#3681 [RFE] Check if IPA domain doesn't exist prior installation with --setup-dns
Closed: Fixed None Opened 5 years ago by pspacek.

A very frequent problem is that a user installs IPA with integrated DNS under a domain name which is already managed by another DNS server. This scenario creates a split-brain problem and results in various odd problems with DNS resolution.

The server installer should check this condition and throw an error (or at least a warning).

Typical situation

  • Company domain: example.com (domain is managed by AD or any other non-IPA DNS server)
  • IPA server name: ipa1.example.com
  • IPA default domain name: example.com
  • Result: Split-brain and broken DNS resolution.

Proposed check

Query NS records for the IPA domain (example.com in the example above) and throw an error if any NS records exist and do not point to the IPA server.

E.g. an error should be raised if the following DNS record exists:
example.com 3600 IN NS ad1.example.com. (because ad1.example.com. != ipa1.example.com.)

The --force switch should allow the installation to continue (for special cases, hidden DNS master?).

As Ana is moving out of the team, I am moving her unresolved tickets to the free-to-take pool.

Moving to NEEDS_TRIAGE because this is one of the most frequent problems faced by users.

We should add a check to ipa-server-install which, if the domain is detected, would produce a WARNING in the interactive wizard plus a yes/no question. The warning should also be in the installation log.

This check is especially important when DNSSEC is in play as it could produce very confusing results otherwise.

I would like to propose this ticket for 'main' 4.2 milestone (i.e. the one with priority higher than 'Backlog').

Replying to [comment:8 pspacek]:

I would like to propose this ticket for 'main' 4.2 milestone (i.e. the one with priority higher than 'Backlog').

Is this change testable with the upstream tests? What would it take to implement upstream tests for this and similar issues?

It is extremely easy if we assume that upstream tests are running in an environment connected to the public Internet: we can use the constant example.com. as the domain name. It is (almost) guaranteed to exist, so the check should always fail.

In other cases it should also be relatively easy; we just need to find an existing parent domain. E.g. we are testing IPA domain installation on a server with the host name my.servers.redhat.com..

Now we can naively try to climb up the DNS tree and search for DNS domains:

  • servers.redhat.com.
  • redhat.com.
  • com.

... and use the first domain which exists.

The (original) description for #4706 also suggested that the same check could be available for ipa dnszone-add situations, not just for the initial server installation/configuration.

During processing of the remaining tickets in the 4.2 Backlog, this ticket was found suitable to be fixed in the nearest bugfixing branch, which is 4.2.x.

While we are at it, it should be trivial to test the existence of _kerberos._udp, _kerberos, _ldap._tcp and similar domain names under the new IPA domain. That should easily uncover that AD or another IPA already manages that particular domain.
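The three checks discussed in this ticket (the NS check from the proposal, the parent-domain climb from the testing discussion, and the SRV probe from the comment above) as one added example; this is not FreeIPA's code, and the lookup callable, the in-memory DNS table and all names in it are constructed so the example runs offline:

```python
# Illustrative pre-install DNS check, not FreeIPA's code. lookup(name, rrtype)
# returns NS/SRV target names or raises KeyError for NXDOMAIN; a constructed
# in-memory table stands in for the real resolver so this runs offline.
FAKE_DNS = {  # constructed: example.com is served by AD, ipa.test by IPA itself
    ("example.com.", "NS"): ["ad1.example.com."],
    ("_ldap._tcp.example.com.", "SRV"): ["ad1.example.com."],
    ("_kerberos._udp.example.com.", "SRV"): ["ad1.example.com."],
    ("ipa.test.", "NS"): ["ipa1.ipa.test."],
    ("redhat.com.", "NS"): ["ns1.redhat.com."],
}
def fake_lookup(name, rrtype):
    return FAKE_DNS[(name, rrtype)]  # a missing key raises KeyError: NXDOMAIN

def lookup_or_empty(lookup, name, rrtype):
    """NXDOMAIN and NODATA both mean there is nothing to conflict with."""
    try:
        return lookup(name, rrtype)
    except KeyError:
        return []

def normalize(name):
    """Absolute lower-case form, so 'IPA1.example.com' == 'ipa1.example.com.'."""
    return name.lower().rstrip(".") + "."

def parent_domains(fqdn):
    """Ancestors of a host name, nearest first: a.b.c. -> [b.c., c.]."""
    labels = normalize(fqdn).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]

def find_existing_domain(fqdn, lookup):
    """Naive climb up the DNS tree: the first ancestor that has NS records."""
    for dom in parent_domains(fqdn):
        if lookup_or_empty(lookup, dom, "NS"):
            return dom
    return None

SRV_PROBES = ("_kerberos._udp", "_kerberos._tcp", "_ldap._tcp")  # AD/IPA publish these
def domain_conflicts(domain, ipa_host, lookup):
    """Reasons the domain already looks managed elsewhere; [] means clear."""
    domain, ipa_host = normalize(domain), normalize(ipa_host)
    problems = []
    foreign = [normalize(ns) for ns in lookup_or_empty(lookup, domain, "NS")
               if normalize(ns) != ipa_host]  # NS records not pointing at IPA
    if foreign:
        problems.append("NS for %s points to %s" % (domain, ", ".join(foreign)))
    for prefix in SRV_PROBES:
        targets = lookup_or_empty(lookup, "%s.%s" % (prefix, domain), "SRV")
        if targets:
            problems.append("%s.%s exists (%s)" % (prefix, domain, ", ".join(targets)))
    return problems
```

An installer would call domain_conflicts() with its real resolver and refuse to proceed (absent --force) when the list is non-empty.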

FreeIPA 4.2.1 was released, moving to 4.2.x.

  • 6c107d8 dns: do not add (forward)zone if it is already resolvable.
  • 8d19da4 dns: Check if domain already exists.
  • 1534061 dns: Add --auto-reverse option.

4.3 was released; open a new ticket for possible regressions.

Metadata Update from @pspacek:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.3
