#6062 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
Closed: Fixed None Opened 4 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1354441

Description of problem: named-pkcs11[16354]: dns_rdatatype_fromtext() failed
for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

Version-Release number of selected component (if applicable):
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Install IPA server
2. Add forwardzone for parent domain
ipa dnsforwardzone-add pne.qe --forwarder=IP-address --forward-policy=only

3. Add forwardzone for child domain
ipa dnsforwardzone-add chd.pne.qe --forwarder=IP-address --forward-policy=only

4. Check message displayed on the console.

Actual results:

[root@server samba]# ipa dnsforwardzone-add chd.pne.qe --forwarder=10.65.210.99
--forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain chd.pne.qe. failed: All nameservers failed to
answer the query chd.pne.qe. IN SOA: Server 127.0.0.1 UDP port 53 anwered The
DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered
The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS
operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation
timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

[root@server samba]# systemctl status named-pkcs11.service -l
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-07-11 12:38:30 IST; 2h 28min ago
 Main PID: 16354 (named-pkcs11)
   CGroup: /system.slice/named-pkcs11.service
           └─16354 /usr/sbin/named-pkcs11 -u named

Jul 11 12:42:36 server.testrelm.test named-pkcs11[16354]:
dns_rdatatype_fromtext() failed for attribute
'idnsTemplateAttribute;cnamerecord': unknown class/type
Jul 11 12:42:36 server.testrelm.test named-pkcs11[16354]:
dns_rdatatype_fromtext() failed for attribute
'idnsTemplateAttribute;cnamerecord': unknown class/type

Expected results:
This should work exactly as in RHEL 7.2, i.e. the forwardzone policy should
get added with the IP address for the child/tree domains and be listed in the
ipa dnsforwardzone-find command for the parent domain, which is not being done
right now.

Additional info:

Interestingly, I'm unable to reproduce this on clean install. If you happen to find a reliable reproducer please reopen the bug. Thank you!

Okay, I was able to reproduce this problem using two independent IPA DNS servers:

Assume that example.com. is an existing DNS domain hosted on server "srv1":
srv1$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.1
srv1$ ipa dnsrecord-add example.com. f --ns-rec=$(hostname).

Forwarding to IP address 192.0.2.1 will always fail so any query for the sub-domain f.example.com. will always return an error (SERVFAIL or a timeout).

Now we can try to add the same sub-domain as a forward zone on a second machine, "srv2". For this to work, srv2 needs to see a proper DNS delegation of the example.com. domain to srv1. As a quick hack we can point the global forwarder on srv2 to srv1.
srv2$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.123

This will error out:
DNS check for domain f.dom-058-218.abc.idm.lab.eng.brq.redhat.com. failed: All nameservers failed to answer the query f.example.com. IN SOA: Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

master:

  • b73ef3d DNS: allow to add forward zone to already broken sub-domain

Metadata Update from @pvoborni:
- Issue assigned to pspacek
- Issue set to the milestone: FreeIPA 4.4.1

4 years ago
