https://bugzilla.redhat.com/show_bug.cgi?id=804619 (Red Hat Enterprise Linux 6)
Description of problem:
Zone serial number is not incremented after adding DNS record. (Same problem probably occurs with all DNS operations.)

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64
bind-9.7.3-8.P3.el6.x86_64
bind-dyndb-ldap-0.2.0-7.el6.x86_64

How reproducible:
Add any DNS record and watch DNS zone serial number.

Steps to Reproduce:
1. ipa dnszone-show localnet
2. ipa dnsrecord-add localnet test3 --a-rec=1.2.3.4
3. ipa dnszone-show localnet

Actual results:
# ipa dnszone-show localnet
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
# ipa dnsrecord-add localnet test3 --a-rec=1.2.3.4
  Record name: test3
  A record: 1.2.3.4
# ipa dnszone-show localnet
  Zone name: localnet
  Authoritative nameserver: el621.localnet.
  Administrator e-mail address: root.el621.localnet.
  SOA serial: 2012190301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

Expected results:
"SOA serial" value was incremented.

Additional info:
BIND LDAP plugin only reads the value from LDAP. SOA serial # change has to be handled in UI (or via dirsrv plugin?).
This may need a DS plugin to be handled properly. Whoever takes this bug up please talk with me first.
The discussion about possible approaches for this issue is on freeipa-devel list in this thread:
http://www.redhat.com/archives/freeipa-devel/2012-April/msg00222.html
So far, this appears to be the target solution (excerpt from pspacek e-mail):
Each DNS server will maintain its own serial number value independently from other servers.
Pros: Should be simpler to implement; no DS plugin required.
Cons: Slave DNS servers cannot fall-back to other masters, because of SOA serial inconsistency.
Very basic implementation:
1) Do not replicate idnsSoaSerial attribute
2) Use persistent search to watch for incoming changes
3) After each change increment "local" SOA serial number (and write it to LDAP - to survive DNS server restart)
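The three-step sketch above, as a runnable toy model. This is an added example and not FreeIPA or bind-dyndb-ldap code: a dict stands in for the server's own copy of the LDAP zone entry (the attribute name idnsSoaSerial is taken from the excerpt), a list of dicts stands in for persistent-search notifications, and ZONE_DN is a constructed DN. It also carries the "Cons" case through: two masters bumping independent serials, checked with the RFC 1982 comparison a slave applies before deciding whether to transfer.

```python
"""Toy model of the per-server SOA serial scheme from the excerpt above.

Added example, not FreeIPA or bind-dyndb-ldap code. A dict stands in for
the LDAP zone entry (attribute name idnsSoaSerial, as in the excerpt),
a list of dicts stands in for persistent-search notifications, and
ZONE_DN is a constructed DN.
"""

SERIAL_MOD = 2 ** 32   # SOA serial is a 32-bit unsigned value (RFC 1035)
HALF = 2 ** 31
ZONE_DN = "idnsname=localnet,cn=dns,dc=example,dc=test"   # constructed


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True when `a` is newer than `b`.

    This is the comparison a slave makes between its own SOA serial and the
    one a master advertises before deciding whether to transfer the zone.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


class LocalSerialTracker:
    """One DNS server's private serial counter (step 1: not replicated).

    The counter is written back to the server's own LDAP copy after every
    change so that it survives a restart (step 3).
    """

    def __init__(self, ldap_store, zone_dn):
        self.ldap = ldap_store
        self.zone_dn = zone_dn
        entry = ldap_store.setdefault(zone_dn, {})
        self.serial = int(entry.get("idnsSoaSerial", 0))

    def on_change(self, change):
        """Called for each persistent-search notification (step 2)."""
        self.serial = (self.serial + 1) % SERIAL_MOD   # wraps 2**32-1 -> 0
        self.ldap[self.zone_dn]["idnsSoaSerial"] = str(self.serial)
        return self.serial


def replay(ldap_store, changes):
    """Feed a batch of notifications through a fresh tracker; return final serial."""
    tracker = LocalSerialTracker(ldap_store, ZONE_DN)
    for change in changes:
        tracker.on_change(change)
    return tracker.serial


# Constructed notifications: the record add from the ticket's reproduction steps.
CHANGES = [
    {"op": "add", "dn": "idnsname=test3," + ZONE_DN, "aRecord": ["1.2.3.4"]},
]


def restart_demo():
    """Serial persists across a simulated server restart."""
    store = {ZONE_DN: {"idnsSoaSerial": "2012190301"}}
    first = replay(store, CHANGES)                       # 2012190302
    second = LocalSerialTracker(store, ZONE_DN).serial   # "restart": re-read from LDAP
    return first, second


def two_master_demo():
    """The 'Cons' case: two masters bump independent serials for the same change."""
    store_a = {ZONE_DN: {"idnsSoaSerial": "2012190301"}}   # long-running master
    store_b = {ZONE_DN: {"idnsSoaSerial": "0"}}            # freshly installed master
    serial_a = replay(store_a, CHANGES)
    serial_b = replay(store_b, CHANGES)
    # A slave that last transferred from A and now asks B sees an older serial
    # and will not refresh, although B serves the same records.
    slave_refreshes_from_b = serial_gt(serial_b, serial_a)
    return serial_a, serial_b, slave_refreshes_from_b


if __name__ == "__main__":
    print(restart_demo())
    print(two_master_demo())
```

Running it shows the restart case resuming at the persisted serial, and the two-master case returning False for the slave's refresh decision: the same record add produced 2012190302 on one master and 1 on the other, so a slave that switches masters would keep stale data until the second master's counter catches up.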
Related to bind-dyndb-ldap ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/67
Moving to next month iteration.
bind-dyndb-ldap changes we depend on are not ready yet, moving to the Beta 2 milestone.
attachment freeipa-mkosek-281-enable-soa-serial-autoincrement.patch
Patch freeipa-mkosek-281-enable-soa-serial-autoincrement.patch sent for review
master: 9d69db8
IPA now supports all required configuration of named.conf and replication agreement. All that's left to close this ticket should be to just bump minimum bind-dyndb-ldap version in a spec file.
Installing ipa-server with "--no-serial-autoincrement" option still sets "arg "serial_autoincrement yes";" in /etc/named.conf.
Version: freeipa-server-2.99.0-0.20120713T1418Zgitc20d4c7.fc17.x86_64
Observed following behaviour with build freeipa-server-2.99.0-0.20120713T1418Zgitc20d4c7.fc17.x86_64

Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
named service failed to start
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files

Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

[root@f17-ipa1 ~]# cat /etc/named.conf
options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    forward first;
    forwarders { 10.14.63.12; };
    // Any host is permitted to issue recursive queries
    allow-recursion { any; };
    tkey-gssapi-credential "DNS/f17-ipa1.testrelm.com";
    tkey-domain "TESTRELM.COM";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity debug 10;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket";
    arg "base cn=dns, dc=testrelm,dc=com";
    arg "fake_mname f17-ipa1.testrelm.com.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/f17-ipa1.testrelm.com";
    arg "zone_refresh 0";
    arg "psearch yes";
    arg "serial_autoincrement yes";
};
[root@f17-ipa1 ~]#
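A small checker for the mismatch reported in the two comments above (installer given --no-serial-autoincrement, named.conf still carrying serial_autoincrement yes). This is an added example and not part of the ticket or of FreeIPA's installer: the named.conf excerpt inside is constructed to mirror the dynamic-db stanza pasted above, the parser only understands that stanza's `arg "<key> <value>";` form, and the rule that serial_autoincrement needs psearch is an assumption based on my reading of the bind-dyndb-ldap documentation rather than anything stated on this page.

```python
import re

# Constructed excerpt mirroring the dynamic-db stanza pasted in the ticket.
SAMPLE_NAMED_CONF = '''
include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket";
    arg "base cn=dns, dc=testrelm,dc=com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "zone_refresh 0";
    arg "psearch yes";
    arg "serial_autoincrement yes";
};
'''

# A dynamic-db stanza: a quoted name, then a brace-delimited body ending in "};".
STANZA_RE = re.compile(r'dynamic-db\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\};', re.S)
# Each plugin option is `arg "<key> <value>";` with key and value inside one pair of quotes.
ARG_RE = re.compile(r'arg\s+"(?P<key>\S+)\s+(?P<value>[^"]*)"\s*;')


def parse_dynamic_db(conf):
    """Return {stanza name: {arg key: arg value}} for every dynamic-db block."""
    stanzas = {}
    for m in STANZA_RE.finditer(conf):
        stanzas[m.group("name")] = {
            a.group("key"): a.group("value").strip()
            for a in ARG_RE.finditer(m.group("body"))
        }
    return stanzas


def expected_autoincrement(no_serial_autoincrement):
    """What the installer should write given its --no-serial-autoincrement flag."""
    return "no" if no_serial_autoincrement else "yes"


def check_installer_result(conf, no_serial_autoincrement):
    """Compare the flag the installer was given with what landed in named.conf.

    Returns a list of human-readable problems; an empty list means the file
    matches the requested configuration.
    """
    problems = []
    ipa = parse_dynamic_db(conf).get("ipa")
    if ipa is None:
        return ['no dynamic-db "ipa" stanza found']
    want = expected_autoincrement(no_serial_autoincrement)
    got = ipa.get("serial_autoincrement", "no")   # assumed plugin default: off
    if got != want:
        problems.append("serial_autoincrement is %r, expected %r" % (got, want))
    # Assumption: the plugin only increments serials when persistent search is on.
    if got == "yes" and ipa.get("psearch") != "yes":
        problems.append("serial_autoincrement yes requires psearch yes")
    return problems


if __name__ == "__main__":
    # Reproduces the report: flag given, file still says yes.
    print(check_installer_result(SAMPLE_NAMED_CONF, no_serial_autoincrement=True))
```

On a real host the same check would read /etc/named.conf after running the installer with and without the flag; the parser deliberately ignores `library "ldap.so";` and anything outside the dynamic-db block so it is not thrown off by the rest of the file.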
shanks, pushed a fix under the one-liner rule. It was always being set to True:
master: 67dbde0
ksiddiqu, this isn't enough to go on and named not starting is not necessarily related to this patch.
Pushed patch that updates minimum_connections properly.
master: e578183
bind-dyndb-ldap with support for serial_autoincrement has been released to rawhide - future F18.
master: 8c7556d
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 Beta 2