At random intervals the A record for one of the two IPA servers gets deleted.
Using integrated BIND.
The named log looks like the following. Strange that it fails a sanity check but then goes ahead and does it anyway.
"client 10.30.10.27" is the FreeIPA server itself.
13-Dec-2018 00:31:34.389 client 10.30.10.27#53265/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' A
13-Dec-2018 00:31:34.398 client 10.30.10.27#53265/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': update rejected: post update name server sanity check failed
13-Dec-2018 00:31:34.449 client 10.30.10.27#45570/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' AAAA
13-Dec-2018 00:31:34.449 zone 10.30.10.in-addr.arpa/IN: sending notifies (serial 1544679094)
13-Dec-2018 00:31:34.456 zone idm.planetrisk.com/IN: sending notifies (serial 1544679094)
13-Dec-2018 00:31:34.511 client 10.30.10.27#40273/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' A
13-Dec-2018 00:31:34.519 client 10.30.10.27#54534/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' AAAA
13-Dec-2018 00:32:00.754 client 10.60.2.120#40990 (112.2.60.10.in-addr.arpa): RFC 1918 response from Internet for 112.2.60.10.in-addr.arpa
13-Dec-2018 00:40:13.066 zone idm.planetrisk.com/IN: sending notifies (serial 1544679613)
This is a two node cluster. At one time in the past before I took it over there was a failed attempt to integrate with Active Directory. I'm pretty sure I have removed all of the Active Directory integration components.
I do want to retain the ability to have client enrollment trigger a DNS update.
My guess is it's related to sssd: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
dyndns_update was enabled in the sssd config on the FreeIPA server. I simply removed the relevant lines in sssd.conf and restarted sssd, but the problem keeps happening.
Any ideas on where I should look to prevent this from continuing to happen?
CentOS Linux release 7.6.1810 (Core)

ipa-client.x86_64              4.6.4-10.el7.centos  @base
ipa-client-common.noarch       4.6.4-10.el7.centos  @base
ipa-common.noarch              4.6.4-10.el7.centos  @base
ipa-python-compat.noarch       4.6.4-10.el7.centos  @base
ipa-server.x86_64              4.6.4-10.el7.centos  @base
ipa-server-common.noarch       4.6.4-10.el7.centos  @base
ipa-server-dns.noarch          4.6.4-10.el7.centos  @base
ipa-server-trust-ad.x86_64     4.6.4-10.el7.centos  @base
libipa_hbac.x86_64             1.16.2-13.el7        @base
python-iniparse.noarch         0.4-9.el7            @anaconda
python-ipaddress.noarch        1.0.16-2.el7         @base
python-libipa_hbac.x86_64      1.16.2-13.el7        @base
python2-ipaclient.noarch       4.6.4-10.el7.centos  @base
python2-ipalib.noarch          4.6.4-10.el7.centos  @base
python2-ipaserver.noarch       4.6.4-10.el7.centos  @base
sssd-ipa.x86_64                1.16.2-13.el7        @base
How about if I change the question to:
Why does a "sanity check" seem to happen before an A record delete is processed? The sanity check seems to fail, BUT the system goes right ahead and deletes the record anyway???
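As an added example (not part of the thread), the following script parses named dynamic-update log lines in the format shown above and flags deletions aimed at the IPA servers' own names, reporting whether the same request was rejected by the sanity check or went through. Host names, realm and addresses are placeholders; correlating a deletion with its rejection by client ip#port is an assumption based on the matching port in the log above.

```python
import re

# Constructed sample lines in the format shown in the thread; host names, realm
# and addresses are placeholders, not the thread's real values.
SAMPLE_LOG = """\
13-Dec-2018 00:31:34.389 client 192.0.2.10#53265/key host/ipa-01.example.test@EXAMPLE.TEST: updating zone 'example.test/IN': deleting rrset at 'ipa-01.example.test' A
13-Dec-2018 00:31:34.398 client 192.0.2.10#53265/key host/ipa-01.example.test@EXAMPLE.TEST: updating zone 'example.test/IN': update rejected: post update name server sanity check failed
13-Dec-2018 00:31:34.449 client 192.0.2.10#45570/key host/ipa-01.example.test@EXAMPLE.TEST: updating zone 'example.test/IN': deleting rrset at 'ipa-01.example.test' AAAA
13-Dec-2018 00:31:34.456 zone example.test/IN: sending notifies (serial 1544679094)
13-Dec-2018 00:31:34.511 client 192.0.2.10#40273/key host/ipa-01.example.test@EXAMPLE.TEST: updating zone 'example.test/IN': deleting rrset at 'ipa-01.example.test' A
13-Dec-2018 00:31:40.100 client 192.0.2.55#40000/key host/laptop.example.test@EXAMPLE.TEST: updating zone 'example.test/IN': deleting rrset at 'laptop.example.test' A
"""

# One dynamic-update log line: timestamp, client ip#port, optional key, zone, action.
UPDATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[^#]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))?: updating zone '(?P<zone>[^']+)': (?P<action>.*)$"
)
DELETE_RE = re.compile(r"^deleting rrset at '(?P<name>[^']+)' (?P<rtype>\S+)$")
REJECT_MSG = "update rejected: post update name server sanity check failed"

def parse_updates(text):
    """Turn dynamic-update log lines into dicts; lines that are not updates are skipped."""
    events = []
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        d = DELETE_RE.match(ev["action"])
        ev["name"], ev["rtype"] = (d["name"].lower(), d["rtype"]) if d else (None, None)
        ev["rejected"] = ev["action"] == REJECT_MSG
        events.append(ev)
    return events

def flag_server_record_deletions(events, server_names):
    """Return (ts, key, name, rtype, outcome) for each deletion aimed at a protected name.
    Assumption: a request and its rejection share the client ip#port, hence the correlation."""
    protected = {n.rstrip(".").lower() for n in server_names}
    rejected = {(e["ip"], e["port"]) for e in events if e["rejected"]}
    findings = []
    for e in events:
        if e["name"] in protected:
            outcome = "rejected" if (e["ip"], e["port"]) in rejected else "applied"
            findings.append((e["ts"], e["key"], e["name"], e["rtype"], outcome))
    return findings

if __name__ == "__main__":
    for ts, key, name, rtype, outcome in flag_server_record_deletions(
            parse_updates(SAMPLE_LOG), ["ipa-01.example.test."]):
        print(f"{ts} {outcome:8} delete {name} {rtype} by {key}")
```

Run against the real named log with the two IPA server names as the protected set to see which principal issues the deletions and which of them the sanity check actually stopped.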
James Richard via FreeIPA-users wrote:
> How about if I change the question to:
> Why does a "sanity check" seem to happen before an A record delete is processed? The sanity check seems to fail, BUT the system goes right ahead and deletes the record anyway???
What do you mean by sanity check?
rob
freeipa-users@lists.fedorahosted.org