<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 08/20/2015 02:22 PM, Martin Basti wrote: </div> <blockquote cite="mid:55D5C699.6080205@redhat.com" type="cite"> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 08/20/2015 01:48 PM, David Dejaeghere wrote: </div> <blockquote cite="mid:CAO9DwO-6mDSfTxY5pAihoyBkTftPGQ44zWSGyqV7si0-kXKUJg@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div> <div> <div> <div>Hi, </div> I noticed that changing the authoritarive nameserver in FreeIPA reflects correctly to its directory data but bind will not resolve the soa record with the updated mname details. </div> For example I add a zone <a moz-do-not-send="true" href="http://test.be">test.be</a> and change the mname record. [root@ns02 ~]# ipa dnszone-add Zone name: <a moz-do-not-send="true" href="http://test.be">test.be</a> Zone name: <a moz-do-not-send="true" href="http://test.be">test.be</a>. Active zone: TRUE Authoritative nameserver: <a moz-do-not-send="true" href="http://ns02.tokiogroup.be">ns02.tokiogroup.be</a>. Administrator e-mail address: hostmaster SOA serial: 1440070999 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant <a moz-do-not-send="true" href="http://TOKIOGROUP.BE">TOKIOGROUP.BE</a> krb5-self * A; grant <a moz-do-not-send="true" href="http://TOKIOGROUP.BE">TOKIOGROUP.BE</a> krb5-self * AAAA; grant <a moz-do-not-send="true" href="http://TOKIOGROUP.BE">TOKIOGROUP.BE</a> krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@ns02 ~]# ipa dnszone-mod --nameserver anaconda-ks.cfg .bash_logout .bashrc .ipa/ .ssh/ .bash_history .bash_profile .cshrc .pki/ .tcshrc [root@ns02 ~]# ipa dnszone-mod --name-server <a moz-do-not-send="true" href="http://ns7.tokiogroup.be">ns7.tokiogroup.be</a>. Zone name: <a moz-do-not-send="true" href="http://test.be">test.be</a> ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute. NS record(s) can be edited in zone apex - '@'. Zone name: <a moz-do-not-send="true" href="http://test.be">test.be</a>. Active zone: TRUE Authoritative nameserver: <a moz-do-not-send="true" href="http://ns7.tokiogroup.be">ns7.tokiogroup.be</a>. Administrator e-mail address: hostmaster SOA serial: 1440071001 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; [root@ns02 ~]# nslookup > set q=SOA > <a moz-do-not-send="true" href="http://test.be">test.be</a> Server: 127.0.0.1 Address: 127.0.0.1#53 <a moz-do-not-send="true" href="http://test.be">test.be</a> origin = <a moz-do-not-send="true" href="http://ns02.tokiogroup.be">ns02.tokiogroup.be</a> mail addr = <a moz-do-not-send="true" href="http://hostmaster.test.be">hostmaster.test.be</a> serial = 1440071001 refresh = 3600 retry = 900 expire = 1209600 minimum = 3600 </div> As you can see the SOA record still shows the original default value. </div> Kind Regards, </div> David Dejaeghere </div> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> Thank you for this bug report. I opened bind-dyndb-ldap ticket <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/ticket/159">https://fedorahosted.org/bind-dyndb-ldap/ticket/159</a> Martin <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> I maybe found why do you have this issue, do you have fake_mname configured in bind_dyndb_ldap section of named.conf? If yes then remove this option to use SOA MNAME from LDAP. Martin </body> </html>