Re: [Freeipa-devel] IPA server resolv.conf

Mon, 17 Sep 2012 02:21:27 -0700 

On 09/17/2012 09:15 AM, Martin Kosek wrote:

On 09/17/2012 09:06 AM, Petr Spacek wrote:

Discussion about patch "Set master_kdc and dns_lookup_kdc to true)" reminds one
related problem:

Our server installer puts line "nameserver 127.0.0.1" to /etc/resolv.conf, but
this file should contain all (or three nearest) DNS servers in IPA domain.

As a result, IPA server will work even after local named crash (which is not so
rare as I want :-().

New ticket:
https://fedorahosted.org/freeipa/ticket/3085

Martin, what do you think?

How we can update resolv.conf to reflect replica addition/deletion?

Should it be done manually? E.g. ipa-replica-install script can print "don't
forget to add this server to /etc/resolv.conf on other servers"?

Petr^2 Spacek



It would not be difficult to pull a list of IPA masters with DNS support during
ipa-{server,replica}-install and write more IPs to the resolv.conf. But I think
there may be an issue when somebody willingly stop a remote replica or
uninstall it. He would also need to remove it's IP from all resolv.confs in all
replicas...

Btw. why would IPA server fail when a local named crashes? A record in
/etc/hosts we always add should still enable local IPA services to work or do I
miss something?


Well... try it :-D "service named stop"
I didn't examine details of this problem, but my guess is Kerberos and reverse DNS lookups. Also, you need to resolve neighbouring replica IP and so on.
Name servers listed in resolv.conf are tried in order, so 127.0.0.1 should be on first place. 

man resolv.conf:
nameserver Name server IP address
... Up to MAXNS (currently 3, see <resolv.h>) name servers may be listed, one per keyword. If there are multiple servers, the resolver library queries them in the order listed. 
...
(The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)
Also, some update mechanism for resolv.conf would be nice. We should provide "gen-recolv-conf.py script" at least, so admin can call it from cron or someting like that. 

Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to