Delzone fails when not authoritative and using caching/forwarding DNS servers

Bug #1756329 reported by Crazik on 2018-03-16
Affects: Designate | Importance: High | Assigned to: Unassigned

Bug Description

Designate verifies operations on zones via SOA query.
When I use DNS servers as resolvers and the domain exists on different authoritative DNS servers, I cannot delete the domain at my installation.

Scenario:

1. I have domain on my designate + bind servers
2. I want to migrate domain to other provider, so I'm creating configuration on new resolvers, and migrate NS entries at domain registry.
3. Next day: I'm removing domain from my designate

- bind gets 'delzone' command
- bind removes my zone
- designate checks for SOA record
- bind returns new SOA record (taken from my new resolvers for domain)

4. zone gets stuck with "ERROR" status and action "DELETE"

Workaround: deny access for forward/cache on bind servers for designate nodes.

Conclusion: need a better verification, not only for SOA record, but also for its content.
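The failure mode and the content check the reporter asks for, as an added example (not Designate's or the reporter's code): a header-level check that treats a SOA answer with the AA flag clear as an upstream copy obtained through recursion, so the delete verification no longer fails on it. The sample responses are constructed 12-byte DNS headers; parse_header, delete_verified and the other names are assumed here.

```python
import struct

# DNS header flag bits and RCODEs (RFC 1035).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5


def parse_header(wire):
    """Decode the 12-byte DNS header; the checks below need nothing past it."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qdcount, "ancount": ancount}


def zone_served_authoritatively(wire):
    """True only when the queried server itself answers for the zone (AA set)."""
    h = parse_header(wire)
    return h["qr"] and h["aa"] and h["rcode"] == NOERROR and h["ancount"] > 0


def naive_delete_verified(wire):
    """Presence-only check, as described in the report: any SOA answer means 'still there'."""
    h = parse_header(wire)
    return h["qr"] and not (h["rcode"] == NOERROR and h["ancount"] > 0)


def delete_verified(wire):
    """Deletion is confirmed once the server no longer answers authoritatively.
    A SOA with AA clear was fetched upstream via recursion and is not evidence
    that bind still serves the zone."""
    h = parse_header(wire)
    return h["qr"] and not zone_served_authoritatively(wire)


def recursion_available(wire):
    """RA set: the server offers recursion to this client, the misconfiguration behind the bug."""
    return parse_header(wire)["ra"]


def _constructed_response(flags, ancount):
    # Constructed sample: header only, one question, no authority/additional records.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


# Constructed sample responses to a SOA query for the just-deleted zone.
AUTH_SOA = _constructed_response(QR | AA | RD, 1)           # bind still serves the zone
RECURSIVE_SOA = _constructed_response(QR | RD | RA, 1)      # forwarded answer, AA clear (the bug)
NXDOMAIN_AUTH = _constructed_response(QR | AA | RD | NXDOMAIN, 0)
REFUSED_RESP = _constructed_response(QR | RD | REFUSED, 0)  # recursion denied (the workaround)
```

With the recursive sample the presence-only check reports the zone as still present while the AA-aware check confirms the deletion; the refused response (recursion denied to the Designate node) passes both.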

Graham Hayes (grahamhayes) wrote:

We should add a section in the docs (in https://docs.openstack.org/designate/latest/admin/production-guidelines.html) to point out you need to turn off the recursion

tags: added: docs low-hanging-fruit
Changed in designate:
importance: Undecided → High
Changed in designate:
status: New → Triaged
David O Neill (dmzoneill) wrote:

Bind won't stop you from creating and deleting domains that already exist upstream.

openstack zone create ubuntu.com. --email <email address hidden>
openstack zone delete <uuid>

However, the post cleanup will fail in designate.
It will give you an error saying that bind is not the 'SOA' (Start of Authority record) for the given domain.

"Failed to get expected response while trying to send 'SOA' for 'ubuntu.com.' to '10.218.5.38:53'."

In other words, do 'nslookup <domain>' prior to creating the domain, or you will need to delete it manually from the database:

use designate;
select * from zones where name like '%ubuntu%';
