Bug #2668

Foreman appears to be incorrectly checking the local resolvers rather than SOA

Added by Jon Fautley almost 5 years ago. Updated 9 months ago.

Status:New
Priority:Normal
Assigned To:-
Category:DNS
Target version:-
Difficulty:trivial Bugzilla link:
Found in release:1.14.3 Pull request:
Story points-
Velocity based estimate-

Description

It would appear that Foreman is checking the existence of DNS records (A/PTR, for provisioning) by querying the resolvers configured on the local system, rather than those configured in the managed zone's SOA.

This is irrespective of the setting of query_local_nameservers.


Related issues

Related to Foreman - Bug #13696: Rebuild Config deletes PTR records but does not add them New 02/13/2016
Duplicated by Foreman - Bug #3526: reverse_dns_record_attrs definition is missing the :resol... Duplicate 10/26/2013

History

#1 Updated by Dominic Cleal almost 5 years ago

  • Assigned To deleted (Dominic Cleal)

It looks like this is specifically on PTR records, the original error was: "Failed to save: Conflict DNS PTR Records 123.12.123.1/<old.hostname> already exists"

I see app/models/orchestration/dns.rb queries the domain model for its SOA nameservers and gets a new DNS resolver with these configured, but doesn't do the equivalent for the subnet and reverse DNS zone.

#2 Updated by Dominic Cleal over 4 years ago

  • Duplicated by Bug #3526: reverse_dns_record_attrs definition is missing the :resolver attribute added

#3 Updated by Dominic Cleal over 2 years ago

  • Related to Bug #13696: Rebuild Config deletes PTR records but does not add them added

#4 Updated by Simon Wydooghe about 2 years ago

I can confirm this issue. I've got a dnsmasq server as my 'main' DNS, which Foreman uses. The Foreman host has a BIND server which only serves the domains managed by Foreman. The dnsmasq server forwards any requests to these domains to the BIND server. Caching on the dnsmasq server caused Foreman to believe there were conflicting PTR records. Turning off the caching on the dnsmasq server resolved the issue.

#5 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Description updated (diff)

I wonder why the Foreman is doing a DNS request at all. I thought the Proxy did this so it shouldn't be needed. This also requires that the foreman has an entire view of the system and while that's generally what you want with DNS, there are situations where firewalls can be in the way.

#6 Updated by Zdenek Janda 9 months ago

  • Priority changed from Normal to Urgent
  • Difficulty set to trivial
  • Found in release set to 1.14.3

I did hit into this now as well, this feature should be turned off entirely, or atleast add configuration possiblity to turn this off. Imagine this situation, you have in DNS *.example.com, which is CNAME to host1.example.com A 191.168.0.1. Now you want to create host2.example.com with 191.168.0.2, but bum, Conflict IPv4 DNS record because it did resolve host1.example.com A 191.168.0.1. And this is happening even when foreman has DNS proxy set for this subnet - instead doing it via proxy (which would work), it uses local resolver and everything is broken. I even added codewrap around that creates correct A record before foreman host is created, but this fails too, as it takes some time to DNS refresh so foreman can resolve it good, which again was workarounded by some sleep() but this all is just not right.

#7 Updated by Marek Hulán 9 months ago

  • Priority changed from Urgent to Normal

Thanks for your comment, I'm afraid this does not qualify to Urgent Priority, so resetting it back.

Also available in: Atom PDF