Re: ldap2zone: will some time generate invalid DNS host name entries



[Giorgio Pioda]
> In my crash I got an A statement with empty hostname, but actually the
> hostname was a normal lowercase (for instance the string "piattaforma").
> The only possible wrong char could be an invisible white space.
> 
> I'm trying to understand what happened, but it is not easy, since this
> A statement was added a week before the crash, so ldap2zone had already
> run with this setup without errors (IIRC ldap2zone runs every hour).
> 
> Just before the crash I dist-upgraded the server because of the bash
> vulnerability claim. In this upgrade I got also kerberos, ldap
> and possibly other server patches. I should browse the etckeeper git repo
> to see exact file modifications and their timing (is there a short howto, since I'm pretty
> newbie on git?).
> 
> I'm beginning to think that it has been a kind
> of "race condition" between the ldap2zone script and the dist-upgrade
> of the slapd/ldap. It is only a suspicion, still with no evidence.

I believe ldap2zone created a broken zone file and tried to reload
bind, which rejected the zone file and kept using the old zone it had
in memory.  There should be syslog messages about this.

Then you upgraded the server and restarted bind, which no longer had
the option of keeping the old data (restart forces reload, reload only
suggests it) and had no other option than to refuse to start.  Without
a running bind, DNS lookups failed all over the place and nothing
worked.

Running 'cd /etc/bind; git log -p' as root you should be able to see
what the zone file looked like when it was broken, and how it was
before it was broken.

The ldap2zone version I uploaded yesterday will check if bind liked
the new zone file, revert to the old one if bind did not, and
syslog an error when this happens.  It should ensure bind never ends up
with a broken file after restart.

-- 
Happy hacking
Petter Reinholdtsen
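An added example of the check-before-install step described in the reply above; this is not ldap2zone's own code. The wrapper hands a freshly generated zone file to named-checkzone and only replaces the live file when the checker accepts it, otherwise keeping the old file and logging the rejection to syslog. The zone name, file paths and the CHECKZONE override variable are assumptions.

```shell
# Added example (not ldap2zone's own code): install a generated zone file
# only after BIND's own checker accepts it; otherwise keep the old file and
# report the failure to syslog. CHECKZONE can be overridden so the logic can
# be exercised on a host without BIND installed (assumption, not a real flag).
CHECKZONE="${CHECKZONE:-named-checkzone}"

log_err() {
    # Prefer syslog when logger(1) exists; fall back to stderr.
    if command -v logger >/dev/null 2>&1; then
        logger -p daemon.err -t ldap2zone-wrapper -- "$*"
    else
        printf 'ldap2zone-wrapper: %s\n' "$*" >&2
    fi
}

# safe_install_zone ZONE CANDIDATE LIVE
# Returns 0 and replaces LIVE with CANDIDATE when the checker accepts it.
# Returns 1, leaves LIVE untouched and logs the checker's output otherwise,
# so a restart of bind never sees the rejected file.
safe_install_zone() {
    zone="$1"; candidate="$2"; live="$3"
    if [ ! -s "$candidate" ]; then
        log_err "zone $zone: generated file $candidate is empty or missing, keeping $live"
        return 1
    fi
    if out=$("$CHECKZONE" "$zone" "$candidate" 2>&1); then
        # Keep the previous good file for inspection, then swap in the new one.
        [ -f "$live" ] && cp -p "$live" "$live.prev"
        mv "$candidate" "$live"
        return 0
    fi
    log_err "zone $zone: $CHECKZONE rejected $candidate, keeping $live: $out"
    rm -f "$candidate"
    return 1
}

# Typical use once ldap2zone has written a candidate file (paths are assumptions):
#   safe_install_zone example.intern /var/cache/bind/db.example.intern.new \
#       /var/cache/bind/db.example.intern && rndc reload example.intern
```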
