
DNS broken (was: NFS4 and Kerberos: A-records for same IP inflate the need for service principals)



Hi again,

concerning the strange results which I blamed on multiple A-records,
I found something new. I started to doubt our powerdns setup and
modifying it in ldap got annoying, so I switched over to bind instead [1].

After that, asking for DNS lookups changed. PowerDNS:

root@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

With bind:

root@workstation01:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
root@workstation01:~# host ldap
ldap.intern has address 10.0.2.2
root@workstation01:~# host www
www.intern is an alias for tjener.intern.
tjener.intern has address 10.0.2.2

As you see, ldap is an A-record as before (I double-checked in
/etc/bind/db.intern); however, host 10.0.2.2 is resolved only to
tjener. So I conclude that the current DNS setup, as a mixture of ldap
objects prepared for bind with extra attributes to make powerDNS (sort
of) work, is broken. In addition, there is absolutely no use of GOsa
with regard to DNS, as modifications are not accepted by GOsa with the
added powerDNS attributes.

With such a system, it's extremely hard to stay motivated, because you
waste your time fixing things that are "known not to work properly"
instead of really being able to test new things.

I propose three choices: 

1) We move powerDNS to its own tree (as before) and switch off the
"systems"-stuff in GOsa. This means we don't have a GUI to make
changes, but hopefully a working DNS again that doesn't block all
other activities.

2) We drop powerDNS and give bind a try. This means merely installing
bind instead of powerDNS, appending a line to a configuration file and
touching another one [1]. Regarding the simplicity, it could also be
considered as an intermediate solution until we have something else. 

3) Someone has time and volunteers to cooperate with Alejandro
(<URL:http://lists.debian.org/debian-edu/2010/12/msg00117.html>) to
implement powerDNS in GOsa properly. This should happen soon, because
the current broken system only leads to frustration.

So please comment on the issue. I think we should have other problems
than wasting time getting adventurous powerDNS/bind combinations
running, and the current situation is not acceptable.  

Best regards,

     Andi



[1] There is almost nothing that has to be done to use bind with the
current setup:

aptitude install bind9
aptitude install ldap2zone

# bind configuration:
echo 'include "/etc/bind/named.conf.ldap2zone";' >> /etc/bind/named.conf.local
touch /etc/bind/named.conf.ldap2zone
ldap2bind

# check if anything makes sense:
less /etc/bind/db.intern
less /etc/bind/db.2.0.10.in-addr.arpa.



If anything is fine, switch off pdns (in /etc/default):

--- a/default/pdns-recursor
+++ b/default/pdns-recursor
@@ -1,5 +1,5 @@
 # Variables for PowerDNS recursor
 #
 # Set START to yes to start the pdns-recursor
-START=yes
+START=no

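Review bot: START=no in /etc/default/pdns-recursor only stops the init script from launching the recursor at the next boot; the instance that is already running keeps listening on port 53 until it is stopped explicitly, and the step list above never stops it or starts bind9. Add an explicit stop of pdns-recursor (and of pdns, below) before starting bind9, otherwise named cannot take over port 53 on the live system.
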
--- a/default/pdns
+++ b/default/pdns
@@ -1,5 +1,5 @@
# Variables for PowerDNS
#
# Whether you want to start PowerDNS automatically.
-START=yes
+START=no

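Review bot: the three context lines of this hunk ("# Variables for PowerDNS", "#", "# Whether you want to start PowerDNS automatically.") have lost the leading space that unified diff requires for unchanged lines, unlike the pdns-recursor hunk above, so patch would reject this hunk if someone applied it mechanically; either re-paste it with the spaces intact or describe both files as a plain "set START=no" edit. The same caveat as for the recursor applies: the running pdns must still be stopped by hand.
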
http://lists.debian.org/debian-edu/2010/10/msg00209.html 
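
Added example (not from Andi's mail, the Debian Edu scripts or ldap2zone): a small Python check over the two zone files bind ends up with, db.intern and the reverse zone, reporting what makes reverse lookups ambiguous for Kerberos, i.e. several A records on one address, several PTRs for one address, PTRs that no A record confirms, and addresses without any PTR. The zone snippets, the names tjener/ldap/kerberos/www/printer and the addresses are constructed sample data; on a real server the contents of /etc/bind/db.intern and the reverse zone file would be passed in place of the inline strings.

```python
from collections import defaultdict
ORIGIN = "intern."  # zone origin, as in db.intern
# Constructed forward zone (not the real db.intern): service names are plain
# A records on tjener's IP and only www is a CNAME, as in the mail above.
FORWARD_ZONE = """\
tjener    IN A      10.0.2.2
ldap      IN A      10.0.2.2
kerberos  IN A      10.0.2.2
www       IN CNAME  tjener
printer   IN A      10.0.2.4
"""
# Constructed reverse zone: two PTRs for .2 (the PowerDNS-style answer) and a
# PTR for .3 whose forward record (printer) points at a different address.
REVERSE_ZONE = """\
2.2.0.10.in-addr.arpa.  IN PTR tjener.intern.
2.2.0.10.in-addr.arpa.  IN PTR ldap.intern.
3.2.0.10.in-addr.arpa.  IN PTR printer.intern.
"""
def fqdn(name):
    # qualify a zone-relative name with the origin
    return name if name.endswith(".") else f"{name}.{ORIGIN}"
def parse_zone(text):
    # minimal 'owner IN TYPE rdata' parser; other line shapes are skipped
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN":
            owner, _, rtype, rdata = parts
            rdata = fqdn(rdata) if rtype in ("CNAME", "PTR") else rdata
            records.append((fqdn(owner), rtype, rdata))
    return records
def ip_of_reverse(name):
    # IPv4 only: '2.2.0.10.in-addr.arpa.' -> '10.0.2.2'
    return ".".join(reversed(name[:-len(".in-addr.arpa.")].split(".")))
def check_consistency(forward_text, reverse_text):
    # Report what upsets reverse canonicalisation: IPs shared by several A
    # records, IPs with several PTRs, PTRs with no matching A, A with no PTR.
    a_names, ptrs = defaultdict(set), defaultdict(set)
    for owner, rtype, rdata in parse_zone(forward_text) + parse_zone(reverse_text):
        if rtype == "A":
            a_names[rdata].add(owner)
        elif rtype == "PTR":
            ptrs[ip_of_reverse(owner)].add(rdata)
    return {
        "multi_a": {ip: sorted(n) for ip, n in a_names.items() if len(n) > 1},
        "multi_ptr": {ip: sorted(p) for ip, p in ptrs.items() if len(p) > 1},
        "unconfirmed_ptr": {ip: sorted(p - a_names.get(ip, set()))
                            for ip, p in ptrs.items() if p - a_names.get(ip, set())},
        "missing_ptr": sorted(ip for ip in a_names if ip not in ptrs),
    }
```

An empty report is what one wants before creating host principals: every address then has exactly one PTR, and that PTR maps back to an A record on the same address.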
