Including innapropriate IPv6 addresses in dyndns_update

[Window-Hero]

Tested in version 2.8.2

SSSD is including IPv6 addresses marked deprecated via dyndns_update, so when a host's prefix changes, both the old and new address are included in the update, causing the DNS server to sometimes distribute the deprecated address, preventing connectivity. I have not tested if it also erroneously includes addresses marked temporary, because all of my domain joined machines currently have this disabled, however I am concerned it may do this as well.

I found the related bug 1991 from a much older version, where even link local addresses were being included. Fortunately that issue is no longer present.

I found the related issue 5662 where because address changes do not result in an interface drop, they do not trigger dyndns_update. This is obviously a different issue, but it also causes IPv6 addressing information in the DC to be inaccurate, it just has eventual consistency.

[thalman]

Hello @Window-Hero , thanks for the report.

I checked the code and I can confirm that you are right. SSSD does not check the status of assigned addresses.

This is not hard to fix. We should exclude addresses with the flags IFA_F_DEPRECATED, IFA_F_TEMPORARY or IFA_F_TENTATIVE.

[Window-Hero]

I don't know why I didn't get my email notification for this. Thank you for looking into that. I believe the correct logic (at least from my understanding of best practices) would be that there is a hierarchy, where it excludes those addresses if the interface has an address without those flags, but will select an address with one of those flags if no other address is available.

[thalman]

You are definitely right regarding creating new connections. But in my opinion for the DNS update use-case we should simply avoid those addresses.

[andreboscatto]

For internal tracking purposes https://issues.redhat.com/browse/IDM-3235

[thalman]

Hello @Window-Hero, I wrote a fix (#8142), can you try it eventually?

[Window-Hero]

Wasn't able to get that to build in Debian Trixie, was able to get it to build in Fedora 42. Still seeing it pushing deprecated addresses.

For reference on my testing methodology, I created a fresh VM, created a testing VLAN, cloned your branch, built your branch following the process described here, installed freeipa-client and joined the machine with ipa-client-install --enable-dns-updates (which to our concern just sets dyndns_update = True and dyndns_iface = [INTERFACE] in the sssd config). Then I made sure it was updating the AAAA records in FreeIPA, rotated the IPv6 prefix being advertised on the testing VLAN, confirmed the testing VM had picked up the new IPv6 address and marked the old one deprecated, and restarted SSSD. Both addresses where listed as AAAA records in FreeIPA. I forcibly deleted these records and restarted SSSD again and it still wrote both records. I rotated the prefix again and tested again, and all three records are still being written.

[thalman]

Thanks @Window-Hero for testing. I updated the PR and fixed few things. I was able to test it partially. I would really appreciate if you can test it as well.

[Window-Hero]

@thalman That seems to have solved it in my testing. Thank you.