[Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

David Kupka dkupka at redhat.com
Thu Jan 15 14:22:03 UTC 2015


On 01/15/2015 12:43 PM, David Kupka wrote:
> On 01/12/2015 06:34 PM, Martin Basti wrote:
>> On 09/01/15 14:43, David Kupka wrote:
>>> On 01/07/2015 04:15 PM, Martin Basti wrote:
>>>> On 07/01/15 12:27, David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4249
>>>>
>>>> Thank you for the patch:
>>>>
>>>> 1)
>>>> -        root_logger.error("Cannot update DNS records! "
>>>> -                          "Failed to connect to server '%s'.", server)
>>>> +        ips = get_local_ipaddresses()
>>>> +    except CalledProcessError as e:
>>>> +        root_logger.error("Cannot update DNS records. %s" % e)
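Review bot: the new error call in this hunk pre-formats the message with `%` (`root_logger.error("Cannot update DNS records. %s" % e)`) while the removed line used the logger's own lazy formatting (`root_logger.error("...'%s'.", server)`); pass the exception as an argument instead, `root_logger.error("Cannot update DNS records. %s", e)`, so the two call sites stay consistent and formatting is deferred until the record is actually emitted.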
>>>>
>>>> IMO the error message should be more specific, add something like
>>>> "Unable to get local IP addresses", at least in log.debug().
>>>>
>>>> 2)
>>>> +    lines = ipresult[0].replace('\\', '').split('\n')
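Review bot: `split('\n')` on captured command output that ends with a newline leaves a trailing empty string in `lines`, which the code iterating over it then has to skip; `ipresult[0].splitlines()` avoids that and also drops the `.replace()` flagged below.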
>>>>
>>>> .replace() is not needed
>>>>
>>>> 3)
>>>> +    if len(ips) == 0:
>>>>
>>>> if not ips:
>>>>
>>>> is more pythonic by PEP8
>>>>
>>>>
>>> Thanks for catching these. Updated patch attached.
>>>
>> merciful NACK
>>
>> Thank you for the patch, unfortunately I hit one issue which needs to be
>> resolved.
>>
>> If "sync PTR" is activated in zone settings, and the reverse zone doesn't
>> exist, nsupdate/BIND returns SERVFAIL and ipa-client-install prints the
>> error message 'DNS update failed'. In fact, all A/AAAA records were
>> successfully updated, only the PTR records failed.
>>
>> Bind log:
>> named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at
>> 'vm-101.example.com' AAAA
>>
>> named-pkcs11[28652]: PTR record synchronization (addition) for A/AAAA
>> 'vm-101.example.com.' refused: unable to find active reverse zone for IP
>> address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found
>>
>> With IPv6 we have several addresses from different reverse zones and
>> this situation may happen often.
>> I suggest the following:
>> 1) Print the list of addresses which will be updated. (Now if the update
>> fails, the user needs to read the log to see which addresses the
>> installer tried to update)
>> 2) Split nsupdates per A/AAAA record.
>> 3a) If it failed, check with a DNS query whether the A/AAAA and PTR
>> records are there and print a proper error message
>> 3b) Just print that the A/AAAA (or PTR) record may not have been updated
>> for the particular IP address.
>>
>> Any other suggestions are welcome.
>>
>
> After a long discussion with DNS and UX gurus I've implemented it this way:
> 1. Call nsupdate only once with all updates.
> 2. Verify that the expected records are resolvable.
> 3. If not, print the list of missing A/AAAA records, the list of missing
> PTR records and the list of mismatched PTR records.
>
> As this is running inside the client we can't do much more and it's up to
> the user to check what's rotten in his DNS setup.
>
> Updated patch attached.
>


One more change to behave well in -crazy- exotic environments that
resolve multiple PTR records for a single IP.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0035-4-client-Update-DNS-with-all-available-local-IP-addres.patch
Type: text/x-patch
Size: 8256 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150115/c75baff4/attachment.bin>
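The verification step described in the thread (one nsupdate run, then check that the expected A/AAAA and PTR records resolve and print the missing A/AAAA, missing PTR and mismatched PTR records), as an added example that is not the patch's code. It stands in for DNS with a constructed in-memory zone and an injected resolve() callback so it runs offline, and treats several PTR records for one IP (the exotic case mentioned above) as fine when one of them is the host's own name.

```python
import ipaddress

# Constructed sample zone data standing in for the DNS server; a real
# client would pass a resolve() callback that queries DNS (e.g. dnspython).
SAMPLE_ZONE = {
    ('vm-101.example.com.', 'A'): ['192.0.2.10', '192.0.2.11'],
    ('vm-101.example.com.', 'AAAA'): ['2001:db8::10'],
    (ipaddress.ip_address('192.0.2.10').reverse_pointer + '.', 'PTR'):
        ['vm-101.example.com.'],
    # PTR for .11 points at another host: reported as mismatched
    (ipaddress.ip_address('192.0.2.11').reverse_pointer + '.', 'PTR'):
        ['other.example.com.'],
    # no reverse zone for the IPv6 address: PTR reported as missing,
    # the situation from the BIND log quoted in the thread
}

def sample_resolve(name, rrtype):
    """Look up in the constructed zone; [] means no such record."""
    return SAMPLE_ZONE.get((name, rrtype), [])

def verify_dns_records(hostname, ips, resolve):
    """Check A/AAAA for hostname and PTR for each IP via resolve(name, rrtype)
    -> list of rdata strings. Returns (missing_fwd, missing_ptr, mismatched)."""
    fqdn = hostname.rstrip('.') + '.'
    missing_fwd, missing_ptr, mismatched = [], [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        rrtype = 'AAAA' if addr.version == 6 else 'A'
        forward = {ipaddress.ip_address(r) for r in resolve(fqdn, rrtype)}
        if addr not in forward:
            missing_fwd.append((rrtype, str(addr)))
        # reverse_pointer gives the in-addr.arpa / ip6.arpa owner name
        ptrs = [p.rstrip('.') + '.' for p in
                resolve(addr.reverse_pointer + '.', 'PTR')]
        if not ptrs:
            missing_ptr.append(str(addr))
        elif fqdn not in ptrs:
            # several PTRs for one IP are fine as long as one is ours
            mismatched.append((str(addr), ptrs))
    return missing_fwd, missing_ptr, mismatched

def report(hostname, ips, resolve=sample_resolve):
    """One line per problem; an empty list means every record checked out."""
    fwd, ptr, mism = verify_dns_records(hostname, ips, resolve)
    lines = ['Missing %s record for %s' % r for r in fwd]
    lines += ['Missing PTR record for %s' % ip for ip in ptr]
    lines += ['PTR for %s points to %s, not %s' % (ip, ', '.join(p), hostname)
              for ip, p in mism]
    return lines
```

Calling report('vm-101.example.com', ['192.0.2.10', '192.0.2.11', '2001:db8::10', '192.0.2.12']) against the sample zone yields one missing A line, two missing PTR lines and one mismatched PTR line.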
