Bug 40393 - Check DNS nameserver entries at forward zones
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Lukas Oyen
Stefan Gohmann
Reported: 2016-01-08 08:01 CET by Stefan Gohmann
Modified: 2017-09-20 15:03 CEST (History)
What kind of report is it?: Feature Request
oyen: Patch_Available+


Attachments
40393-diagostic-check-nameservers-420.patch (11.77 KB, patch)
2017-06-22 16:50 CEST, Lukas Oyen
Description Stefan Gohmann univentionstaff 2016-01-08 08:01:19 CET
The DNS forward zones name server entries should be checked. See http://sdb.univention.de/1273 and I had a support case where a DNS alias was set as nameserver:

Jan  7 21:38:06 ucs named[9576]: received control channel command 'reload domain.de'
Jan  7 21:38:06 ucs named[9557]: zone domain.de/IN: NS 'test.domain.de' is a CNAME (illegal)
Jan  7 21:38:06 ucs named[9557]: zone domain.de/IN: not loaded due to errors.
Jan  7 21:38:07 ucs named[9576]: zone domain.de/IN: refresh: unexpected rcode (SERVFAIL) from master 127.0.0.1#7777 (source 0.0.0.0#0)
Comment 1 Lukas Oyen univentionstaff 2017-06-22 16:50:35 CEST
Created attachment 8954
40393-diagostic-check-nameservers-420.patch

This new check `check_nameserver.py` examines all `nameserver` entries of all `dns/{forward,reverse}_zone`s. If the nameserver is within the UCS domain but no UDM host-record can be found, a Warning is shown. If a UDM alias-record is found instead of a host-record, a Warning is shown.

If the nameserver is not within the UCS domain, a DNS lookup is performed and a Warning is shown if no address can be resolved.
Comment 2 Lukas Oyen univentionstaff 2017-08-01 16:32:32 CEST
Committed in r81626 - r81627 (advisory r81649).
Comment 3 Florian Best univentionstaff 2017-08-01 18:55:11 CEST
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 229, in run
    ed.extend(str(error) for error in group)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 229, in <genexpr>
    ed.extend(str(error) for error in group)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 212, in find_all_zone_problems
    for error in udm.check_zone(zone):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 192, in check_zone
    record = self.find(nameserver)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 171, in find
    filter_expression = nameserver.build_filter()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 154, in build_filter
    return '(|{})'.format(''.join(expressions))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 152, in <genexpr>
    expressions = (ldap.filter.filter_format(template, (rdn, zn))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/check_nameservers.py", line 144, in _generate_splits
    (rdn, zn) = zn.split('.', 1)
ValueError: need more than 1 value to unpack
Comment 4 Lukas Oyen univentionstaff 2017-08-02 15:14:49 CEST
r81708: fix ValueError in check_nameservers

I think this fixes the error, otherwise I would need some more information to debug it.
Comment 5 Florian Best univentionstaff 2017-08-02 16:43:36 CEST
Yes, the ValueError is gone.
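
An added example (not the attached patch and not UCS code): the three rules from comment 1 applied to constructed zone data, with a name splitter that yields nothing for a dot-less name instead of raising the ValueError from comment 3. The dictionary standing in for UDM records, the sample names and the `resolver` parameter are assumptions made for illustration; "within the UCS domain" is taken here to mean "under one of the local zones".

```python
import socket

# Constructed sample data (not from the bug report): local zones with their
# relative record names, and the NS targets configured on a forward zone.
ZONES = {
    "domain.de": {"ucs": "host", "test": "alias"},
}
NAMESERVERS = ["ucs.domain.de.", "test.domain.de", "gone.domain.de",
               "ns.example.net", "localhost"]


def generate_splits(fqdn):
    """Yield every (relative name, zone) split of fqdn, left to right."""
    rest = fqdn.rstrip(".").lower()
    labels = []
    while "." in rest:  # a name without a dot yields nothing, no ValueError
        label, rest = rest.split(".", 1)
        labels.append(label)
        yield ".".join(labels), rest


def resolves(name):
    """Default resolver for names outside the local zones (uses system DNS)."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False


def check_nameservers(nameservers, zones, resolver=resolves):
    """Return (nameserver, warning) pairs following the rules in comment 1."""
    problems = []
    for ns in nameservers:
        local = [(rel, zn) for rel, zn in generate_splits(ns) if zn in zones]
        if local:
            kinds = [zones[zn].get(rel) for rel, zn in local]
            if "host" in kinds:
                continue  # a host record exists, nothing to report
            if "alias" in kinds:  # the CNAME-as-NS case named rejects
                problems.append((ns, "alias record instead of host record"))
            else:
                problems.append((ns, "no host record found"))
        elif not resolver(ns.rstrip(".")):
            problems.append((ns, "no address can be resolved"))
    return problems
```

Passing a stub as `resolver` keeps the check offline, which is also how the external-lookup branch can be exercised in a test environment without working DNS.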
Comment 6 Stefan Gohmann univentionstaff 2017-09-10 14:30:50 CEST
The check fails in AD member mode. See for example:

http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-2/job/ADMemberMultiEnv/1/Mode=installation,Version=w2k8r2-english/testReport/00_checks/81_diagnostic_checks/test/

[2017-09-08 21:52:03.767242] E     Exception: ###############
[2017-09-08 21:52:03.767314] E     Nameserver sind nicht ansprechbar
[2017-09-08 21:52:03.767391] E     1 der konfigurierten Nameserver anworten nicht auf DNS-Anfragen.
[2017-09-08 21:52:03.767491] E     Bitte sicherstellen, dass die DNS-Einstellungen in {setup:network} korrekt konfiguriert sind.
[2017-09-08 21:52:03.767572] E     Falls das Problem bestehen bleibt stellen Sie sicher, dass der Nameserver mit dem Netzwerk verbunden ist und die DNS-Forwarder das Internet erreichen können (www.univention.de).
[2017-09-08 21:52:03.767650] E     
[2017-09-08 21:52:03.767727] E     Der Nameserver 10.210.55.103 (UCR Variable 'nameserver1') ist nicht ansprechbar:
[2017-09-08 21:52:03.767802] E     ###############
Comment 7 Lukas Oyen univentionstaff 2017-09-11 17:21:51 CEST
I am unable to reproduce. Also: Jenkins is happy again.
Comment 8 Stefan Gohmann univentionstaff 2017-09-11 17:29:32 CEST
(In reply to Lukas Oyen from comment #7)
> I am unable to reproduce. Also: Jenkins is happy again.

I guess because I disabled the plugin:

https://git.knut.univention.de/univention/ucs/commit/97d5e6b935cd119c20fb3b7ef6c6e99c940e2907

 97d5e6b9
 by Stefan Gohmann at 2017-09-10T14:53:35+02:00
* 00_checks/81_diagnostic_checks.py: disable 11_nameserver check since
  it doesn't work in AD member setup (Bug #40393)
* 20_appcenter/100_settings.py: Skip test in admember setup
  (Bug #45377)
* 55_adconnector/502_other_attribute_sync.py: Skip test case in AD
  member mode (Bug #36480)

Sorry, I didn't add a comment for it at this bug.
Comment 9 Lukas Oyen univentionstaff 2017-09-11 17:38:35 CEST
(In reply to Stefan Gohmann from comment #8)
> I guess because I disabled the plugin:
> 
> https://git.knut.univention.de/univention/ucs/commit/
> 97d5e6b935cd119c20fb3b7ef6c6e99c940e2907

Right, but this bug is for 20_check_nameservers.py, not 11_nameserver.py (the one that fails).

11_nameserver.py checks the UCR variables 'dns/forwarder1', 'dns/forwarder2', 'dns/forwarder3', 'nameserver1', 'nameserver2', 'nameserver3'.

20_check_nameservers.py checks all UDM 'dns/forward_zone', 'dns/reverse_zone'.
Comment 10 Stefan Gohmann univentionstaff 2017-09-19 20:28:10 CEST
(In reply to Lukas Oyen from comment #9)
> (In reply to Stefan Gohmann from comment #8)
> > I guess because I disabled the plugin:
> > 
> > https://git.knut.univention.de/univention/ucs/commit/
> > 97d5e6b935cd119c20fb3b7ef6c6e99c940e2907
> 
> Right, but this bug is for 20_check_nameservers.py, not 11_nameserver.py
> (the one that fails).
> 
> 11_nameserver.py checks the UCR variables 'dns/forwarder1',
> 'dns/forwarder2', 'dns/forwarder3', 'nameserver1', 'nameserver2',
> 'nameserver3'.
> 
> 20_check_nameservers.py checks all UDM 'dns/forward_zone',
> 'dns/reverse_zone'.

Yes, you are right.

YAML: OK

Tests: OK, it looks good now.
Comment 11 Erik Damrose univentionstaff 2017-09-20 15:03:47 CEST
<http://errata.software-univention.de/ucs/4.2/166.html>