We use SSSD to authenticate against a Windows AD/DNS, but DNS scavenging is not turned on. The Windows team wants to turn that on, but the Linux DNS objects are not updating their timestamps on a regular basis. We have ‘dyndns’ settings in our sssd.conf file on each host, but we still have old timestamps. I did find an nsupdate module, but all the examples are for adding or removing an object. I essentially just need to ‘touch’ the Linux objects so the timestamp stays within the DNS scavenge window. Can the nsupdate module be used to do something simple like that?
There aren’t any ‘objects’ in DNS, but there are records. Unfortunately those records don’t have timestamps, so modules like nsupdate aren’t going to be able to do what you want (which is why there is no ‘touch’ operation in that module).
If your AD/DNS admins can describe what actual operation needs to be performed in order to update the timestamp, you may be able to find a way to do it from Ansible. That will of course mean running an Ansible playbook regularly in order to execute that operation.
In addition to what @kpfleming correctly says, it would be possible to add, say, a TXT record with some form of timestamp to an owner (except for CNAME obviously) and “touch” that, but the whole management of that is an excercise I wouldn’t wish to be in charge of …
SSSD can update the dynamic dns records.
The main thing you’ll be interested in is the dyndns_* values, and set the refresh interval and ttl to whatever your AD team requires.
[domain/ad.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
Edit: I know you said you have that “enabled” yet the records are old, but I can assure you that SSSD should work just fine. You may need to dig a little deeper into why they might be stale.
You could search /var/log/sssd/sssd_ad.example.com.log for ad_dyndns_update_send and follow along to see how far it gets. You should see nsupdate messages that have a -- Begin nsupdate message -- and -- End nsupdate message -- block showing the records being updated.