dnssec failures cause nodes to be unable to resolve external addresses
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
MAAS | Fix Released | Critical | Mike Pontillo | |
Bug Description
https:/
MAAS 1.5.4 running on Trusty, fresh default install, the only things we've done are standard config (setting up network, adding DNS forwarder address, and then adding nodes once images were synced).
The problem was that I was unable to resolve addresses using the MAAS DNS forwarder. For example:
ubuntu@
; <<>> DiG 9.9.5-3-Ubuntu <<>> @192.168.1.1 streams.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10035
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;streams.
;; Query time: 0 msec
;; SERVER: 192.168.
;; WHEN: Wed Oct 22 11:32:29 CDT 2014
;; MSG SIZE rcvd: 50
I would get that, and a corresponding error in /var/log/syslog:
Oct 22 11:18:20 utsa-maas named[41376]: error (insecurity proof failed) resolving './NS/IN': 10.241.1.1#53
I believe the real cause is that dnssec-validation is set to auto by default in bind9, and those dnssec queries failed, which caused nodes in the MAAS cluster to be unable to resolve external addresses. This, in turn, caused juju bootstrap to fail:
Setting up libgoogle-
Setting up libsnappy1 (1.1.0-1ubuntu1) ...
Setting up juju-mongodb (2.4.9-0ubuntu3) ...
Processing triggers for libc-bin (2.19-0ubuntu6.3) ...
curl: (6) Could not resolve host: streams.
tools from https:/
Stopping instance...
ERROR rc: 1
After talking about this with Kiko, I set dnssec-validation to no:
dnssec-validation no;
in /etc/bind/
and after restarting bind, external forwarding started working properly.
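A triage sketch for the syslog symptom in the report above, added here as an example (not code from the bug report or from MAAS): it groups named resolver errors by upstream server and flags servers where DNSSEC validation failed for the root zone. The function names, the reason strings other than `insecurity proof failed`, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Reasons counted as DNSSEC validation failures. Only the first is on this
# page; the others are assumed to be further BIND validator messages.
DNSSEC_REASONS = {"insecurity proof failed", "no valid RRSIG",
                  "no valid DS", "broken trust chain"}

# named[pid]: error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>
LINE_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>.+?)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)")

# The first line is from the report; the rest are constructed sample data.
SAMPLE = [
    "Oct 22 11:18:20 utsa-maas named[41376]: error (insecurity proof failed) "
    "resolving './NS/IN': 10.241.1.1#53",
    "Oct 22 11:18:21 utsa-maas named[41376]: error (no valid RRSIG) "
    "resolving 'example.com/A/IN': 10.241.1.1#53",
    "Oct 22 11:18:25 utsa-maas named[41376]: error (connection refused) "
    "resolving 'example.org/A/IN': 192.0.2.53#53",
    "Oct 22 11:18:26 utsa-maas cron[912]: (root) CMD (run-parts /etc/cron.hourly)",
]

def triage(lines):
    """Count named resolver errors per upstream server, split by cause."""
    report = defaultdict(lambda: {"dnssec": 0, "other": 0, "root_failed": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a named resolver error
        entry = report[m["server"]]
        if m["reason"] in DNSSEC_REASONS:
            entry["dnssec"] += 1
            # A validation failure on the root zone itself matches this
            # report's symptom: external names come back SERVFAIL.
            if m["name"] == ".":
                entry["root_failed"] = True
        else:
            entry["other"] += 1
    return dict(report)

def suspect_forwarders(report):
    """Upstream servers whose answers for the root zone failed validation."""
    return sorted(s for s, e in report.items() if e["root_failed"])

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for server in suspect_forwarders(rep):
        print(server, rep[server])
```

To confirm a flagged forwarder on a live resolver, compare a normal query with one sent with `dig +cd`, which asks the server to skip validation.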
Related branches
- Gavin Panella (community): Approve
  Diff: 301 lines (+100/-10), 11 files modified
  - etc/maas/templates/dns/named.conf.options.inside.maas.template (+2/-0)
  - src/maasserver/dns/config.py (+11/-1)
  - src/maasserver/dns/tests/test_config.py (+2/-1)
  - src/maasserver/forms.py (+1/-0)
  - src/maasserver/forms_settings.py (+28/-1)
  - src/maasserver/management/commands/edit_named_options.py (+15/-3)
  - src/maasserver/models/config.py (+6/-0)
  - src/maasserver/tests/test_commands_edit_named_options.py (+22/-0)
  - src/provisioningserver/dns/actions.py (+3/-2)
  - src/provisioningserver/dns/config.py (+1/-0)
  - src/provisioningserver/dns/tests/test_actions.py (+9/-2)
- Gavin Panella (community): Approve
  Diff: 83 lines (+36/-14), 2 files modified
  - debian/changelog (+5/-0)
  - debian/maas-dns.postinst (+31/-14)
Changed in maas: | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: dns trivial |
Changed in maas: | |
milestone: | none → next |
Changed in maas: | |
milestone: | next → 1.8.0 |
importance: | High → Critical |
Changed in maas: | |
assignee: | nobody → Mike Pontillo (mpontillo) |
Changed in maas: | |
status: | Triaged → In Progress |
Changed in maas: | |
status: | In Progress → Fix Committed |
Changed in maas: | |
status: | Fix Committed → Fix Released |
Did you add upstream DNS in MAAS settings page?