URL: https://github.com/SSSD/sssd/pull/66 Title: #66: Minor Dynamic DNS fixes
justin-stephenson commented: """ @fidencio No problem, thanks for looking into this.
1. Once the DNS role is installed, create a Reverse Zone in the AD DNS MMC (right click Reverse-Lookup zones and click New Zone).
2. The idea is that SSSD will create the forward A and reverse zone PTR records when nsupdate gets called, the testing of this PR would be done with no existing PTR record for this SSSD system.
3. Yes, it is checked. I believe this checkbox only tells AD to update the IP address of the PTR record when the forward A record address is manually updated, but this checkbox should not be relevant when there is no existing PTR record.
3.1) Yes, because the problem is nsupdate will still not create the Reverse PTR record when the TSIG error is encountered.
4. Sorry, I don't quite follow this last question.

The root problem here is actually that the error `TSIG error with server: tsig verify failure` can happen within nsupdate code even when the A/AAAA record is successfully added. When this happens, the nsupdate child process returns non-zero which causes SSSD to consider it a failure and abort the PTR record update operation. I believe there are various reasons which can cause the error mentioned above but I was able to reproduce one of them with the reproducer steps mentioned here in the PR.
This fix will ignore the non-zero update and try to update the PTR record regardless of the nsupdate return code. I am planning on submitting a bug to nsupdate to address the root issue of why we have the TSIG error but in the meantime I think it would be useful to make SSSD more capable of handling updates even when there are errors which could happen with nsupdate.
Actually, the ticket **https://fedorahosted.org/sssd/ticket/3227** has a comment from pspacek `If the update failed, the records will be incorrect in any case. Personally I think we should try to update all record types and let admins to deal with potential inconsistencies. `
Sorry for the long comment, feel free to continue the discussion on IRC or if you have any questions let me know. Thank you @fidencio ! """
See the full comment at https://github.com/SSSD/sssd/pull/66#issuecomment-281097299
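
The control flow discussed in the comment above, as an added example that is not SSSD's code and not part of the original comment: the forward update runs as a child process, its non-zero exit status is recorded and logged, and the PTR update is attempted anyway. The `sh -c 'exit N'` commands are constructed stand-ins for the two nsupdate invocations, and the names `run_child`, `update_records` and `update_result` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct update_result { int fwd_rc; int ptr_rc; };

/* Run argv as a child; return its exit status, or -1 if it could not be
 * forked/waited for or was terminated by a signal. */
static int run_child(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR) return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Attempt the forward update, then the PTR update regardless of the first
 * exit status. Both statuses are kept so a failure is reported, not lost.
 * Returns 0 only when both children exited 0. */
static int update_records(char *const fwd[], char *const ptr[],
                          struct update_result *res)
{
    res->fwd_rc = run_child(fwd);
    if (res->fwd_rc != 0)
        fprintf(stderr, "forward update exited %d, still trying PTR\n",
                res->fwd_rc);
    res->ptr_rc = run_child(ptr);
    return (res->fwd_rc == 0 && res->ptr_rc == 0) ? 0 : 1;
}

int main(void)
{
    /* Constructed stand-ins for the two nsupdate invocations. */
    char *fwd[] = { "sh", "-c", "exit 2", NULL };
    char *ptr[] = { "sh", "-c", "exit 0", NULL };
    struct update_result res;
    int rc = update_records(fwd, ptr, &res);

    printf("fwd=%d ptr=%d overall=%d\n", res.fwd_rc, res.ptr_rc, rc);
    return 0;
}
```

Keeping the two exit statuses separate lets the caller report a forward-update failure to logs while the PTR attempt still runs.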