Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1403352
Prior to the release of BIND 9.11, Fedora and RHEL carried a downstream patch implementing a feature called 'dyndb' or 'dynamic-db'. For e.g., here's F25's patch: http://pkgs.fedoraproject.org/cgit/rpms/bind.git/tree/bind-9.10-dyndb.patch?h=f25

FreeIPA sets up this feature (I don't know what it's for, or what it does, but I know we use it) when you do a default ipa-server-install deployment.

In BIND 9.11, the feature was merged into upstream, but with significant changes. pspacek says "The API accepted upstream is totally incompatible with the old API we used". BIND 9.11 has landed in Fedora Rawhide and the downstream patch has been dropped, so Fedora Rawhide is now using "The API accepted upstream" rather than "the old API we used".

However, freeipa doesn't appear to have been adapted to this. Our openQA test that just does a pretty default FreeIPA server deployment (via rolekit) fails: https://openqa.fedoraproject.org/tests/50976

If you check the logs (which can be downloaded at https://openqa.fedoraproject.org/tests/50976/file/role_deploy_domain_controller-var_log.tar.gz), this is because (actually this log extract is from a couple of days ago, but it's the same failure):

Dec 07 11:57:26 ipa001.domain.local systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
Dec 07 11:57:26 ipa001.domain.local bash[9698]: /etc/named.conf:46: unknown option 'dynamic-db'
Dec 07 11:57:26 ipa001.domain.local systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1

As part of the changes to the feature when merged upstream, the config file directive name was changed from 'dynamic-db' to 'dyndb'. Apparently this isn't the only change, though.

It sounds like ipa-server-install will need changing to make the named.conf modifications in the new format, and we will also need to migrate existing named.conf to the new format when BIND is upgraded from a < 9.11 build with the Fedora/RHEL downstream patches to >= 9.11 with the upstream implementation...

Proposing as a Fedora 26 Alpha blocker, per criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - https://fedoraproject.org/wiki/Fedora_25_Alpha_Release_Criteria#Role_functional_requirements (I didn't copy the criteria for F26 yet) - this bug makes it impossible to deploy the domain controller role, which is a release-blocking role.
PR https://github.com/freeipa/freeipa/pull/351 fixes new IPA installations.
Existing IPA configurations should be fixed as a part of bind-dyndb-ldap update https://fedorahosted.org/bind-dyndb-ldap/ticket/169
master:
Metadata Update from @pvoborni: - Issue assigned to tkrizek - Issue set to the milestone: FreeIPA 4.5