Bug 43511 - Check DNS resolving $repository/online/server
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Monitoring (Prometheus or Nagios)
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on: 43217
Reported: 2017-02-07 16:37 CET by Philipp Hahn
Modified: 2020-07-03 20:51 CEST (History)
What kind of report is it?: Feature Request
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069


Description Philipp Hahn univentionstaff 2017-02-07 16:37:14 CET
+++ This bug was initially created as a clone of Bug #43217 +++
(In reply to Philipp Hahn from Bug #43217 comment #8)
> (In reply to Stefan Gohmann from #43217 comment #7)
> > (In reply to Stefan Gohmann from #43217 comment #4)
> > > The other problem. What happens if we configure bind0 to be broken after an
> > > update? Previously, our update server was still reachable since we have the
> > > forwarder as second nameserver configured.
> > 
> > Maybe, we can solve this by adding a static entry for
> > updates.software-univention.de (IPv4 + IPv6).
> 
> As discussed this has multiple aspects:
> 1. we don't want to hard-code their addresses, as DNS can be updated more
> easily than shipped packages. We also will hopefully get a 2nd ftp server
> soon.
> 2. UCS is using "hosts: files dns" in /etc/nsswitch.conf, adding the IPs to
> /etc/hosts would prevent any DNS lookup for them; "dns files" would solve
> this, but would break using the hostname (or the hostname of the DC master)
> while DNS is down. We would need a "files.fallback"...
> 3. Before UCS-4.0, only UCS DNS servers were used in UCRVs 'nameserverX' and
> external DNS servers in UCRVs 'dns/forwarderY' - the change was only
> introduced with the switch-over to the Debian-Installer (and
> Univention-System-Setup) with UCS-4.0. But we don't know if it is so on
> every system.
> 4. Fact: Using mixed UCS domain DNS servers and external DNS servers in UCRV
> nameserverX is wrong - this led to multiple problems in the past:
>    - univention-dhcp no longer starts
>    - while the UCS named is down, any query will get a negative answer from
> the external fallback DNS server, which is cached by nscd. So even after the
> restart is completed, the cache is poisoned...
>    - ...
> Ideas for mitigation:

- write a Nagios check/UCS diagnostics module to check for working $(repository/online/server) DNS resolving and connection

> - Check for working named on start/network-up and fall back to static IP
> addresses if DNS does not work
> - Tell users to do a "ucr set nameserver1=8.8.8.8 ; apt-get update ; apt-get
> upgrade" to get back a working BIND if things go wrong badly.
> - Add a fallback to a static configuration in the updater if DNS does not
> work; APT would need to use the same faked DNS as well...
> - ...
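
The Nagios check proposed in the description, as an added example that is not part of the bug report and is not Univention's code. It assumes the value of `repository/online/server` is passed as the first argument (bare hostname or URL) and that the repository is served on port 80 or 443; the function names are illustrative.

```python
"""Nagios-style check: does the update server resolve and accept connections?"""
import socket
import sys
from urllib.parse import urlsplit

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def split_server(value, default_port=80):
    """Accept a bare hostname or a URL (assumed input forms); return (host, port)."""
    parts = urlsplit(value if "://" in value else "//" + value)
    port = parts.port or (443 if parts.scheme == "https" else default_port)
    return parts.hostname, port


def check_repo_server(value, timeout=5.0, resolve=socket.getaddrinfo,
                      connect=socket.create_connection):
    """Return (exit_code, message); resolve/connect can be swapped out in tests."""
    host, port = split_server(value)
    if not host:
        return UNKNOWN, "UNKNOWN: no hostname in %r" % (value,)
    try:
        # libc resolver: honours /etc/hosts and the nsswitch.conf "hosts:" order
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return CRITICAL, "CRITICAL: %s does not resolve (%s)" % (host, exc)
    addrs = sorted({info[4][0] for info in infos})
    failed = []
    for addr in addrs:
        try:
            connect((addr, port), timeout).close()
        except OSError as exc:
            failed.append("%s: %s" % (addr, exc))
    detail = "; ".join(failed)
    if len(failed) == len(addrs):
        return CRITICAL, "CRITICAL: %s resolves but port %d is unreachable (%s)" % (
            host, port, detail)
    if failed:
        return WARNING, "WARNING: %s port %d partly unreachable (%s)" % (
            host, port, detail)
    return OK, "OK: %s -> %s, port %d reachable" % (host, ", ".join(addrs), port)


if __name__ == "__main__":
    # Default is the hostname named in the report; on UCS pass the UCRV value.
    target = sys.argv[1] if len(sys.argv) > 1 else "updates.software-univention.de"
    code, message = check_repo_server(target)
    print(message)
    sys.exit(code)
```

A resolution failure is reported separately from a connection failure, so the check output shows whether DNS or the network path to the update server is the broken part.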
Comment 1 Ingo Steuwer univentionstaff 2020-07-03 20:51:31 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.