[Freeipa-devel] IPA server resolv.conf

Sumit Bose sbose at redhat.com
Mon Sep 17 10:34:35 UTC 2012 

On Mon, Sep 17, 2012 at 11:18:53AM +0200, Petr Spacek wrote:
> On 09/17/2012 09:15 AM, Martin Kosek wrote:
> >On 09/17/2012 09:06 AM, Petr Spacek wrote:
> >>Discussion about patch "Set master_kdc and dns_lookup_kdc to true)" reminds one
> >>related problem:
> >>
> >>Our server installer puts line "nameserver 127.0.0.1" to /etc/resolv.conf, but
> >>this file should contain all (or three nearest) DNS servers in IPA domain.
> >>
> >>As a result, IPA server will work even after local named crash (which is not so
> >>rare as I want :-().
> >>
> >>New ticket:
> >>https://fedorahosted.org/freeipa/ticket/3085
> >>
> >>Martin, what do you think?
> >>
> >>How we can update resolv.conf to reflect replica addition/deletion?
> >>
> >>Should it be done manually? E.g. ipa-replica-install script can print "don't
> >>forget to add this server to /etc/resolv.conf on other servers"?
> >>
> >>Petr^2 Spacek
> >>
> >
> >It would not be difficult to pull a list of IPA masters with DNS support during
> >ipa-{server,replica}-install and write more IPs to the resolv.conf. But I think
> >there may be an issue when somebody willingly stop a remote replica or
> >uninstall it. He would also need to remove it's IP from all resolv.confs in all
> >replicas...
> >
> >Btw. why would IPA server fail when a local named crashes? A record in
> >/etc/hosts we always add should still enable local IPA services to work or do I
> >miss something?
> 
> Well... try it :-D "service named stop"
> 
> I didn't examine details of this problem, but my guess is Kerberos
> and reverse DNS lookups. Also, you need to resolve neighbouring

at least reverse DNS lookups shouldn't be the case since 'rdns = false'
in krb5.conf.

bye,
Sumit

> replica IP and so on.
> 
> 
> Name servers listed in resolv.conf are tried in order, so 127.0.0.1
> should be on first place.
> 
> man resolv.conf:
> nameserver Name server IP address
> ...  Up to MAXNS (currently  3,  see  <resolv.h>)  name  servers
> may  be listed,  one  per  keyword.  If there are multiple servers,
> the resolver library queries them in the order listed.
> ...
> (The algorithm used is to try a name server, and if the query times
> out, try the next, until out of name servers, then repeat trying all
> the name servers until a maximum number of retries are made.)
> 
> 
> Also, some update mechanism for resolv.conf would be nice. We should
> provide "gen-recolv-conf.py script" at least, so admin can call it
> from cron or someting like that.
> 
> Petr^2 Spacek
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

More information about the Freeipa-devel mailing list