nsupdate improvements

QA Handover session

Dynamic DNS

• DDNS is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames, addresses or other information
• nsupdate is a computer network maintenance utility used by network administrators to request the name server of a DNS zone to update its database.

Dynamic DNS

• DDNS support in SSSD:

  • dyndns_enabled
    • This option tells SSSD to automatically update the DNS server with the IP address(es) of this client

    • Previously

      (single) IP address of LDAP connection was used for the updates

    • Currently

      All IPv4 and IPv6 addresses of the interface that is used for LDAP connection are used for the updates
    • Default: false
    • Realmd sets dyndns_enabled=True by default

Dynamic DNS: Example

• Network interfaces on IPA client:

  1. ens9

     inet 192.168.122.133/24 scope global
     inet6 2001:cdba::111/96 scope global
     inet6 fe80::5054:ff:fe8a:4999/64 scope link
     

  2. eth1:

     inet 1.2.3.4/24 scope global
     inet 1.2.3.5/24 scope global secondary eth1
     inet6 2001:cdba::333/96 scope global
     inet6 2001:cdba::222/96 scope global
     inet6 fe80::5054:ff:fe2d:90b/64 scope link
     

• DDNS is disabled on IPA client

  husker # grep dyndns_update /etc/sssd/sssd.conf
  dyndns_update = False
  

• Query address of IPA client:

  ipa-server $ dig A husker.example.test +short
  ipa-server $ dig AAAA husker.example.test +short
  

Dynamic DNS: Example

• Enable DDNS update on IPA client

  husker # grep dyndns_update /etc/sssd/sssd.conf
  dyndns_update = True
  husker # sudo systemctl restart sssd
  

• Query address of IPA client:

  ipa-server $ dig A  husker.example.test +short
  192.168.122.133
  ipa-server $ dig AAAA  husker.example.test +short
  2001:cdba::111
  

Dynamic DNS: DNS usable IPs

• ipa-server $ dig A  husker.example.test +short
  192.168.122.133
  ipa-server $ dig AAAA  husker.example.test +short
  2001:cdba::111
  
  ens9
  inet 192.168.122.133/24 scope global
  inet6 2001:cdba::111/96 scope global
  inet6 fe80::5054:ff:fe8a:4999/64 scope link
  

• husker $ grep 'check_ipv[46]_addr' sssd_ipa.work.log
  [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
  [check_ipv6_addr] (0x0200): Loopback IPv6 address ::1
  [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::5054:ff:fe2d:90b
  

  debug_level >= SSSDBG_TRACE_LIBS (7)

• Multicast, loopback, link-local and broadcast addresses are not usable for DNS.

Dynamic DNS

• DDNS support in SSSD:

  • dyndns_iface

    • Previously:

      Choose the single interface whose IP addresses should be used for dynamic DNS updates

    • Currently:

      Choose the interface or a list of interfaces whose IP addresses should be used for dynamic DNS updates
      
    • New special value * that implies that IPs from all interfaces should be used

Dynamic DNS: Example

• dyndns_iface=* on IPA client

  husker # grep dyndns_iface /etc/sssd/sssd.conf
  dyndns_iface = *
  husker # sudo systemctl restart sssd
  

• Query address of IPA client:

  ipa-server $ dig A  husker.example.test +short
  1.2.3.4
  192.168.122.133
  1.2.3.5
  ipa-server $ dig AAAA  husker.example.test +short
  2001:cdba::222
  2001:cdba::111
  2001:cdba::333
            

Hints for testing

• Message for nsupdate

  if debug_level is >= SSSDBG_TRACE_FUNC (6) then sssd_dimain.log contains

  -- Begin nsupdate message --
  realm IPA.WORK
  update delete husker.example.test. in A
  send
  update delete husker.example.test. in AAAA
  send
  update add husker.example.test. 1200 in AAAA 2001:cdba::222
  update add husker.example.test. 1200 in AAAA 2001:cdba::333
  update add husker.example.test. 1200 in AAAA 2001:cdba::111
  update add husker.example.test. 1200 in AAAA 2001:cdba::112
  update add husker.example.test. 1200 in A 1.2.3.5
  update add husker.example.test. 1200 in A 1.2.3.4
  update add husker.example.test. 1200 in A 192.168.122.133
  send
  -- End nsupdate message --
  

  nsupdate -o msg
  

• Check that appropriate domain zone is created on server

  ipa-server $ ipa dnszone-show example.test.
  Zone name: example.test.
  ... 

• Dynamic update is enabled on server
• Check bind update policy on ipa server.
  For debugging purposes only you might add rule "grant * wildcard *;"
• How to add more IPs to existing interfaces:

  ip address add 1.2.3.4/24 dev eth0
  ip address add  2001:cdba::3257/96 dev eth0
  

Thanks

Questions?