<div dir="ltr"><div><div><div><div>The reason I hit this issue was because I am testing out a setup where LDAP etc. are running on a private subnet but hosting public zones.<br></div>Therefore I changed the nameservers of these zones and the primary nameserver SOA record to a publicly reachable hostname.<br></div><br></div>I agree this is no issue for the majority of users.<br><br></div><div>There already is a warning in the UI and IPA CLI. It might be good to add an extra line to this warning regarding the fake_mname, although this might also cause confusion.<br><br></div><div>Regards,<br><br></div><div>David<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-08-20 15:09 GMT+02:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<br>
<br>
<div>On 08/20/2015 02:46 PM, David
Dejaeghere wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>confirmed working.<br>
</div>
Does this default value make any sense if this value is
changeable in the UI and using the IPA client?<br>
<br>
</div>
Kind Regards,<br>
<br>
</div>
David<br>
</div>
</blockquote>
<br></span>
IMHO (I'm not 100% sure)<br>
<br>
IPA DNS servers are master servers, which contain only authoritative zones.<br>
Each DNS server contains the same copy of the zones synchronized with the
LDAP database, and each server is authoritative for those zones
(multimaster DNS topology).<br>
So there is no reason to have a different server than IPA DNS listed
as authoritative server.<br>
<br>
This works for the majority of users.<br>
<br>
This also works as a fallback (on the local network only, without caching):
when one replica is down, one of the remaining IPA DNS servers may act
as authoritative server (primary master for DDNS).<br>
<br>
I agree that this is tricky (I forgot about fake_mname too) for
users who want to change it; we may show a warning to the user or somehow
let them know that fake_mname is used.<span class="HOEnZb"><font color="#888888"><br>
<br>
Martin</font></span><div><div class="h5"><br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-08-20 14:38 GMT+02:00 Martin Basti
<span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span> <br>
<br>
<div>On 08/20/2015 02:35 PM, David Dejaeghere wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Aha,<br>
<br>
</div>
Correct. But I never set this. This option
seems to be set by default.<br>
</div>
I verified this issue on multiple installs. It
seems they all have this option set by
default?<br>
<br>
</div>
Can I safely change named.conf without fearing
my modifications will be lost on an update?<br>
<br>
</div>
Kind Regards,<br>
<br>
</div>
David<br>
</div>
</blockquote>
</span> (Adding freeipa-users back)<br>
<br>
I checked the code, it is the default.<br>
<br>
You can change named.conf, upgrade will not replace it.<span><font color="#888888"><br>
<br>
Martin</font></span>
<div>
<div><br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-08-20 14:32
GMT+02:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div> <br>
<div>On 08/20/2015 02:22 PM, Martin
Basti wrote:<br>
</div>
<blockquote type="cite"> <br>
<br>
<div>On 08/20/2015 01:48 PM, David
Dejaeghere wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
I noticed that changing
the authoritative
nameserver in FreeIPA
is reflected correctly in its
directory data, but BIND
will not resolve the SOA
record with the updated
MNAME details.<br>
<br>
</div>
For example I add a zone <a href="http://test.be" target="_blank">test.be</a>
and change the mname record.<br>
<br>
[root@ns02 ~]# ipa
dnszone-add<br>
Zone name: <a href="http://test.be" target="_blank">test.be</a><br>
Zone name: <a href="http://test.be" target="_blank">test.be</a>.<br>
Active zone: TRUE<br>
<b> Authoritative
nameserver: <a href="http://ns02.tokiogroup.be" target="_blank">ns02.tokiogroup.be</a>.</b><br>
Administrator e-mail
address: hostmaster<br>
SOA serial: 1440070999<br>
SOA refresh: 3600<br>
SOA retry: 900<br>
SOA expire: 1209600<br>
SOA minimum: 3600<br>
BIND update policy: grant
<a href="http://TOKIOGROUP.BE" target="_blank">TOKIOGROUP.BE</a>
krb5-self * A; grant <a href="http://TOKIOGROUP.BE" target="_blank">TOKIOGROUP.BE</a>
krb5-self * AAAA; grant <a href="http://TOKIOGROUP.BE" target="_blank">TOKIOGROUP.BE</a>
krb5-self *<br>
SSHFP;<br>
Dynamic update: FALSE<br>
Allow query: any;<br>
Allow transfer: none;<br>
[root@ns02 ~]# ipa
dnszone-mod --nameserver<br>
anaconda-ks.cfg
.bash_logout
.bashrc
.ipa/ .ssh/<br>
.bash_history
.bash_profile
.cshrc
.pki/ .tcshrc<br>
<br>
<br>
[root@ns02 ~]# ipa
dnszone-mod --name-server<b>
<a href="http://ns7.tokiogroup.be" target="_blank">ns7.tokiogroup.be</a></b>.<br>
Zone name: <a href="http://test.be" target="_blank">test.be</a><br>
ipa: WARNING: Semantic of
setting Authoritative
nameserver was changed. It
is used only for setting the
SOA MNAME attribute.<br>
NS record(s) can be edited
in zone apex - '@'.<br>
Zone name: <a href="http://test.be" target="_blank">test.be</a>.<br>
Active zone: TRUE<br>
<b>Authoritative
nameserver: <a href="http://ns7.tokiogroup.be" target="_blank">ns7.tokiogroup.be</a>.</b><br>
Administrator e-mail
address: hostmaster<br>
SOA serial: 1440071001<br>
SOA refresh: 3600<br>
SOA retry: 900<br>
SOA expire: 1209600<br>
SOA minimum: 3600<br>
Allow query: any;<br>
Allow transfer: none;<br>
<br>
<br>
[root@ns02 ~]# nslookup<br>
> set q=SOA<br>
> <a href="http://test.be" target="_blank">test.be</a><br>
Server: 127.0.0.1<br>
Address: 127.0.0.1#53<br>
<br>
<a href="http://test.be" target="_blank">test.be</a><br>
<b> origin = <a href="http://ns02.tokiogroup.be" target="_blank">ns02.tokiogroup.be</a></b><br>
mail addr = <a href="http://hostmaster.test.be" target="_blank">hostmaster.test.be</a><br>
serial = 1440071001<br>
refresh = 3600<br>
retry = 900<br>
expire = 1209600<br>
minimum = 3600<br>
<br>
</div>
As you can see the SOA record
still shows the original
default value.<br>
<br>
</div>
Kind Regards,<br>
<br>
</div>
David Dejaeghere<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
Thank you for this bug report.<br>
I opened bind-dyndb-ldap ticket <a href="https://fedorahosted.org/bind-dyndb-ldap/ticket/159" target="_blank">https://fedorahosted.org/bind-dyndb-ldap/ticket/159</a><br>
<br>
Martin<br>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</div>
</div>
I may have found why you have this issue,<br>
<br>
do you have fake_mname configured in the
bind_dyndb_ldap section of named.conf?<br>
If yes, then remove this option to use the SOA
MNAME from LDAP.<span><font color="#888888"><br>
<br>
Martin<br>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
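The thread's diagnosis is that a fake_mname argument in the bind-dyndb-ldap dynamic-db block of named.conf overrides the SOA MNAME stored in LDAP, which is why ipa dnszone-mod --name-server changed the directory data but not what nslookup returned. The script below is an added example for this page, not code from the thread, from FreeIPA or from bind-dyndb-ldap: it parses a named.conf dynamic-db block, reports whether fake_mname is set, predicts the MNAME BIND will serve for a given LDAP value, strips the option (the fix Martin suggests), and extracts the origin field from nslookup's SOA display for comparison. The named.conf layout is an assumption modelled on the FreeIPA-generated file, and all hostnames and sample text are constructed placeholders.

```python
"""Audit a BIND named.conf for a bind-dyndb-ldap `fake_mname` argument and
predict which SOA MNAME BIND will actually serve for a zone.

Added example for this thread; it is not FreeIPA or bind-dyndb-ldap code.
The dynamic-db block layout is an assumption modelled on the FreeIPA-generated
named.conf, and every hostname below is a constructed placeholder."""

import re
from typing import Dict, Optional

# Constructed sample named.conf (placeholder hostnames, not from a real install).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
};

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "server_id ns02.example.com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ns02.example.com";
    arg "fake_mname ns02.example.com.";
};
"""

# Constructed nslookup output in the shape shown in the thread.
SAMPLE_NSLOOKUP_SOA = """\
test.example
        origin = ns02.example.com
        mail addr = hostmaster.test.example
        serial = 1440071001
        refresh = 3600
"""

DYNAMIC_DB_RE = re.compile(r'dynamic-db\s+"[^"]*"\s*\{(.*?)\};', re.S)
ARG_RE = re.compile(r'arg\s+"([^"\s]+)\s*([^"]*)"\s*;')


def parse_dynamic_db_args(named_conf: str) -> Dict[str, str]:
    """Return {name: value} for the `arg "name value";` lines of the first
    dynamic-db block; an empty dict when there is no such block."""
    block = DYNAMIC_DB_RE.search(named_conf)
    if not block:
        return {}
    return {name: value.strip() for name, value in ARG_RE.findall(block.group(1))}


def effective_soa_mname(named_conf: str, ldap_mname: str) -> str:
    """MNAME BIND serves: fake_mname wins when configured, otherwise the LDAP
    value (what `ipa dnszone-mod --name-server` sets)."""
    fake = parse_dynamic_db_args(named_conf).get("fake_mname")
    return fake if fake else ldap_mname


def fake_mname_overrides_ldap(named_conf: str, ldap_mname: str) -> bool:
    """True when the served MNAME will differ from what LDAP holds."""
    return effective_soa_mname(named_conf, ldap_mname) != ldap_mname


def remove_fake_mname(named_conf: str) -> str:
    """Return named.conf with the fake_mname arg line dropped, the fix
    suggested in the thread so that the SOA MNAME from LDAP is used."""
    return re.sub(r'^[ \t]*arg\s+"fake_mname[^"]*"\s*;[ \t]*\n', "",
                  named_conf, flags=re.M)


def parse_nslookup_soa_origin(output: str) -> Optional[str]:
    """Extract the MNAME ('origin = ...') from nslookup's SOA display."""
    m = re.search(r'^\s*origin\s*=\s*(\S+)', output, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    ldap_value = "ns7.example.com."  # constructed: what the admin set in LDAP
    print("fake_mname present:", parse_dynamic_db_args(SAMPLE_NAMED_CONF).get("fake_mname"))
    print("served MNAME      :", effective_soa_mname(SAMPLE_NAMED_CONF, ldap_value))
    print("nslookup shows    :", parse_nslookup_soa_origin(SAMPLE_NSLOOKUP_SOA))
    fixed = remove_fake_mname(SAMPLE_NAMED_CONF)
    print("after removal     :", effective_soa_mname(fixed, ldap_value))
```

Run it against a real named.conf by reading the file into `effective_soa_mname` with the MNAME you set in FreeIPA; a True result from `fake_mname_overrides_ldap` means the SOA served to the public will not match the directory, which matters when, as in David's setup, the zone's primary nameserver must be a publicly reachable host.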