inkblot / puppet-bind


wrong zone is queried #5

Closed schirmacher closed 10 years ago

schirmacher commented 10 years ago

To reproduce the problem, use the configuration file from https://github.com/inkblot/puppet-bind/issues/3.

After applying the configuration to my node s1006 (10.1.1.6), I have two zones in the name server, one has the external and the other the internal IP addresses. This particular configuration updates the external zone.

Now stop bind9, copy /var/cache/bind/example.org-external/example.org to /var/cache/bind/example.org-internal/example.org, edit the www entry to an internal IP address (say 10.1.1.20) and start bind9 again. I now have two different IP addresses for www.example.org. If I query the name server from 10.1.1.6, I will get the internal IP address, but if queried from 10.1.1.3 I will get the external IP address.

(For the production site the ACLs are replaced with 'only internal access' and 'only external access').

After that, change the external IP address for www.example.org in the node configuration and run puppet again. It should replace the old IP address, but it doesn't:

root@s1006:~# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Caching catalog for s1006
Info: Applying configuration version '1409737554'
Notice: /Stage[main]/Main/Node[s1006]/Dns_rr[IN/A/www.example.org]/rrdata: rrdata changed ['10.1.1.20'] to '93.184.216.114'
Notice: Finished catalog run in 2.06 seconds

The result is that the external zone file now has both the new entry and the old one. The old one has not been deleted.

The reason for this behavior is, as far as I can tell, a call to dig which queries the internal zone, as per the ACL definitions. However, nsupdate has the TSIG key as a parameter and therefore updates the external zone.

Fix: dig should use the same TSIG parameter as nsupdate.
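The mismatch described in this issue can be reproduced without a running BIND by modelling how a view is chosen for a request. The following is an added example, not code from puppet-bind or from the configuration in issue #3: it uses a constructed two-view split-horizon setup in which the internal view matches 10.1.1.0/24 unless the request is signed with a TSIG key named `external-key`, and the external view matches anything signed with that key. The view names, key name and the "old" external address 93.184.216.119 are assumptions; 10.1.1.6, 10.1.1.20 and 93.184.216.114 come from the report above. The address-match-list semantics are simplified (first matching element wins, a matching negated element rejects the view), which is enough to show why an unsigned read followed by a signed write leaves the stale record behind.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    """A simplified BIND view: its match-clients list plus the A records it serves."""
    name: str
    match_clients: list                      # "10.1.1.0/24", "any", "key NAME", or "!..." to negate
    records: dict = field(default_factory=dict)   # owner name -> set of A rdata strings


def _element_matches(elem, source_ip, key_name):
    """Does one address-match-list element match a request from source_ip signed with key_name?"""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem.startswith("key "):
        return key_name is not None and key_name == elem.split(None, 1)[1]
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(elem, strict=False)


def select_view(views, source_ip, key_name=None):
    """First view whose match-clients list matches; a matching negated element rejects the view."""
    for view in views:
        for elem in view.match_clients:
            negated = elem.startswith("!")
            if _element_matches(elem.lstrip("!").strip(), source_ip, key_name):
                if negated:
                    break            # this view is excluded, try the next one
                return view
    return None


def query(views, source_ip, name, key_name=None):
    """Simulated dig: returns (view that answered, current rdata set)."""
    view = select_view(views, source_ip, key_name)
    return view.name, set(view.records.get(name, set()))


def ensure_rrset(views, source_ip, name, desired, query_key, update_key):
    """Dns_rr-style sync: read the current rdata, then delete extras and add missing
    entries through a simulated nsupdate. query_key / update_key are the TSIG key
    names used for the read and the write respectively (None = unsigned)."""
    _, current = query(views, source_ip, name, query_key)
    target = select_view(views, source_ip, update_key)
    rrset = target.records.setdefault(name, set())
    rrset -= (current - desired)     # "update delete" for each rdata believed stale
    rrset |= (desired - current)     # "update add" for each rdata believed missing
    return target.name, set(rrset)


def build_views():
    # Constructed split-horizon configuration (an assumption, not the one from issue #3).
    return [
        View("internal", ["!key external-key", "10.1.1.0/24"],
             {"www.example.org": {"10.1.1.20"}}),
        View("external", ["key external-key", "any"],
             {"www.example.org": {"93.184.216.119"}}),   # constructed "old" external address
    ]


DESIRED = {"93.184.216.114"}   # the new external address from the Puppet run above


def unsigned_check():
    """Current behaviour: unsigned dig from 10.1.1.6, then nsupdate signed with the key."""
    return ensure_rrset(build_views(), "10.1.1.6", "www.example.org", DESIRED,
                        query_key=None, update_key="external-key")


def signed_check():
    """Proposed fix: dig signed with the same TSIG key as nsupdate."""
    return ensure_rrset(build_views(), "10.1.1.6", "www.example.org", DESIRED,
                        query_key="external-key", update_key="external-key")


if __name__ == "__main__":
    print("unsigned dig ->", unsigned_check())   # old external record survives
    print("signed dig   ->", signed_check())     # only the desired record remains
```

`unsigned_check()` reproduces the report: the read lands in the internal view and returns 10.1.1.20, so the sync deletes a record that does not exist in the external view and adds the new one, leaving both 93.184.216.119 and 93.184.216.114 there. `signed_check()` reads and writes through the same view and ends with only the desired record. On a real server the equivalent of the fix is to pass the key file to dig with `-k` (or the inline `-y` form) exactly as it is passed to nsupdate, so both tools are steered to the same view.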