community.general

nsupdate fails to determine the right zone if TSIG is used

Open AKorezin opened this issue 3 years ago • 3 comments

SUMMARY

nsupdate fails to determine the right zone if a TSIG key is used and the DNS server uses a split view based on that key.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

nsupdate

ANSIBLE VERSION
ansible 2.9.11
  config file = /tmp/test/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.5 (default, Jul 27 2020, 08:42:51) [GCC 10.1.0]
CONFIGURATION
ANSIBLE_PIPELINING(/tmp/test/ansible.cfg) = True
ANSIBLE_SSH_ARGS(/tmp/test/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=60s
DEFAULT_HOST_LIST(/tmp/test/ansible.cfg) = ['/tmp/test/hosts']
DEFAULT_PRIVATE_KEY_FILE(/tmp/test/ansible.cfg) = /tmp/test/files/keys/ansible.key
DEFAULT_REMOTE_USER(/tmp/test/ansible.cfg) = ansible
INTERPRETER_PYTHON(/tmp/test/ansible.cfg) = auto_silent
RETRY_FILES_ENABLED(/tmp/test/ansible.cfg) = False
OS / ENVIRONMENT

Runner: Arch Linux with Python 3.8.5. DNS server: BIND 9.11 with split views configured based on TSIG key and source IP.

STEPS TO REPRODUCE

./hosts

localhost ansible_connection=local

./group_vars/all/dns.yml

dns_hosts:
  - 192.168.0.1
domains:
  - domain: example.personaldomain
    challenges:
      - 0123456789abcdef

./roles/nsupdate/tasks/main.yml

---
- name: Execute nsupdate
  nsupdate:
    server: "{{ item.0 }}"
    record: "_acme-challenge.{{ item.1.domain }}."
    type: "TXT"
    value: "{{ item.1.challenges }}"
    state: "{{ state }}"
    key_algorithm: "hmac-sha512"
    key_name: "{{ key_name }}"
    key_secret: "{{ key_value }}"
  loop: "{{ dns_hosts | product(domains) | list }}"

EXPECTED RESULTS

DNS zone update is executed.

ACTUAL RESULTS

Local result:

failed: [localhost] (item=['192.168.0.1', {'domain': 'example.personaldomain', 'challenges': ['0123456789abcdef']}]) => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "ansible_loop_var": "item", "changed": false, "dns_rc": 9, "dns_rc_str": "NOTAUTH", "item": ["192.168.0.1", {"challenges": ["0123456789abcdef"], "domain": "example.personaldomain"}], "msg": "Failed to create DNS record (rc: 9)"}

Dns log:

client @0x7fc000000000 192.168.0.2#42666/key samplekey: view test1: updating zone 'personaldomain/IN': update failed: not authoritative for update zone (NOTAUTH)

ADDITIONAL INFORMATION

nsupdate.py

...
self.zone = dns.resolver.zone_for_name(self.module.params['record']).to_text()
...

This part of the file is executed without the keyring, as in ansible/ansible#63174. So it produces an incorrect result, because the query goes to the view where the zone example.personaldomain exists, and sets self.zone to the incorrect value example.personaldomain.

If it used the keyring, the query would go to the other view, where the zone is configured differently, so self.zone would be personaldomain. The zone example.personaldomain is not defined in that view at all.

AKorezin avatar Aug 07 '20 13:08 AKorezin
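The mechanism described in the report, as an added example that is not code from community.general or from the reporter. dns.resolver.zone_for_name() walks the record name toward the root, sends an SOA query for each candidate name, and returns the first name whose answer carries an SOA owned by that name. On a BIND server that selects a view by TSIG key, an unsigned walk and a walk signed with the update key are answered by different views and can therefore return different zones; the UPDATE is then built for the zone the unsigned walk found but signed with the key, lands in the keyed view, and is refused with NOTAUTH (rcode 9). The toy server below models that. The two views and their zone lists are constructed for the example; the key name "samplekey" is taken from the log line in the report, and the record name from the playbook.

```python
"""Toy split-view server and a zone_for_name() walk with the TSIG key threaded through.

Added example, not community.general's nsupdate module nor the reporter's setup.
The views below are constructed: the default (unsigned) view hosts
example.personaldomain. as its own zone, while the view selected by the TSIG key
"samplekey" hosts only personaldomain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SoaResponse:
    """The only thing zone_for_name() looks at: is there an SOA RRset owned by the queried name?"""
    soa_owner: Optional[str]  # None models NXDOMAIN, NoAnswer or REFUSED


class SplitViewServer:
    """Toy authoritative server whose view is chosen by the TSIG key on the request.

    An unsigned request (tsig_key=None) goes to the default view, which is what a
    query from an unconfigured dnspython resolver would hit.
    """

    def __init__(self, views: Dict[Optional[str], List[str]]):
        # {TSIG key name or None: [zone apex, ...]}; apexes are absolute names.
        self.views = views

    def soa_query(self, name: str, tsig_key: Optional[str]) -> SoaResponse:
        zones = self.views.get(tsig_key, [])
        # Only an exact apex returns an SOA in the answer section. A name below an
        # apex gets an authoritative NXDOMAIN/NODATA and a name outside every zone
        # gets REFUSED; zone_for_name() treats all of those as "keep walking up".
        return SoaResponse(soa_owner=name if name in zones else None)

    def update(self, zone: str, tsig_key: Optional[str]) -> str:
        """BIND accepts an UPDATE only if its zone section names a zone apex in the selected view."""
        zones = self.views.get(tsig_key, [])
        return "NOERROR" if zone in zones else "NOTAUTH"


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label of an absolute name; the root has no parent."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def zone_for_name(server: SplitViewServer, record: str, tsig_key: Optional[str] = None) -> str:
    """Same walk as dns.resolver.zone_for_name(), but every SOA query carries the TSIG key."""
    name: Optional[str] = record
    while name is not None:
        if server.soa_query(name, tsig_key).soa_owner == name:
            return name
        name = parent(name)
    raise LookupError("no SOA found walking up to the root")


def nsupdate_txt(server: SplitViewServer, record: str, key_name: str, sign_zone_lookup: bool):
    """Model of the module's flow: discover the zone, then send a signed UPDATE for it.

    Returns (zone the lookup produced, rcode of the signed UPDATE).
    """
    zone = zone_for_name(server, record, key_name if sign_zone_lookup else None)
    return zone, server.update(zone, key_name)


# Constructed views modelled on the report's description.
SERVER = SplitViewServer({
    None: ["example.personaldomain."],      # default view seen by unsigned queries
    "samplekey": ["personaldomain."],       # view selected by the update key
})
RECORD = "_acme-challenge.example.personaldomain."


if __name__ == "__main__":
    print("unsigned lookup:", nsupdate_txt(SERVER, RECORD, "samplekey", sign_zone_lookup=False))
    print("signed lookup:  ", nsupdate_txt(SERVER, RECORD, "samplekey", sign_zone_lookup=True))
```

The unsigned walk stops at example.personaldomain. because the default view answers its SOA, and the signed UPDATE for that zone is refused with NOTAUTH; the signed walk finds personaldomain. and the UPDATE succeeds. With dnspython the real equivalent is to point a dns.resolver.Resolver at the update server, call its use_tsig() with the same keyring, key name and algorithm the update will use, and pass it as the resolver= argument of dns.resolver.zone_for_name(), so that zone discovery and the update are answered by the same view. Whether the module is changed that way is not shown here.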


cc @nerzhul

ansibullbot avatar Aug 07 '20 13:08 ansibullbot
