Support #8603

closed

Unable to provision new host due to DNS error

Added by Brian Lee over 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Triaged:
Fixed in Releases:
Found in Releases:

Description

I have a fresh 1.7.0 install of foreman. When I go to add a new host I get this error:

Create Reverse DNS record for newhost.example.com task failed with the following error: ERF12-2357 [ProxyAPI::ProxyException]: Unable to set DNS entry ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman.example.com:8443/dns

I can provide any log files as needed, I just don't know what to look for.

Actions #1

Updated by Dominic Cleal over 9 years ago

  • Tracker changed from Bug to Support
  • Status changed from New to Feedback

Look in /var/log/foreman-proxy/proxy.log for further details. It would also be useful to see your BIND configuration, assuming you're using that.

Actions #2

Updated by Brian Lee over 9 years ago

Here is the error for the proxy.log:

E, [2014-12-08T07:51:40.220703 #17275] ERROR -- : Update errors: Answer:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  32393
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.in-addr.arpa.               IN      SOA
;; TSIG PSEUDOSECTION:
rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1418046700 300 16 7YTn6AECH9t9XQPVZjws+A== 32393 NOERROR 0

I am using BIND; it's a CentOS 6.6 system. What config files do you want to see from it?

Actions #3

Updated by Dominic Cleal over 9 years ago

Probably the named.conf, and zones.conf if you use that. What I'm looking for is the definition of the 10.in-addr.arpa zone, as that's what it's trying to update when doing reverse DNS.

Actions #4

Updated by Brian Lee over 9 years ago

Named.conf:

// named.conf

include "/etc/rndc.key";

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
        include "/etc/named/options.conf";
};

include "/etc/named.rfc1912.zones";

// Public view read by Server Admin
include "/etc/zones.conf";

zones.conf:

zone "100.168.192.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.100.168.192.in-addr.arpa";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
zone "quicksand.bitc.morphotrust.com" {
    type master;
    file "/var/named/dynamic/db.example.com";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};

Actions #5

Updated by Dominic Cleal over 9 years ago

Okay, so your DNS server is only configured for the reverse 192.168.100.0/24 zone, but Foreman is trying to manage entries in a 10/8 subnet. You'll need to add the zone to BIND to manage it, or remove the DNS Proxy from the 10/8 Subnet in Foreman's UI to disable reverse DNS management.

Actions #6

Updated by Brian Lee over 9 years ago

Yep, that was the problem. I changed the arpa file to match my network and that fixed it.

The follow-up question is, why did that get set? I used Foreman to install BIND and DHCP, but it did not set it correctly. Did I miss something during the install?

Actions #7

Updated by Dominic Cleal over 9 years ago

  • Status changed from Feedback to Resolved

Yeah, sounds like you needed to add --foreman-proxy-dns-reverse=10.in-addr.arpa to your foreman-installer command. It defaults to 192.168.100.0/24 I think if you pass --foreman-proxy-dns=true to set up BIND.

There are quite a few parameters, so you might have to review them carefully when installing.

Glad you got it sorted!

Actions #8

Updated by Peter Agnew over 8 years ago

I have a very similar problem on a vanilla install of Foreman 1.9.2.

I do NOT want Foreman to manage the 10.in-addr.arpa and I don't understand why it is trying to do this.

/etc/bind/named.conf:

// named.conf

include "/etc/bind/rndc.key";

controls  {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options  {
        include "/etc/bind/named.conf.options";
};

include "/etc/bind/zones.rfc1918";

// Public view read by Server Admin
include "/etc/bind/zones.conf";

/etc/bind/zones.conf

zone "32.0.27.10.in-addr.arpa" {
    type master;
    file "/var/cache/bind/zones/db.32.0.27.10.in-addr.arpa";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};
zone "eng.fireeye.com" {
    type master;
    file "/var/cache/bind/zones/db.eng.fireeye.com";
    update-policy {
            grant rndc-key zonesub ANY;
    };
};

foreman-proxy (debug mode) log:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  40911
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;10.IN-ADDR.ARPA.        IN    SOA
;; TSIG PSEUDOSECTION:
rndc-key.        0    ANY    TSIG    hmac-md5.sig-alg.reg.int. 1447190033 300 16 VQ8uzl/brDL0iLFjUdthWA== 40911 NOERROR 0

Why, Foreman proxy, are you attempting to put an entry into that zone? Please don't. Please help.

Actions #9

Updated by Peter Agnew over 8 years ago

Dominic Cleal wrote:

Okay, so your DNS server is only configured for the reverse 192.168.100.0/24 zone, but Foreman is trying to manage entries in a 10/8 subnet. You'll need to add the zone to BIND to manage it, or remove the DNS Proxy from the 10/8 Subnet in Foreman's UI to disable reverse DNS management.

How does one remove the DNS Proxy from the 10/8 Subnet in Foreman's UI?

Actions #10

Updated by Dominic Cleal over 8 years ago

Peter Agnew wrote:

How does one remove the DNS Proxy from the 10/8 Subnet in Foreman's UI?

Go to Infrastructure > Subnets, click your subnet and under the Proxies tab, deselect the DNS proxy.

Actions #11

Updated by Peter Agnew over 8 years ago

I see your point. You can tell Foreman to completely disable the DNS proxy. In this case I want to have the proxy, but put reverse lookups in the 10.0.27.32/27 zone.

What I think I have figured out is that the DNS configuration (either Foreman's or default bind9) defines a standard set of RFC1918 zones in the file /etc/bind/zones.rfc1918:

zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };

zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

You can see this file included at the bottom of named.conf. This file does the job of defining the standard local subnet zones in a default way to avoid unnecessary trips to outside DNS servers when you are attempting to get to a box on your local subnet. Well, my stupid network (10.0.27.32/27) totally fits in the standard RFC1918 zone "10.in-addr.arpa" (10.x.x.x network). So how does bind9 decide what zone I am attempting to define my reverse lookup in when I have both of these zones defined?
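Dominic's diagnosis in #5 (the server has no zone that encloses the 10/8 reverse names, so the update comes back NOTAUTH) and the question above about how BIND chooses between "10.in-addr.arpa" and "32.0.27.10.in-addr.arpa" both come down to one rule: an authoritative server owns a name with the configured zone whose labels form the longest matching suffix of that name (the closest enclosing zone), and a zone that carries no allow-update or update-policy refuses dynamic updates. The Python below is an added example, not code from Foreman, the smart proxy or this ticket; it models that lookup over the zone names posted in this thread. The sample addresses are constructed, and the zone "27.0.10.in-addr.arpa" added at the end is hypothetical, included to show where the PTR names for 10.0.27.32/27 actually live.

```python
"""Model of closest-enclosing-zone selection for reverse DNS dynamic updates.

Added example (not Foreman/smart-proxy code). Zone names come from the
named.conf / zones.conf / zones.rfc1918 excerpts posted in this ticket;
the addresses fed to it below are constructed sample values.
"""
import ipaddress

# Configured zone -> whether the zone carries an update-policy.
# The zones.rfc1918 stubs (db.empty) have no update-policy, so BIND's
# default "allow-update { none; }" applies and dynamic updates are REFUSED.
ZONES = {
    "10.in-addr.arpa": False,
    "168.192.in-addr.arpa": False,
    "32.0.27.10.in-addr.arpa": True,  # zones.conf: grant rndc-key zonesub ANY
    "eng.fireeye.com": True,          # zones.conf: grant rndc-key zonesub ANY
}
for second_octet in range(16, 32):    # 16.172 ... 31.172 from zones.rfc1918
    ZONES[f"{second_octet}.172.in-addr.arpa"] = False


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def reverse_name(ip):
    """PTR owner name for an address, e.g. 10.0.27.40 -> 40.27.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def closest_zone(name, zones=ZONES):
    """Return the configured zone whose labels are the longest suffix of name, or None.

    This is the rule an authoritative server applies: among all zones it
    serves, the one sharing the most labels at the tail of the name owns it.
    """
    want = labels(name)
    best = None
    for zone in zones:
        zl = labels(zone)
        if len(zl) <= len(want) and want[-len(zl):] == zl:
            if best is None or len(zl) > len(labels(best)):
                best = zone
    return best


def update_outcome(ip, zones=ZONES):
    """Predict how a dynamic PTR update for ip is routed and answered.

    Returns (zone, status): "NOTAUTH" when no configured zone encloses the
    name (the situation in #2), "REFUSED" when the enclosing zone has no
    update-policy (the situation in #8), and "allowed" when the policy admits
    a correctly TSIG-signed update.
    """
    zone = closest_zone(reverse_name(ip), zones)
    if zone is None:
        return None, "NOTAUTH"
    return zone, ("allowed" if zones[zone] else "REFUSED")


if __name__ == "__main__":
    # 10.0.27.40 sits in 10.0.27.32/27, yet its PTR name 40.27.0.10.in-addr.arpa
    # is not under 32.0.27.10.in-addr.arpa: a /27 is not an octet boundary, so
    # the RFC1918 stub 10.in-addr.arpa is the closest enclosing zone.
    for ip in ("10.0.27.40", "192.168.100.5", "8.8.8.8"):
        print(ip, reverse_name(ip), update_outcome(ip))

    # Hypothetical fix: serve the /24 reverse zone with an update-policy so the
    # same name lands in a zone that accepts the proxy's signed update.
    fixed = dict(ZONES, **{"27.0.10.in-addr.arpa": True})
    print("10.0.27.40 with 27.0.10.in-addr.arpa added:",
          update_outcome("10.0.27.40", fixed))
```

Run stand-alone it prints the routing for each constructed address. The point worth taking from it: a zone named "32.0.27.10.in-addr.arpa" never encloses any PTR name, because the owner name for 10.0.27.40 is 40.27.0.10.in-addr.arpa; the most specific zone containing that name in the posted config is the empty RFC1918 stub, which is exactly the REFUSED answer with ZONE 10.IN-ADDR.ARPA seen in the proxy log. Serving 27.0.10.in-addr.arpa (or delegating the /27 from it per RFC 2317) with an update-policy is what lets the update land.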