Support #8603 (closed)
Unable to provision new host due to DNS error
Description
I have a fresh 1.7.0 install of foreman. When I go to add a new host I get this error:
Create Reverse DNS record for newhost.example.com task failed with the following error: ERF12-2357 [ProxyAPI::ProxyException]: Unable to set DNS entry ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman.example.com:8443/dns
I can provide any log files as needed, I just don't know what to look for.
Updated by Dominic Cleal over 9 years ago
- Tracker changed from Bug to Support
- Status changed from New to Feedback
Look in /var/log/foreman-proxy/proxy.log for further details. It would also be useful to see your BIND configuration, assuming you're using that.
Updated by Brian Lee over 9 years ago
Here is the error for the proxy.log:
E, [2014-12-08T07:51:40.220703 #17275] ERROR -- : Update errors: Answer: ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 32393 ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;10.in-addr.arpa. IN SOA ;; TSIG PSEUDOSECTION: rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1418046700 300 16 7YTn6AECH9t9XQPVZjws+A== 32393 NOERROR 0
I am using BIND; it's a CentOS 6.6 system. What config files do you want to see from it?
Updated by Dominic Cleal over 9 years ago
Probably the named.conf, and zones.conf if you use that. What I'm looking for is the definition of the 10.in-addr.arpa zone, as that's what it's trying to update when doing reverse DNS.
Updated by Brian Lee over 9 years ago
named.conf:
// named.conf
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    include "/etc/named/options.conf";
};
include "/etc/named.rfc1912.zones";
// Public view read by Server Admin
include "/etc/zones.conf";
zones.conf:
zone "100.168.192.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.100.168.192.in-addr.arpa";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
zone "quicksand.bitc.morphotrust.com" {
    type master;
    file "/var/named/dynamic/db.example.com";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
Updated by Dominic Cleal over 9 years ago
Okay, so your DNS server is only configured for the reverse 192.168.100.0/24 zone, but Foreman is trying to manage entries in a 10/8 subnet. You'll need to add the zone to BIND to manage it, or remove the DNS Proxy from the 10/8 Subnet in Foreman's UI to disable reverse DNS management.
Updated by Brian Lee over 9 years ago
Yep that was the problem. I changed the arpa file to match my network and that fixed it.
The follow up question is, why did that get set? I used foreman to install bind and dhcp, but it did not set it correctly. Did I miss something during the install?
Updated by Dominic Cleal over 9 years ago
- Status changed from Feedback to Resolved
Yeah, sounds like you needed to add --foreman-proxy-dns-reverse=10.in-addr.arpa to your foreman-installer command. It defaults to 192.168.100.0/24 I think if you pass --foreman-proxy-dns=true to set up BIND.
There are quite a few parameters, so you might have to review them carefully when installing.
Glad you got it sorted!
Updated by Peter Agnew over 8 years ago
I have a very similar problem on a vanilla install of Foreman 1.9.2.
I do NOT want Foreman to manage the 10.in-addr.arpa and I don't understand why it is trying to do this.
/etc/bind/named.conf:
// named.conf
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    include "/etc/bind/named.conf.options";
};
include "/etc/bind/zones.rfc1918";
// Public view read by Server Admin
include "/etc/bind/zones.conf";
/etc/bind/zones.conf
zone "32.0.27.10.in-addr.arpa" {
    type master;
    file "/var/cache/bind/zones/db.32.0.27.10.in-addr.arpa";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
zone "eng.fireeye.com" {
    type master;
    file "/var/cache/bind/zones/db.eng.fireeye.com";
    update-policy {
        grant rndc-key zonesub ANY;
    };
};
foreman-proxy (debug mode) log:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 40911 ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;10.IN-ADDR.ARPA. IN SOA ;; TSIG PSEUDOSECTION: rndc-key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1447190033 300 16 VQ8uzl/brDL0iLFjUdthWA== 40911 NOERROR 0
Why, Foreman proxy, are you attempting to put an entry into that zone? Please don't. Please help.
Updated by Peter Agnew over 8 years ago
Dominic Cleal wrote:
Okay, so your DNS server is only configured for the reverse 192.168.100.0/24 zone, but Foreman is trying to manage entries in a 10/8 subnet. You'll need to add the zone to BIND to manage it, or remove the DNS Proxy from the 10/8 Subnet in Foreman's UI to disable reverse DNS management.
How does one remove the DNS Proxy from the 10/8 Subnet in Foreman's UI?
Updated by Dominic Cleal over 8 years ago
Peter Agnew wrote:
How does one remove the DNS Proxy from the 10/8 Subnet in Foreman's UI?
Go to Infrastructure > Subnets, click your subnet and under the Proxies tab, deselect the DNS proxy.
Updated by Peter Agnew over 8 years ago
I see your point: you can tell Foreman to completely disable the DNS proxy. In this case I want to have the proxy, but put reverse lookups in the 10.0.27.32/27 zone.
What I think I have figured out is that the DNS configuration (either Foreman's or default bind9) defines a standard set of RFC 1918 zones in the file /etc/bind/zones.rfc1918:
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
You can see this file included at the bottom of named.conf. This file does the job of defining the standard local subnet zones in a default way to avoid unnecessary trips to outside DNS servers when you are attempting to get to a box on your local subnet. Well, my stupid network (10.0.27.32/27) totally fits in the standard RFC 1918 zone "10.in-addr.arpa" (10.x.x.x network). So how does bind9 decide what zone I am attempting to define my reverse lookup in when I have both of these zones defined?