<div dir="ltr">
<div><font face="monospace, monospace">OK, thanks.</font></div>
<div><font face="monospace, monospace">That would be "Dynamic updates", right? Then it is enabled.</font></div>
<div><font face="monospace, monospace"><br></font></div>
<div><font face="monospace, monospace">$ ipa dnszone-show --all</font></div>
<div><font face="monospace, monospace">Zone name: <a href="http://hq.example.com">hq.example.com</a></font></div>
<div><font face="monospace, monospace"> dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com</font></div>
<div><font face="monospace, monospace"> Zone name: hq.example.com.</font></div>
<div><font face="monospace, monospace"> Active zone: TRUE</font></div>
<div><font face="monospace, monospace"> Authoritative nameserver: ipa.hq.example.com.</font></div>
<div><font face="monospace, monospace"> Administrator e-mail address: hostmaster.hq.example.com.</font></div>
<div><font face="monospace, monospace"> SOA serial: 1427108043</font></div>
<div><font face="monospace, monospace"> SOA refresh: 3600</font></div>
<div><font face="monospace, monospace"> SOA retry: 900</font></div>
<div><font face="monospace, monospace"> SOA expire: 1209600</font></div>
<div><font face="monospace, monospace"> SOA minimum: 3600</font></div>
<div><font face="monospace, monospace"> BIND update policy: grant <a href="http://HQ.EXAMPLE.COM">HQ.EXAMPLE.COM</a> krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;</font></div>
<div><font face="monospace, monospace"> Dynamic update: TRUE</font></div>
<div><font face="monospace, monospace"> Allow query: any;</font></div>
<div><font face="monospace, monospace"> Allow transfer: none;</font></div>
<div><font face="monospace, monospace"> Allow PTR sync: FALSE</font></div>
<div><font face="monospace, monospace"> nsrecord: ipa.hq.example.com.</font></div>
<div><font face="monospace, monospace"> objectclass: idnszone, top, idnsrecord</font></div>
<div><br></div>
</div><div class="gmail_extra"><br><div class="gmail_quote">On 23 March 2015 at 12:27, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 23/03/15 12:19, Roberto Cornacchia
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">BTW, shouldn't named.conf contain an "allow-update"
statement? Mine doesn't. Or is this managed differently?</div>
</blockquote></span>
It is not needed.<br>
bind-dyndb-ldap plugin overrides this configuration, you just need
to enable updates in IPA zone setting.<br>
<br>
Martin<div><div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 March 2015 at 12:16, Roberto
Cornacchia <span dir="ltr"><<a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>On 23 March 2015
at 10:35, Petr Spacek <span dir="ltr"><<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On
23.3.2015 10:21, Roberto Cornacchia wrote:<br>
> About the DNS update, this is what the
debug log has to say:<br>
><br>
> Found zone name: <a href="http://hq.example.com" target="_blank">hq.example.com</a><br>
> The master is: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
> start_gssrequest<br>
> Found realm from ticket: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
> send_gssrequest<br>
</span>> *; Communication with 192.168.0.72#53
failed: operation canceled*<br>
> *Reply from SOA query:*<br>
<span>> ;; ->>HEADER<<- opcode:
QUERY, status: SERVFAIL, id: 4923<br>
> ;; flags: qr ra; QUESTION: 1, ANSWER: 0,
AUTHORITY: 0, ADDITIONAL: 0<br>
> ;; QUESTION SECTION:<br>
> ;<a href="http://1835417091.sig-ipa.hq.example.com" target="_blank">1835417091.sig-ipa.hq.example.com</a>.
ANY TKEY<br>
><br>
> response to SOA query was unsuccessful<br>
<br>
</span>- Please verify that 192.168.0.72 is the
correct IP address of the FreeIPA server.<br>
</blockquote>
<div><br>
</div>
</span>
<div>Positive</div>
<span>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-
Please check named.logs on the server side to see
if there are any complaints<br>
about unsuccessful key negotiation with client.<br>
<br>
</blockquote>
<div><br>
</div>
</span>
<div>I raised named's log level to debug 10 and
restarted</div>
<div>Ran ipa-client-install again.</div>
<div>The log shows many queries from the client, for
A/AAAA/SOA record types, both about the server and
the client. All approved, no problem.</div>
<div>The log does not seem to contain a single failure
/ rejection.<br>
</div>
<div><br>
</div>
<div>However: </div>
<div>1) The client reports that response to SOA query
was unsuccessful. The server log does not say
anything about this.</div>
<div>2) The server log does not contain any update
request</div>
<span>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
> Notice that it is *different* from what I got
before the chronyd change.<br>
<span>> Before, there was not even a reply:<br>
><br>
> Found zone name: <a href="http://hq.example.com" target="_blank">hq.example.com</a><br>
> The master is: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
> start_gssrequest<br>
> Found realm from ticket: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
> send_gssrequest<br>
</span>> *; Communication with 192.168.0.72#53
failed: operation canceled*<br>
> *could not reach any name server*<br>
<br>
Interesting, this should not be related to time
synchronization in any way.<br>
DNS server simply did not return any answer.<br>
<span><font color="#888888"><br>
--<br>
Petr^2 Spacek<br>
</font></span>
<div>
<div><br>
--<br>
Manage your subscription for the Freeipa-users
mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</span></div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote></div><br></div>
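<p>The <code>BIND update policy</code> line in the <code>ipa dnszone-show --all</code> output above is a BIND <code>update-policy</code> made of <code>krb5-self</code> grants, and Martin's point is that this zone setting, not an <code>allow-update</code> in named.conf, is what governs the client's dynamic update. The following Python script is an added example, not code from this thread, from FreeIPA or from BIND: it parses the quoted zone listing (copied below as sample input), confirms <code>Dynamic update: TRUE</code>, and evaluates whether a given Kerberos host principal would be granted an update for a given owner name and record type under those <code>krb5-self</code> rules. The client principal <code>host/client1.hq.example.com@HQ.EXAMPLE.COM</code> is constructed for the demonstration, and the handling of a non-<code>*</code> name field is an assumption noted in the code.</p>

```python
# Added example (not from the thread, FreeIPA or BIND): evaluate a FreeIPA-managed
# BIND update-policy with krb5-self grants against a proposed dynamic update.
import re
from dataclasses import dataclass

# Sample input: the zone listing quoted in the thread (with its redacted domain).
ZONE_LISTING = """\
$ ipa dnszone-show --all
Zone name: hq.example.com
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""

# A rule with no explicit type list matches every type except these (BIND default).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # for krb5-self: the Kerberos realm
    nametype: str      # only "krb5-self" is evaluated here
    name: str          # "*" in the thread's policy
    types: frozenset   # empty = default set (all but DEFAULT_EXCLUDED)


def parse_zone_listing(text):
    """Return {field: value} for the 'Key: value' lines of an ipa dnszone-show listing."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9 -]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_update_policy(policy):
    """Parse 'grant|deny IDENTITY NAMETYPE NAME [TYPE ...];' statements into Rules."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        if len(parts) < 4 or parts[0] not in ("grant", "deny"):
            raise ValueError("unparsable update-policy rule: %r" % stmt)
        action, identity, nametype, name, *types = parts
        rules.append(Rule(action, identity, nametype, name,
                          frozenset(t.upper() for t in types)))
    return rules


def _rule_allows_type(rule, rrtype):
    if rule.types:
        return rrtype.upper() in rule.types
    return rrtype.upper() not in DEFAULT_EXCLUDED


def _name_in_domain(name, domain):
    """Case-insensitive 'name equals domain or lies below it' on absolute names."""
    name = name.lower().rstrip(".") + "."
    domain = domain.lower().rstrip(".") + "."
    return name == domain or name.endswith("." + domain)


def krb5_self_decision(rules, principal, owner_name, rrtype):
    """First-match evaluation of krb5-self rules, as BIND does for update-policy.

    krb5-self lets host/MACHINE@REALM update records owned by MACHINE when REALM
    equals the rule's identity. A name field of '*' matches any machine name; any
    other value is treated here as a domain the machine name must fall under
    (assumption, check the BIND ARM for your version). Returns "grant", "deny",
    or None when no rule matches (BIND then refuses the update).
    """
    m = re.fullmatch(r"host/([^@]+)@([^@]+)", principal)
    if not m:
        return None  # not a host principal: krb5-self rules never match
    machine, realm = m.group(1), m.group(2)
    for rule in rules:
        if rule.nametype != "krb5-self" or realm != rule.identity:
            continue  # realm compared exactly: Kerberos realms are case-sensitive
        if machine.lower().rstrip(".") != owner_name.lower().rstrip("."):
            continue
        if rule.name != "*" and not _name_in_domain(machine, rule.name):
            continue
        if not _rule_allows_type(rule, rrtype):
            continue
        return rule.action
    return None


def check_zone(listing, principal, owner_name, rrtype):
    """Return (dynamic_update_enabled, policy_decision) for one proposed update."""
    fields = parse_zone_listing(listing)
    enabled = fields.get("Dynamic update", "FALSE").upper() == "TRUE"
    rules = parse_update_policy(fields.get("BIND update policy", ""))
    return enabled, krb5_self_decision(rules, principal, owner_name, rrtype)


if __name__ == "__main__":
    client = "host/client1.hq.example.com@HQ.EXAMPLE.COM"  # constructed client principal
    for owner, rrtype in [("client1.hq.example.com.", "A"),
                          ("client1.hq.example.com.", "SSHFP"),
                          ("client1.hq.example.com.", "TXT"),
                          ("ipa.hq.example.com.", "A")]:
        print(owner, rrtype, check_zone(ZONE_LISTING, client, owner, rrtype))
```

<p>Run as a script it prints one decision per proposed update: the constructed client is granted A and SSHFP on its own name, gets no match for TXT (no grant lists that type) and none for the server's name (krb5-self only covers the machine named in the principal). Note that named consults these grants only after the GSS-TSIG key exchange has succeeded; the SERVFAIL that Roberto's debug log shows in reply to the TKEY query happens in that earlier step, which is why Petr points at key-negotiation errors in named's log rather than at the policy.</p>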