#8327 named customization file ipa-ext.conf breaks bind
Closed: duplicate 3 years ago by cheimes. Opened 3 years ago by dcode.

Issue

When trying to configure recursion for trusted networks, named-pkcs11.service fails since the IPA customization config overrides options in the named.conf.

Steps to Reproduce

  1. Run freeipa-container with Fedora 32 (latest tag, uses BIND 9.11.18-RedHat-9.11.18-1.fc32) for install with --setup-dns
  2. Map the customization file into the container (e.g. -v /etc/named/ipa-ext.conf:/etc/named/ipa-ext.conf:ro; see below)
  3. Run the container to serve DNS, but named-pkcs11.service fails

Actual behavior

Named fails to start due to the ipa-ext.conf file redefining options, which seemingly isn't supported.

Journal log:

May 14 22:12:05 b4e90ca1bf14 systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
May 14 22:12:05 b4e90ca1bf14 bash[309]: /data/etc/named/ipa-ext.conf:6: 'options' redefined near 'options'
May 14 22:12:05 b4e90ca1bf14 systemd[1]: named-pkcs11.service: Control process exited, code=exited, status=1/FAILURE
May 14 22:12:05 b4e90ca1bf14 systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
May 14 22:12:05 b4e90ca1bf14 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#1

Expected behavior

I expected the provided example to just work and that I would be able to allow specified networks to make recursive queries.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

freeipa-server-4.8.6-1.fc32.x86_64
freeipa-client-4.8.6-1.fc32.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.3.7-1.fc32.x86_64
pki-ca-10.8.3-1.fc32.noarch
krb5-server-1.18-1.fc32.x86_64

$ sudo podman images

REPOSITORY                         TAG      IMAGE ID       CREATED       SIZE
docker.io/freeipa/freeipa-server   latest   2bedea2a6293   10 days ago   812 MB

Additional info:


Here is my ipa-ext.conf file. This is the file that is distributed, removing comments and adding a single CIDR range.

acl "trusted_network" {
  localnets;
  localhost;
  192.168.1.0/24;
};
options {
  allow-recursion {trusted_network;};
  allow-query-cache {trusted_network;};
};
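The failure above is a configuration-structure problem: BIND accepts a single top-level `options` statement per configuration, and a second one in an included file is rejected at startup. The following script is an added example, not FreeIPA or BIND code; it resolves `include` statements across an in-memory set of files (constructed here so it runs offline, with the ticket's ipa-ext.conf as one of them) and reports where a singleton statement is defined more than once, so the clash can be caught before named is restarted. The file names, the trimmed named.conf and the "acl-only" variant are assumptions made for the demonstration.

```python
"""Find duplicate top-level BIND statements across named.conf and its includes.

Added example (not FreeIPA's or BIND's own code). It mimics the check that
BIND performs at startup and that produced "'options' redefined" in the
ticket's journal log.
"""
import re
from collections import defaultdict

# Statements BIND accepts at most once per configuration. 'options' is the
# case from the ticket; 'logging' behaves the same way.
SINGLETON_STATEMENTS = frozenset({"options", "logging"})

# /* ... */, // ... and # ... comments. Matched text is blanked out but
# newlines are kept so reported line numbers stay accurate. (Quoted strings
# containing comment markers are not special-cased in this toy parser.)
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    return COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)


def top_level_statements(files, path, seen=None):
    """Yield (keyword, file, line) for every depth-0 statement, following
    `include "file";` into the `files` mapping (a constructed in-memory
    filesystem: {path: contents})."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against include loops
        return
    seen.add(path)
    if path not in files:
        raise FileNotFoundError(f"included file not found: {path}")
    text = strip_comments(files[path])
    depth = 0
    expect_keyword = True  # True at the start of a top-level statement
    keyword = None
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif tok == ";":
            if depth == 0:
                expect_keyword = True
        elif depth == 0 and expect_keyword:
            keyword = tok
            expect_keyword = False
            yield keyword, path, text.count("\n", 0, m.start()) + 1
        elif depth == 0 and keyword == "include" and tok.startswith('"'):
            # The quoted path after `include`: descend into that file.
            yield from top_level_statements(files, tok.strip('"'), seen)


def find_duplicates(files, entry="/etc/named.conf"):
    """Return {keyword: [(file, line), ...]} for singleton statements that
    appear more than once in the fully resolved configuration."""
    locations = defaultdict(list)
    for keyword, path, line in top_level_statements(files, entry):
        if keyword in SINGLETON_STATEMENTS:
            locations[keyword].append((path, line))
    return {k: v for k, v in locations.items() if len(v) > 1}


# Constructed sample: a trimmed named.conf (assumed) that includes the
# customization file, plus the ipa-ext.conf from the ticket, whose
# `options` block sits on line 6, matching the logged error location.
NAMED_CONF = """\
options {
  directory "/var/named";   // assumed; not from the ticket
  listen-on-v6 { any; };
};
include "/etc/named/ipa-ext.conf";
"""

IPA_EXT_CONF = """\
acl "trusted_network" {
  localnets;
  localhost;
  192.168.1.0/24;
};
options {
  allow-recursion {trusted_network;};
  allow-query-cache {trusted_network;};
};
"""

# Variant keeping only the acl definition: no second `options` statement.
IPA_EXT_ACL_ONLY = IPA_EXT_CONF.split("options")[0]

BROKEN = {"/etc/named.conf": NAMED_CONF, "/etc/named/ipa-ext.conf": IPA_EXT_CONF}
CLEAN = {"/etc/named.conf": NAMED_CONF, "/etc/named/ipa-ext.conf": IPA_EXT_ACL_ONLY}

if __name__ == "__main__":
    for name, fs in (("broken", BROKEN), ("clean", CLEAN)):
        print(name, "->", find_duplicates(fs) or "no redefinitions")
```

On a real host the authoritative check is BIND's own `named-checkconf /etc/named.conf`, which walks includes the same way and fails on the redefinition; running it as a pre-start step (or before rebuilding the container) surfaces the error without taking DNS down.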

Thanks for the report. This is a duplicate of https://pagure.io/freeipa/issue/8287 . We already know about the issue and there is a fix in progress.

Metadata Update from @cheimes:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

3 years ago

PS: This is an excellent bug report and contains all required information. I have closed your bug as duplicate because we are already using the other bug ID to work on a fix.
