SSSD supports dynamic DNS (DDNS) and uses the nsupdate tool for this purpose. DDNS is enabled or disabled with the dyndns_update domain option.
Previously, when DDNS was enabled, the address of the LDAP connection was used for the DNS updates by default. This behaviour has changed in the recent SSSD version. Now all (DNS valid) IPv4 and IPv6 addresses of the network interface (NIC) that is used for the LDAP connection are used. This change was introduced mostly to handle use cases where the full stack addresses of the client were deleted from the DNS server by the client's DNS updates and only a single address (the address of the LDAP connection) was inserted.
Simple example of DDNS in SSSD:
Network interfaces on IPA client (husker.example.test):
    ens9:
        inet 192.0.2.11/24 scope global
        inet6 2001:DB8::11/96 scope global
        inet6 fe80::5054:ff:fe8a:4999/64 scope link
    eth1:
        inet 198.51.100.11/24 scope global
        inet 198.51.100.12/24 scope global secondary eth1
        inet6 2001:DB8:1::11/96 scope global
        inet6 2001:DB8:1::12/96 scope global
        inet6 fe80::5054:ff:fe2d:90b/64 scope link
Configure and restart SSSD:
    husker # grep dyndns_update /etc/sssd/sssd.conf
    dyndns_update = True
    husker # sudo systemctl restart sssd
Query address of IPA client (husker) on IPA server:
    ipa-server $ dig A husker.example.test +short
    192.0.2.11
    ipa-server $ dig AAAA husker.example.test +short
    2001:DB8::11
To handle use cases where IPs from more than one NIC should be used, the domain option dyndns_iface was updated to accept not just a single interface name but also a comma-separated list of interface names. A special value, *, was also introduced to indicate that all host interfaces should be considered.
Use all NICs on husker:
    husker # grep dyndns_iface /etc/sssd/sssd.conf
    dyndns_iface = *
    husker # sudo systemctl restart sssd
Query addresses of IPA client (husker):
    ipa-server $ dig A husker.example.test +short
    192.0.2.11
    198.51.100.11
    198.51.100.12
    ipa-server $ dig AAAA husker.example.test +short
    2001:DB8::11
    2001:DB8:1::11
    2001:DB8:1::12
dyndns_iface's special value
The previous paragraphs mentioned the term DNS valid address. Addresses that are multicast, loopback, link-local or broadcast are not usable for DNS and are therefore ignored by SSSD. Such events are logged in the SSSD domain log file if debug_level is equal to or above SSSDBG_TRACE_LIBS (7).
    husker $ grep 'check_ipv[46]_addr' sssd_ipa.work.log
    [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
    [check_ipv6_addr] (0x0200): Loopback IPv6 address ::1
    [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::5054:ff:fe2d:90b
Hints for testing DDNS
The nsupdate tool can be run directly from the command line.
    nsupdate -o msg
msg is a file containing the message used for the DNS update, and the -o switch makes nsupdate use the same Kerberos credentials as SSSD. The message that SSSD uses for the update is logged in the domain log file (the debug_level option has to be at least equal to SSSDBG_TRACE_FUNC (6)). An example of the relevant part of the log follows:
    -- Begin nsupdate message --
    realm EXAMPLE.TEST
    update delete husker.example.test. in A
    send
    update delete husker.example.test. in AAAA
    send
    update add husker.example.test. 1200 in AAAA 2001:DB8::11
    update add husker.example.test. 1200 in AAAA 2001:DB8:1::11
    update add husker.example.test. 1200 in AAAA 2001:DB8:1::12
    update add husker.example.test. 1200 in A 192.0.2.11
    update add husker.example.test. 1200 in A 198.51.100.11
    update add husker.example.test. 1200 in A 198.51.100.12
    send
    -- End nsupdate message --
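The address filtering and the message layout described above can be reproduced offline to build a msg file for testing. The following is an added sketch, not SSSD's own code: the function names, the refusal to emit a delete-only message and the sample address list are assumptions of this example, and the checks only approximate the address classes the article names.

```python
import ipaddress

def dns_valid(addr):
    """Return (ok, reason). Approximates, not copies, the classes SSSD ignores."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return False, "Loopback"
    if ip.is_link_local:
        return False, "Link local"
    if ip.is_multicast:
        return False, "Multicast"
    if ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"):
        return False, "Broadcast"
    return True, ""

def build_nsupdate_message(fqdn, realm, cidr_addrs, ttl=1200):
    """Return (message, skipped), laid out like the logged nsupdate message."""
    name = fqdn.rstrip(".") + "."
    records = {"A": [], "AAAA": []}
    skipped = []
    for cidr in cidr_addrs:
        addr = cidr.split("/")[0]              # drop the prefix length
        ok, reason = dns_valid(addr)
        if not ok:
            skipped.append((addr, reason))
            continue
        rtype = "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"
        records[rtype].append(addr)
    if not records["A"] and not records["AAAA"]:
        # Assumption of this sketch: refuse a message that would only delete.
        raise ValueError("no DNS valid address; update would only delete records")
    lines = [f"realm {realm}", f"update delete {name} in A", "send",
             f"update delete {name} in AAAA", "send"]
    for rtype in ("AAAA", "A"):                # same order as in the log excerpt
        lines += [f"update add {name} {ttl} in {rtype} {a}" for a in records[rtype]]
    lines.append("send")
    return "\n".join(lines) + "\n", skipped

# Constructed input: husker's ens9 and eth1 addresses from the example, plus loopback.
HUSKER_ADDRS = [
    "192.0.2.11/24", "2001:DB8::11/96", "fe80::5054:ff:fe8a:4999/64",
    "198.51.100.11/24", "198.51.100.12/24", "2001:DB8:1::11/96",
    "2001:DB8:1::12/96", "fe80::5054:ff:fe2d:90b/64", "127.0.0.1/8",
]

if __name__ == "__main__":
    msg, skipped = build_nsupdate_message("husker.example.test", "EXAMPLE.TEST", HUSKER_ADDRS)
    print(msg, end="")
    print("\n".join(f"# ignored: {r} address {a}" for a, r in skipped))
```

Comparing the generated text with the message in the domain log shows quickly whether an address is missing because it was filtered or because its interface was not selected by dyndns_iface.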
Check that the appropriate domain zone is created on the server:
    ipa-server $ ipa dnszone-show example.test.
    Zone name: example.test.
    ...
Check that dynamic update is enabled on the server.
Check the BIND update policy on the IPA server.
For debugging purposes only, you might add the rule
"grant * wildcard *;"