
Re: DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)

On Sun, Jan 09, 2011 at 09:54:30PM +0100, Andreas B. Mundt wrote:
> Concerning the strange results which I attributed to multiple A-records,
> I found something new. I started to doubt our powerdns setup, and
> modifying it in ldap got annoying, so I switched over to bind instead[1].
>  
> After that, asking for DNS lookups changed. PowerDNS:
> 
> root@tjener:~# host 10.0.2.2
> 2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
> 2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
> 2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
> 2.2.0.10.in-addr.arpa domain name pointer domain.intern.
> 2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
> 2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
> 
> With bind:
> 
> root@workstation01:~# host 10.0.2.2
> 2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
> root@workstation01:~# host ldap
> ldap.intern has address 10.0.2.2
> root@workstation01:~# host www
> www.intern is an alias for tjener.intern.
> tjener.intern has address 10.0.2.2
> 
> As you see, ldap is an A-record as before (I double checked in
> /etc/bind/db.intern); however, host 10.0.2.2 is resolved to only
> tjener. So I conclude that the current DNS setup, as a mixture of ldap
> objects prepared for bind with extra attributes to make powerDNS (sort
> of) work, is broken. In addition, there is absolutely no use of GOsa
> with regard to DNS, as modifications are not accepted by GOsa with the
> added powerDNS attributes.
> 
> With such a system, it's extremely hard to stay motivated, because you
> waste your time fixing things that are "known not to work properly"
> instead of really being able to test new things.
> 
> I propose three choices: 
> 
> 1) We move powerDNS to its own tree (as before) and switch off the
> "systems"-stuff in GOsa. This means we don't have a GUI to make
> changes, but hopefully a working DNS again that doesn't block all
> other activities.
> 
> 2) We drop powerDNS and give bind a try. This means merely installing
> bind instead of powerDNS, appending a line to a configuration file and
> touching another one [1]. Regarding the simplicity, it could also be
> considered as an intermediate solution until we have something else. 

I strongly support this option. IMHO, DNS data just does not belong in
LDAP. Bind is optimized to distribute DNS data with the most efficiency
and reliability, and "PowerDNS" may just add an additional layer of
abstraction that can introduce unwanted side effects like the one you
observed.

Btw, what was the reason to choose PowerDNS in Skolelinux as default,
anyway? Just to "have everything in LDAP"? There was surely a
discussion about this that I have missed.

> 3) Someone has time and volunteers to cooperate with Alejandro
> (<URL:http://lists.debian.org/debian-edu/2010/12/msg00117.html>) to
> implement powerDNS in GOsa properly. This should happen soon, because
> the current broken system only leads to frustration.
> 
> So please comment on the issue. I think we should have other problems
> than wasting time getting adventurous powerDNS/bind combinations
> running, and the current situation is not acceptable.

/me agrees

Regards
-Klaus
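The subject line of this thread is the security-relevant point behind the two `host` outputs quoted above: a Kerberos client canonicalizes the hostname it was given before requesting a service ticket, and when the reverse zone answers with several PTR records for one address, the canonical name (and therefore the service principal the client asks for) depends on which PTR the client happens to use. The following script is an added example, not code from this thread or from Debian Edu; it models that canonicalization (forward lookup following CNAMEs, then a reverse lookup when reverse-DNS canonicalization is enabled, which is MIT krb5's `rdns = true` default) against two record sets constructed from the PowerDNS and bind answers quoted in the mail. The realm name INTERN is an assumption; the mail does not state it.

```python
"""Added example (not code from the debian-edu thread): why several PTR
records for one address inflate the set of Kerberos service principals.

It models the host canonicalization a Kerberos client does before asking
for a service ticket: forward lookup (following CNAMEs), then, when reverse
DNS canonicalization is enabled (MIT krb5's `rdns = true` default), a reverse
lookup of the resulting address. The two record sets are constructed from
the `host` output quoted in the mail. The realm name INTERN is an assumption;
the mail does not state it.
"""

REALM = "INTERN"  # assumed; not given in the mail

# Constructed from the PowerDNS answers quoted above: six names, all A records
# for 10.0.2.2, and six PTR records for that address.
_PDNS_NAMES = ("tjener.intern", "kerberos.intern", "ldap.intern",
               "domain.intern", "postoffice.intern", "syslog.intern")
POWERDNS = {
    "A": {name: "10.0.2.2" for name in _PDNS_NAMES},
    "CNAME": {},
    "PTR": {"10.0.2.2": list(_PDNS_NAMES)},
}

# Constructed from the bind answers quoted above: ldap is still an A record,
# www is a CNAME to tjener, and the reverse zone has a single PTR.
BIND = {
    "A": {"tjener.intern": "10.0.2.2", "ldap.intern": "10.0.2.2"},
    "CNAME": {"www.intern": "tjener.intern"},
    "PTR": {"10.0.2.2": ["tjener.intern"]},
}


def canonical_names(zone, host, rdns=True):
    """All hostnames a client could canonicalize `host` to under `zone`.

    Forward step: follow CNAMEs until an A record owner is reached.
    Reverse step: with rdns on, the name is replaced by the PTR answer for
    the address. A server may return several PTRs in any order, so every
    one of them is a possible outcome; the caller gets the full set.
    """
    name = host
    seen = set()
    while name in zone["CNAME"]:
        if name in seen:
            raise LookupError(f"{host}: CNAME loop")
        seen.add(name)
        name = zone["CNAME"][name]
    if name not in zone["A"]:
        raise LookupError(f"{host}: no A record")
    if not rdns:
        return {name}
    ptrs = zone["PTR"].get(zone["A"][name])
    # No PTR at all: the client keeps the forward name.
    return set(ptrs) if ptrs else {name}


def principals_needed(zone, service, hosts, rdns=True):
    """Principals the server's keytab must hold so that every client that
    contacts `service` via any name in `hosts` gets a usable ticket."""
    names = set()
    for host in hosts:
        names |= canonical_names(zone, host, rdns)
    return sorted(f"{service}/{name}@{REALM}" for name in names)


if __name__ == "__main__":
    clients_use = ["tjener.intern", "ldap.intern"]
    for label, zone in (("PowerDNS", POWERDNS), ("bind", BIND)):
        print(f"{label}, rdns on:  {principals_needed(zone, 'nfs', clients_use)}")
        print(f"{label}, rdns off: {principals_needed(zone, 'nfs', clients_use, rdns=False)}")
```

With the PowerDNS record set, a client mounting `tjener:/...` over NFSv4 may end up requesting any of six `nfs/<name>@INTERN` principals, so the server keytab has to carry all six or some clients fail at random. With the bind record set (one PTR, `www` as a CNAME) every name collapses to `nfs/tjener.intern@INTERN`. Disabling reverse canonicalization on the clients (`rdns = false` in krb5.conf's `[libdefaults]`) gives the same collapse independent of the reverse zone, at the cost of needing one principal per forward name that clients actually use.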