaction (so, a single send) until commit

Its commit message says:
Separate transaction for A and AAAA addresses updates are important
because server might block updates for one of these families and thus
the update even for the non-blocked address family would unnecessarily

But I also don't like the additional churn this would take. We offer the
possibility to restrict the address family, so if you find out that DNS
updates are failing because the DNS server doesn't allow updating either
of the address families, you can configure that out.

Alternatively, we could use the per-family grouping as a fallback.

Embarrassingly enough it was me who reviewed a741d0c but I'm afraid I don't remember anything about that change in behaviour anymore. FWIW, the commit also links to a ticket which is referenced by https://docs.pagure.org/SSSD.sssd/design_pages/ddns_messages_update.html but I don't really see any explanation about this change either.

There was a valid reason we did the split-transaction, actually. In AD environments, when updating one address family is not permitted, the whole update would fail.

So I would prefer to make this configurable, so that if you need to do the update in a single transaction, you could select so in the config file.

And/or, if the DNS resolution is restricted to ipv4_only or ipv6_only, then we should only update that address family. I think we might already do that, but I'm not totally sure.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

a month ago

Metadata Update from @thalman:
- Issue assigned to thalman

19 hours ago

Login to comment on this ticket.