<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 08/20/2015 03:14 PM, David
Dejaeghere wrote:<br>
</div>
<blockquote
cite="mid:CAO9DwO_jTZm71ADXRUbrY9-kBLFZDD=njXK-T8XsvdrHtz6NDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>The reason I hit this issue was because I am testing
out a setup where ldap etc are running on a private
subnet but is hosting public zones.<br>
</div>
Therefore I change the nameservers of these zones and the
primary nameserver SOA record to a publicly reachable
hostname.<br>
</div>
<br>
</div>
I agree this is no issue for the majority of users. <br>
<br>
</div>
<div>There already is a warning in the UI and IPA CLI. It might
be good to add an extra line to this warning regarding the
fake_mname, although this might also cause confusion.<br>
<br>
</div>
<div>Regards,<br>
<br>
</div>
<div>David<br>
</div>
</div>
</blockquote>
<br>
I agree, ticket filed: <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5241">https://fedorahosted.org/freeipa/ticket/5241</a><br>
<blockquote
cite="mid:CAO9DwO_jTZm71ADXRUbrY9-kBLFZDD=njXK-T8XsvdrHtz6NDQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-08-20 15:09 GMT+02:00 Martin Basti
<span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class=""> <br>
<br>
<div>On 08/20/2015 02:46 PM, David Dejaeghere wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Confirmed working.<br>
</div>
Does this default value make any sense if this
value is changeable in the UI and using the IPA
client?<br>
<br>
</div>
Kind Regards,<br>
<br>
</div>
David<br>
</div>
</blockquote>
<br>
</span> IMHO (I'm not 100% sure)<br>
<br>
IPA DNS servers are master servers, which contain only
authoritative zones.<br>
Each DNS server contains the same copy of the zones,
synchronized with the LDAP database, and each server is
authoritative for that zone (multimaster DNS topology).<br>
So there is no reason to list a server other than the
IPA DNS servers as authoritative.<br>
<br>
This works for the majority of users.<br>
<br>
This also works as a fallback (on the local network only,
without caching): when one replica is down, one of the
remaining IPA DNS servers may act as the authoritative server
(primary master for DDNS).<br>
<br>
I agree that this is tricky (I forgot about fake_mname
too) for users who want to change it; we may show a warning
to the user or somehow let them know that fake_mname is used.<span
class="HOEnZb"><font color="#888888"><br>
<br>
Martin</font></span>
<div>
<div class="h5"><br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-08-20 14:38
GMT+02:00 Martin Basti <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span> <br>
<br>
<div>On 08/20/2015 02:35 PM, David
Dejaeghere wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Aha,<br>
<br>
</div>
Correct. But I never set this.
This option seems to be set by
default.<br>
</div>
I verified this issue on
multiple installs. It seems they
all have this option set by
default?<br>
<br>
</div>
Can I safely change named.conf
without fearing my modifications
will be lost on an update?<br>
<br>
</div>
Kind Regards,<br>
<br>
</div>
David<br>
</div>
</blockquote>
</span> (Adding freeipa-users back)<br>
<br>
I checked the code; it is the default.<br>
<br>
You can change named.conf; the upgrade will not
replace it.<span><font color="#888888"><br>
<br>
Martin</font></span>
<div>
<div><br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-08-20
14:32 GMT+02:00 Martin Basti <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>
<div> <br>
<div>On 08/20/2015 02:22
PM, Martin Basti wrote:<br>
</div>
<blockquote type="cite"> <br>
<br>
<div>On 08/20/2015 01:48
PM, David Dejaeghere
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
I noticed that changing the authoritative nameserver in FreeIPA
is reflected correctly in its directory data, but bind will not
resolve the SOA record with the updated mname details.<br>
<br>
</div>
For example I
add a zone <a
moz-do-not-send="true" href="http://test.be" target="_blank">test.be</a>
and change the
mname record.<br>
<br>
[root@ns02 ~]#
ipa
dnszone-add<br>
Zone name: <a
moz-do-not-send="true" href="http://test.be" target="_blank">test.be</a><br>
Zone name: <a
moz-do-not-send="true" href="http://test.be" target="_blank">test.be</a>.<br>
Active zone:
TRUE<br>
<b>
Authoritative
nameserver: <a
moz-do-not-send="true" href="http://ns02.tokiogroup.be" target="_blank">ns02.tokiogroup.be</a>.</b><br>
Administrator
e-mail
address:
hostmaster<br>
SOA serial:
1440070999<br>
SOA refresh:
3600<br>
SOA retry:
900<br>
SOA expire:
1209600<br>
SOA minimum:
3600<br>
BIND update
policy: grant
<a
moz-do-not-send="true"
href="http://TOKIOGROUP.BE" target="_blank">TOKIOGROUP.BE</a> krb5-self
* A; grant <a
moz-do-not-send="true" href="http://TOKIOGROUP.BE" target="_blank">TOKIOGROUP.BE</a>
krb5-self *
AAAA; grant <a
moz-do-not-send="true" href="http://TOKIOGROUP.BE" target="_blank">TOKIOGROUP.BE</a>
krb5-self *<br>
SSHFP;<br>
Dynamic
update: FALSE<br>
Allow query:
any;<br>
Allow
transfer:
none;<br>
[root@ns02 ~]#
ipa
dnszone-mod
--nameserver<br>
anaconda-ks.cfg
.bash_logout
.bashrc
.ipa/
.ssh/<br>
.bash_history
.bash_profile
.cshrc
.pki/
.tcshrc<br>
<br>
<br>
[root@ns02 ~]#
ipa
dnszone-mod
--name-server<b>
<a
moz-do-not-send="true"
href="http://ns7.tokiogroup.be" target="_blank">ns7.tokiogroup.be</a></b>.<br>
Zone name: <a
moz-do-not-send="true" href="http://test.be" target="_blank">test.be</a><br>
ipa: WARNING:
Semantic of
setting
Authoritative
nameserver was
changed. It is
used only for
setting the
SOA MNAME
attribute.<br>
NS record(s)
can be edited
in zone apex -
'@'.<br>
Zone name: <a
moz-do-not-send="true" href="http://test.be" target="_blank">test.be</a>.<br>
Active zone:
TRUE<br>
<b>Authoritative
nameserver: <a
moz-do-not-send="true" href="http://ns7.tokiogroup.be" target="_blank">ns7.tokiogroup.be</a>.</b><br>
Administrator
e-mail
address:
hostmaster<br>
SOA serial:
1440071001<br>
SOA refresh:
3600<br>
SOA retry:
900<br>
SOA expire:
1209600<br>
SOA minimum:
3600<br>
Allow query:
any;<br>
Allow
transfer:
none;<br>
<br>
<br>
[root@ns02 ~]#
nslookup<br>
&gt; set q=SOA<br>
&gt; <a moz-do-not-send="true" href="http://test.be" target="_blank">test.be</a><br>
Server:
127.0.0.1<br>
Address:
127.0.0.1#53<br>
<br>
<a
moz-do-not-send="true"
href="http://test.be" target="_blank">test.be</a><br>
<b>
origin = <a
moz-do-not-send="true"
href="http://ns02.tokiogroup.be" target="_blank">ns02.tokiogroup.be</a></b><br>
mail
addr = <a
moz-do-not-send="true"
href="http://hostmaster.test.be" target="_blank">hostmaster.test.be</a><br>
serial
= 1440071001<br>
refresh = 3600<br>
retry
= 900<br>
expire
= 1209600<br>
minimum = 3600<br>
<br>
</div>
As you can see
the SOA record
still shows the
original default
value.<br>
<br>
</div>
Kind Regards,<br>
<br>
</div>
David Dejaeghere<br>
</div>
<br>
<br>
</blockquote>
<br>
Thank you for this bug
report.<br>
I opened bind-dyndb-ldap
ticket <a moz-do-not-send="true" href="https://fedorahosted.org/bind-dyndb-ldap/ticket/159" target="_blank">https://fedorahosted.org/bind-dyndb-ldap/ticket/159</a><br>
<br>
Martin<br>
<br>
<br>
</blockquote>
</div>
</div>
I may have found why you have
this issue:<br>
<br>
do you have fake_mname
configured in the bind_dyndb_ldap
section of named.conf?<br>
If yes, then remove this option
to use the SOA MNAME from LDAP.<span><font
color="#888888"><br>
<br>
Martin<br>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
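<p>A small check for the situation described in this thread, added here as an example and not code from the thread's authors or from FreeIPA: it looks for a fake_mname arg in the bind-dyndb-ldap dynamic-db block of named.conf and compares the MNAME that nslookup returns with the nameserver stored in IPA, so the mismatch above can be explained rather than guessed at. The dynamic-db layout of named.conf is assumed from how bind-dyndb-ldap was configured at the time, and the host names in the sample input are constructed.</p>

```python
import re
# Constructed named.conf fragment in the dynamic-db layout bind-dyndb-ldap used
# in 2015 (assumed syntax; the host names are made up to match the thread).
NAMED_CONF = """
dynamic-db "ipa" {
    library "ldap.so";
    arg "base cn=dns, dc=tokiogroup,dc=be";
    arg "server_id ns02.tokiogroup.be";
    arg "fake_mname ns02.tokiogroup.be.";
};
"""
# Constructed SOA answer in nslookup's layout, as quoted in the thread.
NSLOOKUP_OUT = """test.be
        origin = ns02.tokiogroup.be
        mail addr = hostmaster.test.be
        serial = 1440071001
"""
_DYNDB_BLOCK = re.compile(r'dynamic-db\s+"[^"]+"\s*\{(.*?)\}', re.S)
_FAKE_MNAME = re.compile(r'arg\s+"fake_mname\s+([^"\s]+)"\s*;')

def find_fake_mname(named_conf):
    """Return the fake_mname value set in a dynamic-db block, or None."""
    for block in _DYNDB_BLOCK.finditer(named_conf):
        m = _FAKE_MNAME.search(block.group(1))
        if m:
            return m.group(1)
    return None

def soa_mname(nslookup_text):
    """Extract the MNAME (the 'origin' line) from nslookup SOA output."""
    m = re.search(r'^\s*origin\s*=\s*(\S+)', nslookup_text, re.M)
    return m.group(1) if m else None

def _norm(name):
    # Compare DNS names without the trailing dot and case-insensitively.
    return name.rstrip('.').lower()

def check_zone(expected_mname, named_conf, nslookup_text):
    """Does the served MNAME match what IPA stores? If not, does fake_mname
    in named.conf explain the difference?"""
    served = soa_mname(nslookup_text)
    if served is None:
        return "no SOA origin found in lookup output"
    if _norm(served) == _norm(expected_mname):
        return "ok"
    fake = find_fake_mname(named_conf)
    if fake and _norm(fake) == _norm(served):
        return ("served MNAME %s comes from fake_mname in named.conf, not from "
                "LDAP (%s): remove the fake_mname arg" % (served, expected_mname))
    return "served MNAME %s differs from configured %s" % (served, expected_mname)
```

Running check_zone("ns7.tokiogroup.be.", NAMED_CONF, NSLOOKUP_OUT) reproduces the thread's case: the served MNAME is the fake_mname value, not the one set with ipa dnszone-mod.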
</body>
</html>