Bug #13419
openDNS updates do not work unless foreman server uses the authoritative DNS server as its nameserver in resolv.conf
Description
If foreman is not using the authoritative name server as a nameserver entry in its resolv.conf, dns proxy calls will not work properly. We have nameserver recursors in our production environment; these forward our internal zones to our authoritative name servers. After foreman deleted the dns records I would never see any calls to create the records.
From a log perspective it looks like this:
On foreman server
2016-01-27T12:34:58 [app] [I] Delete the DNS A record for mem03.phx.dealnews.net/10.11.51.2
2016-01-27T12:34:58 [app] [I] Delete the DNS PTR record for 10.11.51.2/mem03.phx.dealnews.net
2016-01-27T12:34:58 [app] [D] Fetching DNS reservation for 10.11.51.2/mem03.phx.dealnews.net
on foreman-proxy
D, [2016-01-27T12:34:58.089412 #24413] DEBUG -- : verifying remote client 10.10.50.170 against trusted_hosts ["cfg01.atl.dealnews.net"]
I, [2016-01-27T12:34:58.092718 #24413] INFO -- : 10.10.50.170 - - [27/Jan/2016 12:34:58] "DELETE /dns/mem03.phx.dealnews.net HTTP/1.1" 200 - 0.0034
D, [2016-01-27T12:34:58.178689 #24413] DEBUG -- : verifying remote client 10.10.50.170 against trusted_hosts ["cfg01.atl.dealnews.net"]
I, [2016-01-27T12:34:58.181471 #24413] INFO -- : 10.10.50.170 - - [27/Jan/2016 12:34:58] "DELETE /dns/2.51.11.10.in-addr.arpa HTTP/1.1" 200 - 0.0029
It took me forever to figure out why I was never seeing any POST /dns calls on the proxy. The reason is that the dns records already exist in the dns recursor's cache, so it appears that the calls are bypassed by the following code:
# Re-create a record only when an existing one fails validation
def recreate_a_record
  set_dns_a_record unless dns_a_record.nil? || dns_a_record.valid?
end

def recreate_ptr_record
  set_dns_ptr_record unless dns_ptr_record.nil? || dns_ptr_record.valid?
end
dns_a_record.valid? and dns_ptr_record.valid? falsely return true from this code:
# Verifies that a record already exists on the dns server
def valid?
  logger.debug "Fetching DNS reservation for #{self}"
  self == dns_lookup(ip)
end
because they are talking to a cache and the TTL has not hit 0 yet.
Updated by Dominic Cleal over 9 years ago
- Category set to DNS
The default behaviour is to query the authoritative servers (it looks these up via the SOA and NS for the zone), but it does use a recursor (per resolv.conf) if the query_local_nameservers setting (Administer > Settings) is changed from the default false to true.
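Added example (not Foreman's code, not from this report): a small Ruby model of the failure described above and of the query_local_nameservers distinction. It stands in for the valid? / recreate_a_record logic with a caching recursor in front of an authoritative server, and shows that a just-deleted record still validates through the recursor until its TTL expires, so no re-create is issued, while querying the authoritative server directly re-creates it. The class names, the 300 s TTL and the clock are constructed assumptions.

```ruby
# Authoritative server: the zone's source of truth (name => IP).
class AuthoritativeServer
  def initialize(records); @records = records.dup; end
  def lookup(name); @records[name]; end
  def delete(name); @records.delete(name); end
  def add(name, ip); @records[name] = ip; end
end
# Caching recursor in front of it: serves the cached answer until the entry's
# TTL (seconds, from an injected clock) expires, then asks upstream again.
class CachingRecursor
  def initialize(upstream, ttl, clock)
    @upstream, @ttl, @clock, @cache = upstream, ttl, clock, {}
  end
  def lookup(name)
    entry = @cache[name]
    return entry[:ip] if entry && @clock.call < entry[:expires]
    ip = @upstream.lookup(name)
    @cache[name] = { ip: ip, expires: @clock.call + @ttl } if ip
    ip
  end
end

# Stand-in for Foreman's A record: valid? means "the resolver still returns
# my IP"; recreate! mirrors recreate_a_record from the report.
class ARecord
  attr_reader :name, :ip
  def initialize(name, ip, resolver); @name, @ip, @resolver = name, ip, resolver; end
  def valid?; @resolver.lookup(name) == ip; end
  def recreate!(auth)   # true only if a create was actually issued
    return false if valid?
    auth.add(name, ip)
    true
  end
end
# Replays the reporter's sequence: a lookup warms the recursor cache, the record
# is deleted authoritatively, then Foreman tries to re-create it. The keyword
# plays the role of query_local_nameservers (true = resolve via resolv.conf).
def simulate(query_local_nameservers:, wait_seconds: 0)
  now = 0
  auth = AuthoritativeServer.new('mem03.phx.dealnews.net' => '10.11.51.2')
  recursor = CachingRecursor.new(auth, 300, -> { now })   # 300 s TTL, constructed
  rec = ARecord.new('mem03.phx.dealnews.net', '10.11.51.2',
                    query_local_nameservers ? recursor : auth)
  rec.valid?                       # earlier traffic populated the cache
  auth.delete(rec.name)            # the DELETE /dns calls seen in the proxy log
  now += wait_seconds
  recreated = rec.recreate!(auth)  # the POST /dns that never appeared
  { recreated: recreated, authoritative_has_record: !auth.lookup(rec.name).nil? }
end
```

With the recursor, recreate! is skipped and the authoritative zone is left without the record until the cached entry ages out; with the authoritative server (the default behaviour) or after the TTL has passed, the record is re-created.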
Updated by Michael Eklund over 9 years ago
Confirmed this was the case. We were fronting our authdns with a recursor for caching. I would love a setting to force it to go by what the proxy says though.
Updated by Stephen Benjamin over 8 years ago
I'm not sure I understand the logic of reaching out to the authoritative nameservers - why is Foreman special and needing to bypass the system's DNS configuration?
It causes major problems anywhere that uses things like DNS sinkholes and disables access to anything but their own dns:
https://github.com/Katello/forklift/pull/295#issuecomment-249864935