Bug 1353940 - Creation of new DNS zone without A records fails with "zone example.com/IN: not loaded due to errors"
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-08 13:22 UTC by Matt Smith
Modified: 2018-06-25 08:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-22 17:49:54 UTC



Description Matt Smith 2016-07-08 13:22:11 UTC
Description of problem:
As posted on idm-tech 2016-07-08:

Brand new RHEL 7.2 IdM install for the domain ipa.example.com.  I just added a new DNS zone for "example.com" via the Web UI, which automatically creates the "@" NS record and the "_kerberos" TXT record, but neither is resolvable via 'dig' from the command line.  Running 'rndc reload' and watching the logs, I see the following:
"""
zone example.com/IN: not loaded due to errors
...
zone example.com/IN: NS 'idm-1.ipa.example.com' has no address records (A or AAAA)
"""

Once I manually create an A record (glue record) for "idm-1.ipa" in the "example.com" zone, everything works as expected.  But there was no indication that this is a necessary step.

Version-Release number of selected component (if applicable):
RHEL 7.2

How reproducible:
100% Repeatable

Steps to Reproduce:
1. Install new IPA environment ipa.example.com
2. Create new DNS zone example.com
3. dig -tNS example.com

Actual results:
dig cannot resolve the NS record for example.com, for two reasons:  there is no glue record to direct to the child domain where the ns server lives, and the zone will not load until an A record is included.

Expected results:
Server should be able to properly return address of NS server for example.com

Additional info:

Comment 2 Petr Spacek 2016-07-11 10:49:52 UTC
Fixing this will require significant changes in DNS plugin so I'm proposing to do this along with integration work for external DNS - in some future release.

Comment 3 Petr Vobornik 2016-07-12 16:08:03 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6066

Comment 6 Petr Vobornik 2018-05-10 13:46:33 UTC
This was fixed upstream in Dec 2015 in 6c107d819c557d32e90bbbd1ab4d60d8b59006db so it should already be fixed in 7.5 build.

Comment 8 Xiyang Dong 2018-06-10 16:40:39 UTC
(In reply to Petr Vobornik from comment #6)
> This was fixed upstream in Dec 2015 in
> 6c107d819c557d32e90bbbd1ab4d60d8b59006db so it should already be fixed in
> 7.5 build.

What version specifically? I am unable to verify the fix on 7.5.2:

# rpm -qa ipa-server bind bind-dyndb-ldap
bind-9.9.4-61.el7.x86_64
ipa-server-4.5.4-10.el7_5.2.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64

# /usr/sbin/ipa-server-install --setup-dns  --auto-forwarders --auto-reverse --hostname=host-8-241-13.ipa.testrelm.test -r IPA.TESTRELM.TEST -n ipa.testrelm.test -p Secret123 -a Secret123 --allow-zone-overlap --ip-address=172.16.169.25 -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host host-8-241-13.ipa.testrelm.test
Checking DNS domain ipa.testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       host-8-241-13.ipa.testrelm.test
IP address(es): 172.16.169.25
Domain name:    ipa.testrelm.test
Realm name:     IPA.TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       172.16.169.3, 172.16.169.2, 172.16.169.4
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
.
.
.
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

# kinit admin
Password for admin@IPA.TESTRELM.TEST:
# ipa dnszone-add testrelm.test
  Zone name: testrelm.test.
  Active zone: TRUE
  Authoritative nameserver: host-8-241-13.ipa.testrelm.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1528648643
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA.TESTRELM.TEST krb5-self * A; grant IPA.TESTRELM.TEST krb5-self * AAAA; grant IPA.TESTRELM.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
# dig -t NS testrelm.test

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t NS testrelm.test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40211
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testrelm.test.			IN	NS

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 10 12:37:27 EDT 2018
;; MSG SIZE  rcvd: 42
# ipa dnsrecord-add testrelm.test host-8-241-13.ipa --a-rec=172.16.169.25
  Record name: host-8-241-13.ipa
  A record: 172.16.169.25
# dig -t NS testrelm.test

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t NS testrelm.test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testrelm.test.			IN	NS

;; ANSWER SECTION:
testrelm.test.		86400	IN	NS	host-8-241-13.ipa.testrelm.test.

;; ADDITIONAL SECTION:
host-8-241-13.ipa.testrelm.test. 1200 IN A	172.16.169.25

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 10 12:38:25 EDT 2018
;; MSG SIZE  rcvd: 90


I will reverify when 7.6 rhel builds are available next week.

Comment 12 Petr Vobornik 2018-06-22 17:11:08 UTC
Ah, I see I may have partly incorrectly moved this as fixed, because when one adds a new zone to DNS in IPA, the NS record points to the IPA A record.

The issue is when the A records don't exist. IPA automatically adds A records for masters, clients and replicas when a zone has it enabled.

The problem here is that the A record is in a zone not controlled by IPA, and then it depends on which NS updates are enabled.

IdM documentation says that this is one of the things to configure in outside DNS systems when configuring IPA. 

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs

Comment 14 Xiyang Dong 2018-06-22 17:49:54 UTC
Thanks Petr and Flo. Comment 12 does make sense and I would agree to close this bug as WON'T FIX for now.

Comment 15 Florence Blanc-Renaud 2018-06-25 07:26:17 UTC
Removing the 'Fixed in version:' value

