ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

Nsupdate failed to determine right zone if tsig used #749

Open AKorezin opened 4 years ago

AKorezin commented 4 years ago
SUMMARY

Nsupdate fails to determine the right zone if a TSIG key is used and the DNS server uses a split view based on the key.

ISSUE TYPE
COMPONENT NAME

nsupdate

ANSIBLE VERSION
ansible 2.9.11
  config file = /tmp/test/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.5 (default, Jul 27 2020, 08:42:51) [GCC 10.1.0]
CONFIGURATION
ANSIBLE_PIPELINING(/tmp/test/ansible.cfg) = True
ANSIBLE_SSH_ARGS(/tmp/test/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=60s
DEFAULT_HOST_LIST(/tmp/test/ansible.cfg) = ['/tmp/test/hosts']
DEFAULT_PRIVATE_KEY_FILE(/tmp/test/ansible.cfg) = /tmp/test/files/keys/ansible.key
DEFAULT_REMOTE_USER(/tmp/test/ansible.cfg) = ansible
INTERPRETER_PYTHON(/tmp/test/ansible.cfg) = auto_silent
RETRY_FILES_ENABLED(/tmp/test/ansible.cfg) = False
OS / ENVIRONMENT

Runner: Arch Linux with Python 3.8.5. DNS server: BIND 9.11 with a split view configured based on TSIG key and source IP.

STEPS TO REPRODUCE

./hosts

localhost ansible_connection=local

./group_vars/all/dns.yml

dns_hosts:
  - 192.168.0.1
domains:
  - domain: example.personaldomain
    challenges:
      - 0123456789abcdef

./roles/nsupdate/tasks/main.yml

---
- name: Execute nsupdate
  nsupdate:
    server: "{{ item.0 }}"
    record: "_acme-challenge.{{ item.1.domain }}."
    type: "TXT"
    value: "{{ item.1.challenges }}"
    state: "{{ state }}"
    key_algorithm: "hmac-sha512"
    key_name: "{{ key_name }}"
    key_secret: "{{ key_value }}"
  loop: "{{ dns_hosts | product(domains) | list }}"
EXPECTED RESULTS

Dns zone update executed

ACTUAL RESULTS

Local result:

failed: [localhost] (item=['192.168.0.1', {'domain': 'example.personaldomain', 'challenges': ['0123456789abcdef']}]) => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "ansible_loop_var": "item", "changed": false, "dns_rc": 9, "dns_rc_str": "NOTAUTH", "item": ["192.168.0.1", {"challenges": ["0123456789abcdef"], "domain": "example.personaldomain"}], "msg": "Failed to create DNS record (rc: 9)"}

Dns log:

client @0x7fc000000000 192.168.0.2#42666/key samplekey: view test1: updating zone 'personaldomain/IN': update failed: not authoritative for update zone (NOTAUTH)
ADDITIONAL INFORMATION

nsupdate.py

...
self.zone = dns.resolver.zone_for_name(self.module.params['record']).to_text()
...

This part of the file is executed without a keyring, as in ansible/ansible#63174. So it produces an incorrect result, because the query goes to the view where the zone example.personaldomain exists and sets self.zone to the incorrect value example.personaldomain.

If it used the keyring, the query would go to the other view, where the zone is configured differently, so self.zone would be personaldomain. The zone example.personaldomain is not defined in this view at all.
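The mechanism described in the report, as an added example (not code from community.general or from the issue author): dns.resolver.zone_for_name walks from the record name up towards the root, querying SOA at each step, and returns the first name the server answers an SOA for. Which view BIND answers from depends on whether the SOA query is TSIG-signed, so an unsigned walk and a signed walk can land in different zones. The block below re-implements that walk with the SOA lookup injected as a callable, drives it against a constructed two-view layout that mirrors the issue (the view name, key name samplekey and zone names are taken from the report; the exact view contents are an assumption), and shows the equivalent signed lookup with dnspython, imported lazily so the file runs without it. The parameter names of tsig_soa_lookup are this example's own.

```python
"""Zone detection against a BIND split view keyed on TSIG (added example).

Not code from community.general; the two-view layout below is constructed
for illustration from the zone and key names quoted in the issue.
"""
from typing import Callable, Optional

# Constructed view layout. The unkeyed (source-IP) view carries a delegated
# child zone; the view selected by the TSIG key carries only the parent zone.
# Names are absolute, matching the trailing dot on the module's record value.
VIEWS = {
    None: {"example.personaldomain.", "personaldomain."},  # unsigned queries
    "samplekey.": {"personaldomain."},                     # queries signed with samplekey
}

SoaLookup = Callable[[str], Optional[str]]


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label: 'a.b.c.' -> 'b.c.', 'c.' -> '.', '.' -> None."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def fake_soa_lookup(view_key: Optional[str]) -> SoaLookup:
    """SOA lookup that answers from one view of the constructed server.

    Returns the SOA owner when `qname` is a zone apex in that view. For names
    below an apex a real server returns NXDOMAIN/NODATA with the SOA only in
    the authority section; dns.resolver raises for that, and zone_for_name
    moves on to the parent, so the fake returns None there.
    """
    zones = VIEWS[view_key]
    return lambda qname: qname if qname in zones else None


def zone_for_name(name: str, soa_lookup: SoaLookup) -> str:
    """Parent-walk performed by dns.resolver.zone_for_name, lookup injected."""
    candidate = name
    while candidate is not None:
        if soa_lookup(candidate) == candidate:
            return candidate
        candidate = parent(candidate)
    raise LookupError("no zone found for %s" % name)


def tsig_soa_lookup(server: str, key_name: str, key_secret: str,
                    algorithm: str = "hmac-sha512") -> SoaLookup:
    """Real SOA lookup with dnspython, signed with the TSIG key.

    Signing the SOA query with the same keyring the module later uses for the
    update makes BIND route both into the same view. Returns the SOA owner
    from the answer section, or None on non-NOERROR / no SOA in the answer.
    """
    import dns.message, dns.name, dns.query, dns.rcode, dns.rdatatype, dns.tsigkeyring

    keyring = dns.tsigkeyring.from_text({key_name: key_secret})
    keyname = dns.name.from_text(key_name)
    algo = dns.name.from_text(algorithm)

    def lookup(qname: str) -> Optional[str]:
        q = dns.message.make_query(qname, dns.rdatatype.SOA)
        q.use_tsig(keyring, keyname=keyname, algorithm=algo)
        r = dns.query.udp(q, server, timeout=5)  # response TSIG is verified against keyring
        if r.rcode() != dns.rcode.NOERROR:
            return None
        for rrset in r.answer:
            if rrset.rdtype == dns.rdatatype.SOA:
                return rrset.name.to_text()
        return None

    return lookup


def demo() -> tuple:
    """Same record, unsigned walk vs. walk signed with samplekey."""
    record = "_acme-challenge.example.personaldomain."
    unsigned = zone_for_name(record, fake_soa_lookup(None))
    signed = zone_for_name(record, fake_soa_lookup("samplekey."))
    return unsigned, signed


if __name__ == "__main__":
    unsigned, signed = demo()
    print("zone without keyring:", unsigned)  # the zone the module currently picks
    print("zone with keyring:   ", signed)    # the zone the keyed view actually holds
```

The unsigned walk stops at example.personaldomain., which is exactly the value the report says self.zone receives, while the signed walk reaches personaldomain., the only zone the keyed view is authoritative for; sending an update for the former into that view is what BIND logs as NOTAUTH. Until the module signs its zone detection, the nsupdate module's zone parameter bypasses the auto-detection and lets the playbook state the zone the keyed view really serves.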

ansibullbot commented 4 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibullbot commented 4 years ago

cc @nerzhul

ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.
