<div dir="ltr">Thank you, dump sent privately</div><div class="gmail_extra"> <div class="gmail_quote">On 23 March 2015 at 13:33, Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 23.3.2015 12:33, Roberto Cornacchia wrote: > OK, thanks. > That would be "Dynamic updates", right? Then it is enabled. > > $ ipa dnszone-show --all > Zone name: <a href="http://hq.example.com" target="_blank">hq.example.com</a> > dn: idnsname=<a href="http://hq.example.com" target="_blank">hq.example.com</a>.,cn=dns,dc=hq,dc=example,dc=com > Zone name: <a href="http://hq.example.com" target="_blank">hq.example.com</a>. > Active zone: TRUE > Authoritative nameserver: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a>. > Administrator e-mail address: <a href="http://hostmaster.hq.example.com" target="_blank">hostmaster.hq.example.com</a>. > SOA serial: 1427108043 > SOA refresh: 3600 > SOA retry: 900 > SOA expire: 1209600 > SOA minimum: 3600 > BIND update policy: grant <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a> krb5-self * A; grant <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a> > krb5-self * AAAA; grant <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a> krb5-self * SSHFP; > Dynamic update: TRUE This is correct (but it should not affect SOA query anyway). Could you share named logs on debug level 10 with us? It would be even better is you could provide us tcpdump with transactions in question. On the client (before you start installation) please: 1) Execute command $ tcpdump -i any -w /tmp/dns.pcap 'port 53' 2) Run ipa-client-install 3) Kill the tcpdump: $ pkill tcpdump 4) Send us the file. Feel free to send the files to me (<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>) and Martin^2 (<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>) privately if you do not want to make them public. Have a nice day! Petr^2 Spacek <div class="HOEnZb"><div class="h5"> > Allow query: any; > Allow transfer: none; > Allow PTR sync: FALSE > nsrecord: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a>. > objectclass: idnszone, top, idnsrecord > > > On 23 March 2015 at 12:27, Martin Basti <<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>> wrote: > >> On 23/03/15 12:19, Roberto Cornacchia wrote: >> >> BTW, shouldn't named.conf contain an "allow-update" statement? Mine >> doesn't. Or is this managed differently? >> >> It is not needed. >> bind-dyndb-ldap plugin overrides this configuration, you just need to >> enable updates in IPA zone setting. >> >> Martin >> >> >> >> On 23 March 2015 at 12:16, Roberto Cornacchia < >> <a href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a>> wrote: >> >>> >>> >>> On 23 March 2015 at 10:35, Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> wrote: >>> >>>> On 23.3.2015 10:21, Roberto Cornacchia wrote: >>>>> About the DNS update, this is what the debug log has to say: >>>>> >>>>> Found zone name: <a href="http://hq.example.com" target="_blank">hq.example.com</a> >>>>> The master is: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a> >>>>> start_gssrequest >>>>> Found realm from ticket: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a> >>>>> send_gssrequest >>>>> *; Communication with 192.168.0.72#53 failed: operation canceled* >>>>> *Reply from SOA query:* >>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923 >>>>> ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 >>>>> ;; QUESTION SECTION: >>>>> ;<a href="http://1835417091.sig-ipa.hq.example.com" target="_blank">1835417091.sig-ipa.hq.example.com</a>. ANY TKEY >>>>> >>>>> response to SOA query was unsuccessful >>>> >>>> - Please verify that 192.168.0.72 is the correct IP address of the >>>> FreeIPA server. >>>> >>> >>> Positive >>> >>> >>>> - Please check named.logs on the server side to see if there are any >>>> complains >>>> about unsuccessful key negotiation with client. >>>> >>>> >>> I raised named's log level to debug 10 and restarted >>> Ran ipa-client-install again. >>> The log shows many queries from the client, for A/AAA/SOA record types, >>> both about the server and the client. All approved, no problem. >>> The log does not seem to contain a single failure / rejection. >>> >>> However: >>> 1) The client reports that response to SOA query was unsuccessful. The >>> server log does not say anything about this. >>> 2) The server log does not contain any update request >>> >>> >>>>> Notice that is is *different* from what I got before the chronyd >>>> change. >>>>> Before, there was not even a reply: >>>>> >>>>> Found zone name: <a href="http://hq.example.com" target="_blank">hq.example.com</a> >>>>> The master is: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a> >>>>> start_gssrequest >>>>> Found realm from ticket: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a> >>>>> send_gssrequest >>>>> *; Communication with 192.168.0.72#53 failed: operation canceled* >>>>> *could not reach any name server* >>>> >>>> Interesting, this should not be related to time synchronization in any >>>> way. >>>> DNS server simply did not return any answer. >>>> >>>> -- >>>> Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </div></div></blockquote></div> </div>