#9195 Hiding a server does not completely clean up DNS records
Closed: fixed a year ago by rcritten. Opened 2 years ago by rcritten.

Issue

With two IPA servers installed, one with only an IPv4 address and the other with both an IPv4 and IPv6 address.

dig -t A ipa-ca.example.test and dig -t AAAA ipa-ca.example.test will show the expected results.

If you run: ipa server-state --state hidden <dual IP host> then the IPv4 address is properly removed from the DNS A record but not the DNS AAAA record.

I think it's because the current code in dns_update_system_records does not remove entries but rewrites from what the current values are (hidden are excluded). Since in this case there are no IPv6 records nothing can be overwritten, leaving the value basically as an orphan.

It means that a hidden CA may still be advertised for ipa-ca if it has the last IP record for a given type.
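The mechanism described in the report, as an added illustration that is not FreeIPA's own dns_update_system_records code: a small in-memory model of the ipa-ca record set, with the "overwrite only what has new values" behaviour beside a "wipe, then write" variant, plus a check that flags addresses still advertised for ipa-ca that no visible server owns. Server names, addresses and the zone structure are constructed sample data; real IPA stores these records in LDAP-backed DNS.

```python
"""Model of how hiding a server affects the ipa-ca DNS records.

Added illustration, not FreeIPA code. All names and addresses are constructed.
"""
import copy
from collections import defaultdict

CA_NAME = "ipa-ca.example.test"

# Constructed inventory: one IPv4-only server, one dual-stack server.
SERVERS = {
    "ipa1.example.test": {"hidden": False, "A": ["192.0.2.10"], "AAAA": []},
    "ipa2.example.test": {"hidden": False, "A": ["192.0.2.11"], "AAAA": ["2001:db8::11"]},
}


def desired_ca_records(servers):
    """Addresses ipa-ca should advertise: every record of every non-hidden server."""
    desired = defaultdict(list)
    for info in servers.values():
        if info["hidden"]:
            continue
        for rrtype in ("A", "AAAA"):
            desired[rrtype].extend(info[rrtype])
    return desired


def update_by_overwrite(zone, servers):
    """Behaviour described in the issue: a record type is rewritten only when
    there is at least one new value for it. A type whose last value belonged
    to the hidden server is never touched, so the old data stays as an orphan."""
    for rrtype, addrs in desired_ca_records(servers).items():
        if addrs:
            zone[(CA_NAME, rrtype)] = sorted(addrs)
    return zone


def update_by_wipe_then_write(zone, servers):
    """Variant matching the fix's description: drop every ipa-ca record first,
    then write back only what is currently desired."""
    for key in [k for k in zone if k[0] == CA_NAME]:
        del zone[key]
    for rrtype, addrs in desired_ca_records(servers).items():
        if addrs:
            zone[(CA_NAME, rrtype)] = sorted(addrs)
    return zone


def orphaned_ca_records(zone, servers):
    """Audit check: ipa-ca addresses that no visible server owns, by record type."""
    desired = desired_ca_records(servers)
    orphans = {}
    for (name, rrtype), addrs in zone.items():
        if name != CA_NAME:
            continue
        stale = [a for a in addrs if a not in desired.get(rrtype, [])]
        if stale:
            orphans[rrtype] = stale
    return orphans


def simulate_hiding(update_fn):
    """Populate the zone with both servers visible, hide the dual-stack server,
    run the update again, and return the resulting zone and server table."""
    servers = copy.deepcopy(SERVERS)
    zone = {}
    update_fn(zone, servers)
    servers["ipa2.example.test"]["hidden"] = True   # ipa server-state --state hidden
    update_fn(zone, servers)
    return zone, servers


if __name__ == "__main__":
    for fn in (update_by_overwrite, update_by_wipe_then_write):
        zone, servers = simulate_hiding(fn)
        print(fn.__name__, "->", dict(zone), "orphans:", orphaned_ca_records(zone, servers))
```

Running it shows the overwrite path keeping 2001:db8::11 in the AAAA record after ipa2 is hidden, while the wipe-then-write path leaves no AAAA record at all; on a live deployment the equivalent check is the dig -t AAAA ipa-ca query from the report, compared against the list of non-hidden CA servers.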


Metadata Update from @rcritten:
- Issue assigned to rcritten

a year ago

Testing was the most difficult part. In PR-CI I ran into two issues:

  1. The installer resolver was changed to use nss instead of DNS to find the host info. This was not returning IPv6 addresses. I confirmed this locally. So I'm proposing to revert that change.

  2. systemd-resolved also would not return IPv6 addresses. Maybe it is being too smart and somehow "knowing" what the local addresses are. I don't care. I nuked it for the test.

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2158775

a year ago

The test is for hidden replicas but it is the same principle for a deleted server.

master:

  • c38546d Wipe the ipa-ca DNS record when updating system records

ipa-4-10:

  • 4e0ad96 Wipe the ipa-ca DNS record when updating system records

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
