On Fedora 33, systemd-resolved presents a reverse record for the host's IP address, which makes ipa-server-install skip creation of the reverse zone.
Actual result: one forward zone in output
Expected result: forward and reverse zones in output
freeipa-server-4.9.1-1.fc33.x86_64
Detailed reproducer: on a new F33 machine whose DNS does not serve a reverse zone for the machine's IP address:

```
$ hostnamectl set-hostname master.testrelm.test
$ dnf install -y freeipa-server-dns --enablerepo=updates-testing
$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search openstacklocal
$ dig master.testrelm.test +short
192.168.121.198
$ dig -x 192.168.121.198 +short
master.testrelm.test.
master.
master.local.
$ ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --auto-reverse
...
Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Invalid IP address fe80::c0f6:5ad9:824:ea1b for master.testrelm.test: cannot use link-local IP address fe80::c0f6:5ad9:824:ea1b
Checking DNS forwarders, please wait ...
Reverse record for IP address 192.168.121.198 already exists
...
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.121.1
Forward policy:   only
Reverse zone(s):  No reverse zone
Adding [192.168.121.198 master.testrelm.test] to your /etc/hosts file
...
$ echo Secret123 | kinit admin
$ ipa dnszone-find
  Zone name: testrelm.test.
  Active zone: TRUE
  Authoritative nameserver: master.testrelm.test.
  Administrator e-mail address: hostmaster.testrelm.test.
  SOA serial: 1612878349
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 1
----------------------------
```
Same script for F32 (it does not use systemd-resolved, and the reverse zone is created as expected):

```
$ hostnamectl set-hostname master.testrelm.test
$ dnf install -y freeipa-server-dns --enablerepo=updates-testing
$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
$ cat /etc/resolv.conf
; Created by cloud-init on instance boot automatically, do not edit.
;
# Generated by NetworkManager
search openstacklocal
nameserver 10.11.5.19
nameserver 10.5.30.45
nameserver 2620:52:0:aa0::dead:beef
$ dig master.testrelm.test +short
[nothing]
$ dig +short -x <IP ADDRESS>
[nothing]
$ ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --auto-reverse
...
Warning: skipping DNS resolution of host master.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Invalid IP address fe80::5054:ff:fe6d:6c50 for master.testrelm.test: cannot use link-local IP address fe80::5054:ff:fe6d:6c50
Checking DNS forwarders, please wait ...
Checking DNS domain 121.168.192.in-addr.arpa., please wait ...
Reverse zone 121.168.192.in-addr.arpa. will be created
Using reverse zone(s) 121.168.192.in-addr.arpa.
...
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.121.1
Forward policy:   only
Reverse zone(s):  121.168.192.in-addr.arpa.
...
$ echo Secret123 | kinit admin
$ ipa dnszone-find
  Zone name: 121.168.192.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: master.testrelm.test.
  Administrator e-mail address: hostmaster.121.168.192.in-addr.arpa.
  SOA serial: 1612878810
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-subdomain 121.168.192.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: testrelm.test.
  Active zone: TRUE
  Authoritative nameserver: master.testrelm.test.
  Administrator e-mail address: hostmaster.testrelm.test.
  SOA serial: 1612878840
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.TEST krb5-self * A; grant TESTRELM.TEST krb5-self * AAAA; grant TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
```
According to [1]:

systemd-resolved synthesizes DNS resource records (RRs) for the following cases:
- The local, configured hostname is resolved to all locally configured IP addresses ordered by their scope, or, if none are configured, the IPv4 address 127.0.0.2 (which is on the local loopback interface) and the IPv6 address ::1 (which is the local host).
- The mappings defined in /etc/hosts are resolved to their configured addresses and back, but they will not affect lookups for non-address types (like MX). Support for /etc/hosts may be disabled with ReadEtcHosts=no.

As the reproducer log shows, the reverse DNS record is created by resolved even without a corresponding line in /etc/hosts. [2] does not describe any option to disable this behaviour.
I suppose we should change the way the installer detects the presence of a reverse record, maybe by directing the request to the DNS forwarder.
[1] https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html [2] https://www.freedesktop.org/software/systemd/man/resolved.conf.html#
Metadata Update from @sorlov: - Issue tagged with: bug
Test failure can be seen in the job fedora-latest/test_installation_TestInstallWithCA_DNS3, in the test test_integration/test_installation.py::TestInstallWithCA_DNS3::test_number_of_zones: see PR #755 with the following logs and report:

```
args = (<ipatests.test_integration.test_installation.TestInstallWithCA_DNS3 object at 0x7f3330afe430>,)
master = <ipatests.pytest_ipa.integration.host.Host master.ipa.test (master)>

    def wrapped(*args):
        master = args[0].master
        create_broken_resolv_conf(master)
        try:
>           func(*args)

test_integration/test_installation.py:54:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <ipatests.test_integration.test_installation.TestInstallWithCA_DNS3 object at 0x7f3330afe430>

    @server_install_setup
    def test_number_of_zones(self):
        """There should be two zones: one forward, one reverse"""
        self.create_pkcs12('ca1/server')
        self.prepare_cacert('ca1')
        self.install_server(extra_args=['--allow-zone-overlap'])
        result = self.master.run_command([
            'ipa', 'dnszone-find'])
>       assert "in-addr.arpa." in result.stdout_text
E       AssertionError: assert 'in-addr.arpa.' in ' Zone name: ipa.test.\n Active zone: TRUE\n Authoritative nameserver: master.ipa.test.\n Administrator e-mail add...;\n Allow transfer: none;\n----------------------------\nNumber of entries returned 1\n----------------------------\n'
E        +  where ' Zone name: ipa.test.\n Active zone: TRUE\n Authoritative nameserver: master.ipa.test.\n Administrator e-mail add...;\n Allow transfer: none;\n----------------------------\nNumber of entries returned 1\n----------------------------\n' = <pytest_multihost.transport.SSHCommand object at 0x7f333098da00>.stdout_text

test_integration/test_installation.py:574: AssertionError
```
Metadata Update from @frenaud: - Issue tagged with: test-failure
Test failure observed in [testing_master_pki] Nightly PR #762 report
Failure seen in [testing_ipa-4.9_latest] Nightly PR #771 , report
Failure Seen in [testing_master_pki] Nightly PR #793 , report
Failure seen in [testing_ipa-4.9_latest] Nightly PR #787 , report
Failure seen in [testing_master_pki] Nightly PR #812 report
Failure observed in [testing_ipa-4.9_latest] Nightly PR #806 , report
Failure observed in [testing_master_pki] Nightly PR #831 , report
Failure observed in [testing_ipa-4.9_latest] Nightly PR #823, logs
Failure observed in [testing_ipa-4.9_latest] Nightly PR #843 , report
Failure observed in PR #879 - pki-fedora/test_installation_TestInstallWithCA_DNS3 , report
Test failure observed in testing_master_previous PR report
Test Failure observed in testing_master_previous PR Report
Failure observed in [testing_master_previous] Nightly PR #914 , report
Failure observed in testing_master_previous PR Report
Failure observed in [testing_master_previous] Nightly PR #945 , logs
Failure observed in test_master_previous PR Report
Failure observed in [testing_master_previous] Nightly PR #961 , report
Failures observed in [testing_master_pki] Nightly PR #973 , report
Failure observed in testing_master_previous PR 964 Report
failure observed in testing_master_previous PR 979 Report
failure observed in testing_master_previous PR 997 Report
Failures observed in testing_master_pki , report
failure observed in testing_master_previous PR 1027 Logs
failure observed in testing_master_previous PR 1057 Logs
Failure observed in testing_master_previous PR 1057 Logs
Failure observed in [testing_master_pki] PR 1080 , report
Failures observed in testing_master_previous PR 1072 Logs
There are four ways to maintain /etc/resolv.conf on a systemd-resolved system as explained in https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
The first two ways involve using 127.0.0.53 (resolved), which will resolve the system's IP address to the hostname (in about 1300 ms), breaking reverse zone detection.
The third way involves linking /etc/resolv.conf to /run/systemd/resolve/resolv.conf, which works at install time: this file is maintained by resolved and contains the upstream nameservers' IPs. However, since FreeIPA has a NetworkManager configuration file that injects 127.0.0.1 as a nameserver, systemd-resolved adds this entry to its list of upstream DNS nameservers' IPs and the resulting /run/systemd/resolve/resolv.conf contains all entries, which is not what is desired.
The fourth way is essentially: "remove the symlink and maintain /etc/resolv.conf yourself".
I've found that combining #3 and #4 works well: copying the contents of the systemd-resolved resolv.conf containing the upstream DNS IPs into /etc/resolv.conf (instead of symlinking it) results in the install-time reverse zone detection working again, and the post-install resolv.conf contains "nameserver 127.0.0.1".
What to do at uninstall time, since the filestore does not maintain symlinks, is not decided yet. The current behavior reverts /etc/resolv.conf to the contents of /run/systemd/resolve/resolv.conf before FreeIPA installation which seems fine.
Metadata Update from @fcami: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5939/ - Issue assigned to fcami
Note that the test will not succeed in PR-CI until https://github.com/freeipa/freeipa-pr-ci/issues/437 is fulfilled.
failure observed in testing_master_previous PR Logs
From the systemd-devel mailing-list:
"""
Is there a way via the resolved configuration file to disable the automatic resolution of the hostname and the IP of the host?
There is no way to do this globally or for the DNS stub, currently. You could parse the upstream DNS servers from /run/systemd/resolve/resolv.conf and query those DNS servers directly. That file always contains a valid resolv.conf with all known upstream DNS servers and is updated instantly when DNS config changes.
You could also explicitly resolve via resolved (either via D-Bus, or varlink), where in very recent versions you can set a flag to disable such "synthetic" RRs. This is also exposed via "resolvectl query --synthesize=no …". """
This gives us a bit more possibilities:
- switch the IPA server system to not use resolved ( https://pagure.io/freeipa/issue/8700#comment-745909 )
- use a dns.resolver.Resolver object configured to use /run/systemd/resolve/resolv.conf, if that file exists, only. This means using that in every place needed, e.g. not only --auto-reverse, but also for each functionality that requires querying upstream DNS and where systemd-resolved could give an undesirable answer.
- same as the second solution, using resolved's D-Bus API
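The following is an added example, not FreeIPA code and not from any commenter on this ticket. It shows what the second option above (and the reporter's earlier suggestion of asking the forwarder directly) looks like in practice: classify how /etc/resolv.conf is maintained, pull the real upstream servers out of /run/systemd/resolve/resolv.conf while dropping resolved's stub and the 127.0.0.1 that FreeIPA's NetworkManager snippet injects, and send the PTR query to those servers with a dnspython Resolver built with configure=False so the stub is never consulted. The function and constant names are the example's own; the two resolv.conf samples are constructed from the files quoted in the report; dnspython is only needed for the live reverse_lookup call, which is not exercised offline.

```python
"""Added example (not FreeIPA code): detect whether lookups go through the
systemd-resolved stub, which synthesizes a PTR for the host's own address,
and if so ask the real upstream DNS servers directly."""
import ipaddress
import os

STUB_ADDRESSES = {"127.0.0.53", "127.0.0.54"}   # systemd-resolved stub listeners
UPLINK_RESOLV_CONF = "/run/systemd/resolve/resolv.conf"


def parse_nameservers(text):
    """Nameserver IPs from resolv.conf text, in order; '#' and ';' comments ignored."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue            # malformed entry: skip it rather than query it
        servers.append(parts[1])
    return servers


def upstream_nameservers(text):
    """Real upstream servers only: drop the stub and any loopback entry.

    FreeIPA's NetworkManager snippet injects 127.0.0.1, and resolved copies it
    into its uplink resolv.conf; asking the local BIND defeats the purpose."""
    return [ns for ns in parse_nameservers(text)
            if ns not in STUB_ADDRESSES
            and not ipaddress.ip_address(ns).is_loopback]


def classify_resolv_conf(link_target, text):
    """Which of the four resolv.conf modes from the systemd-resolved man page is in use.

    'stub'   : nameserver is 127.0.0.53 (stub-resolv.conf or the static
               /usr/lib/systemd/resolv.conf); the PTR for our own IP is synthesized
    'uplink' : symlink to /run/systemd/resolve/resolv.conf
    'static' : a plain file maintained outside resolved"""
    if any(ns in STUB_ADDRESSES for ns in parse_nameservers(text)):
        return "stub"
    if link_target == UPLINK_RESOLV_CONF:
        return "uplink"
    return "static"


def inspect_resolv_conf(path="/etc/resolv.conf"):
    """Classify the live file on a real host (not exercised offline)."""
    target = os.path.realpath(path) if os.path.islink(path) else None
    with open(path) as f:
        return classify_resolv_conf(target, f.read())


def reverse_lookup(ip, nameservers, lifetime=3.0):
    """PTR names for ip, asked directly of the given servers (dnspython)."""
    import dns.exception
    import dns.resolver
    import dns.reversename
    resolver = dns.resolver.Resolver(configure=False)   # do not read /etc/resolv.conf
    resolver.nameservers = list(nameservers)
    resolver.lifetime = lifetime
    try:
        answer = resolver.resolve(dns.reversename.from_address(ip), "PTR")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return []
    return [str(rr.target) for rr in answer]


def reverse_record_exists(ip, uplink_text):
    """True if an upstream server (never resolved's stub) has a PTR for ip.

    Returns None when no usable upstream server is known, so the caller can
    fall back to its normal resolver instead of silently assuming 'no record'."""
    servers = upstream_nameservers(uplink_text)
    if not servers:
        return None
    return bool(reverse_lookup(ip, servers))


# Constructed samples modelled on the two resolv.conf files quoted in the report.
STUB_SAMPLE = """# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
search openstacklocal
"""
UPLINK_SAMPLE = """# /run/systemd/resolve/resolv.conf after FreeIPA injected 127.0.0.1
nameserver 127.0.0.1
nameserver 192.168.121.1
nameserver 2620:52:0:aa0::dead:beef
search openstacklocal
"""

if __name__ == "__main__":
    print(classify_resolv_conf("/run/systemd/resolve/stub-resolv.conf", STUB_SAMPLE))
    print(upstream_nameservers(UPLINK_SAMPLE))
```

On a host in 'stub' mode, reverse_record_exists("192.168.121.198", open(UPLINK_RESOLV_CONF).read()) asks 192.168.121.1 (and the IPv6 server) and ignores the synthesized master.testrelm.test. answer; on a host without resolved the uplink file is absent and the caller keeps its existing behaviour.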
master:
ipa-4-9:
Apparently fixed by the latest systemd fixes: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/0ce093e6-49f7-11ec-9ecc-fa163e3ef39f/report.html
Metadata Update from @fcami: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to Previously, systemd-resolved presented reverse record for host's IP address which made ipa-server-install skip creation of reverse zone. The issue was fixed in systemd on Fedora 35 and is not a problem anymore. - Custom field knownissue adjusted to on
test failure seen in testing_master_latest PR 1734 Report
This is easily reproducible with Fedora 36 under libvirt.
Re-opening this as another failure is seen in testing_master_latest PR 1743 Report
Metadata Update from @sumedhs: - Custom field affects_doc adjusted to on - Issue status updated to: Open (was: Closed)
@rjeffman @sumedhs the issue is now tracked at https://pagure.io/freeipa/issue/9135, let's keep a single issue open. I'm closing this one.
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)