Michael Hampton
Asked: 2013-07-09 22:50:43 +0800 CST

IPA dynamic DNS only updates AAAA records. Where are my A records?

I'm setting up a FreeIPA domain. In my lab I have three VMs: the domain controller ipadc1 and two clients, puppet and wordpress (creative, yes, I know). All three VMs run freshly installed CentOS 6.4 (FreeIPA 3.0.0).

I've installed the IPA server, created a domain that we'll call example.us here, and enabled the DNS service and automatic DNS updates.

I've successfully joined both VMs to the domain. But the dynamic DNS update only puts AAAA records into DNS. No A records are inserted.

[screenshot: DNS RR]

My DNS zone settings for dynamic updates and the BIND update policy also appear to be correct.

[screenshot: DNS zone settings]

Both client VMs do have IPv4 addresses; puppet has a static IPv4 address and wordpress gets its IPv4 address from DHCP. This doesn't seem to make any difference.

# ip a s dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:3c:d5:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.25.50.227/24 brd 172.25.50.255 scope global eth0
    inet6 2001:db8:16:bf:5054:ff:fe3c:d5f5/64 scope global dynamic 
       valid_lft 86180sec preferred_lft 14180sec
    inet6 fe80::5054:ff:fe3c:d5f5/64 scope link 
       valid_lft forever preferred_lft forever

The problem actually seems to be in sssd, which I've learned is responsible for pushing the dynamic DNS updates. I turned on debugging with debug_level = 9 and found this in the log. It seems to show that sssd doesn't even try to send an A record, though it doesn't really tell me why.

(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_update_send] (0x4000): Performing update
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Multicast IPv4 address 172.25.50.227
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Link local IPv6 address fe80::5054:ff:fe3c:d5f5
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_step] (0x1000): Checking if the update is needed
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_get_family_order] (0x1000): Lookup order: ipv6_first
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_is_address] (0x4000): [wordpress.example.us] does not look like an IP address
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_is_address] (0x4000): [wordpress.example.us] does not look like an IP address
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_check] (0x1000): Address on localhost only: 2001:db8:16:bf:5054:ff:fe3c:d5f5
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_check] (0x0400): Detected IP addresses change, will perform an update
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0200): Creating update message for realm [EXAMPLE.US] and zone [example.us].
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0400):  -- Begin nsupdate message --
realm EXAMPLE.US
zone example.us.
update delete wordpress.example.us. in A
send
update delete wordpress.example.us. in AAAA
send
update add wordpress.example.us. 86400 in AAAA 2001:db8:16:bf:5054:ff:fe3c:d5f5
send
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0400):  -- End nsupdate message --
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2144]
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2144]
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_stdin_done] (0x4000): Sending nsupdate data complete
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_sig_handler] (0x1000): Waiting for child [2144].
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_sig_handler] (0x0100): child [2144] finished successfully.
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_update_done] (0x0020): DNS update finished

My sssd.conf is:

[domain/example.us]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.us
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = wordpress.example.us
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipadc1.example.us
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = example.us
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

The output of ipa dnszone-show example.us --all is:

  dn: idnsname=example.us,cn=dns,dc=example,dc=us
  Zone name: example.us
  Authoritative nameserver: ipadc1.example.us.
  Administrator e-mail address: hostmaster.example.us.
  SOA serial: 1374982142
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.US krb5-self * A; grant EXAMPLE.US krb5-self
                      * AAAA; grant EXAMPLE.US krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  mxrecord: 0 mail.example.us
  nsrecord: ipadc1.example.us.
  objectclass: top, idnsrecord, idnszone
  txtrecord: v=spf1 a mx -all

While this really is a minor problem for me, since I can go live without IPv4 DNS updates (happy to be 100% dual stack), not knowing what's going on here is still annoying. Maybe there's some log I've missed that would shed light on it?

(Oh, and yes, I turned it off and on again.)

centos6

3 answers

  1. Best Answer
    Danila Ladner
    2013-07-30T22:19:00+08:00

    After adding

    ipa_dyndns_iface = eth0
    

    In that pastebin I see sssd identifying your IP as multicast:

    "(Tue Jul 9 10:00:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Multicast IPv4 address 172.25.50.227"

    In the piece of code Jacob wrote, which tests for loopback addresses, multicast addresses and so on without reporting them to DNS, you'll find your error:

    if (IN_MULTICAST(ntohl(addr->s_addr))) {
            DEBUG(SSSDBG_FUNC_DATA, ("Multicast IPv4 address %s\n", straddr));
            return false;
        } else if (inet_netof(*addr) == IN_LOOPBACKNET) {
            DEBUG(SSSDBG_FUNC_DATA, ("Loopback IPv4 address %s\n", straddr));
            return false;
        } else if ((addr->s_addr & 0xffff0000) == 0xa9fe0000) {
            /* 169.254.0.0/16 */
            DEBUG(SSSDBG_FUNC_DATA, ("Link-local IPv4 address %s\n", straddr));
            return false;
        } else if (addr->s_addr == htonl(INADDR_BROADCAST)) {
            DEBUG(SSSDBG_FUNC_DATA, ("Broadcast IPv4 address %s\n", straddr));
            return false;
        }
    } else {
        DEBUG(SSSDBG_CRIT_FAILURE, ("Unknown address family\n"));
        return false;
    }
    
    return true;
    

    Now, why it is being identified as a "multicast address" I don't know. As you can see in in.h, IN_MULTICAST is:

       "IN_MULTICAST(a)" - tests whether a is a multicast address. and it is in "inet.h/in.h":
       #define  IN_CLASSD(i)        (((long)(i) & 0xf0000000) == 0xe0000000)
       #define  IN_MULTICAST(i)     IN_CLASSD(i)
    

    So how that IP address evaluates as multicast, I'll try to trace it and see. You could also ask Jacob Hrozek, who wrote that piece of sssd code. He's usually always available on #sssd on freenode, and it would be great if you could share what you end up with. Hope it helps a bit.

    EDIT

    Yes, there is a bug in your version 1.9.2. You have:

      if (IN_MULTICAST(addr->s_addr)) {
    

    It should be:

      if (IN_MULTICAST(ntohl(addr->s_addr))) {
    
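As an added example (not sssd's own code and not part of the answer above), the following C program shows why the pre-fix check misclassifies the questioner's address: IN_MULTICAST() expects a host-byte-order value, and on a little-endian host the raw network-order s_addr of 172.25.50.227 puts the last octet 0xe3 in the high nibble, which looks like class D. It goes slightly beyond the answer by also showing that a genuine multicast address slips past the buggy check; the sample addresses are constructed.

```c
/* Added example, not sssd code: contrasts the 1.9.2 check with the fixed one. */
#define _DEFAULT_SOURCE   /* exposes IN_MULTICAST()/IN_CLASSD() in glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>

/* The check as it appeared in the affected version: ntohl() is missing,
 * so IN_MULTICAST() inspects the wrong byte on little-endian hosts. */
static bool buggy_is_multicast(struct in_addr addr)
{
    return IN_MULTICAST(addr.s_addr);
}

/* The corrected check: convert to host byte order first. */
static bool fixed_is_multicast(struct in_addr addr)
{
    return IN_MULTICAST(ntohl(addr.s_addr));
}

/* Returns 1 if the dotted-quad string is classified as multicast by the
 * chosen check, 0 if not, and -1 if the string is not a valid IPv4 address. */
static int classify(const char *dotted, bool use_fixed)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, dotted, &addr) != 1) {
        return -1;
    }
    bool mcast = use_fixed ? fixed_is_multicast(addr) : buggy_is_multicast(addr);
    return mcast ? 1 : 0;
}

int main(void)
{
    /* Constructed samples: the questioner's address, the mDNS multicast
     * group, and an ordinary private address. */
    const char *samples[] = { "172.25.50.227", "224.0.0.251", "10.1.2.3" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-15s buggy=%d fixed=%d\n", samples[i],
               classify(samples[i], false), classify(samples[i], true));
    }
    return 0;
}
```

On a little-endian host the buggy column reports 172.25.50.227 as multicast (so sssd drops the A record) and 224.0.0.251 as not multicast; the fixed column gets both right.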
  2. dawud
    2013-07-10T01:58:56+08:00

    From the sssd-ipa(5) man page:

       ipa_dyndns_iface (string)
           Optional. Applicable only when ipa_dyndns_update is true. Choose the interface whose IP address should be used for dynamic DNS updates.
    
           Default: Use the IP address of the IPA LDAP connection
    

    You have to set ipa_dyndns_iface in /etc/sssd/sssd.conf to match the interface facing the IPA server, because by default only the address of the socket pointing at the IPA server is used:

    ipa_dyndns_iface = eth0
    

    This should enable dynamic updates for both IPv4 and IPv6.

  3. F.I.V
    2013-07-22T00:48:31+08:00

    Also try setting lookup_family_order to a non-default value, for example ipv6_first, as a test case, and let us know if it then tries to use IPv4.
