<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 02/08/2017 11:59 PM, Ben Roberts wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:CAF6eua53V+kc-ctdRweei5+-cfR=cdf3gNCjcgDvxuXSYxAKRQ@mail.gmail.com"
type="cite">
<div dir="ltr"><tt>Hi all,</tt>
<div><tt><br>
</tt></div>
<div><tt>This is a question more about bind-dyndb-ldap rather
than freeipa, but I understand it's written/maintained by
the freeipa project and so this might be the most
appropriate place to ask. I have set up bind-dyndb-ldap to
read some zones from openldap, with multiple nameservers
acting as masters and one nameserver running as a slave via
the usual notify/transfer mechanism. I'm not seeing any DS
records transfer across to the slave nameserver, nor when I
manually query the primaries with an AXFR request. This
includes both the apex DS records, automatically generated
by bind-dyndb-ldap, but more importantly the glue dSRecord
objects for a delegated subdomain.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>I note that the dSRecord entries are present in
/var/named/dyndb-ldap/$view/master/$zone/raw but not present
in /var/named/dyndb-ldap/$view/master/$zone/signed.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Example (domain name and ip addresses obfuscated, but
all other fields are unmodified):</tt><tt><br>
</tt></div>
<div>
<div><tt>$ dig +noall +answer DS subdomain.example.local
@127.0.0.1</tt></div>
<div><tt>subdomain.example.local. 600 IN DS
38589 7 1 6C410EF5A47631FBA2C3BC295A90363EA86A1846</tt></div>
<div><tt>subdomain.example.local. 600 IN DS
38589 7 2
23E22A49BBF2AD0E3F4668CB4C0DB52EE60ACA4308C1DE002A47AD7B
99734334</tt></div>
<div>
<div><tt><br>
</tt></div>
<div><tt>$ dig +noall +answer AXFR subdomain.example.local @127.0.0.1
| head -n 1</tt></div>
<div><tt>subdomain.example.local. 600 IN SOA
ns1.example.local. hostmaster.example.local. 2016050416
43200 3600 1209600 3600</tt></div>
<div><tt><br>
</tt></div>
<div><tt>$ dig +noall +answer AXFR subdomain.example.local @127.0.0.1
| grep '\bDS\b'</tt></div>
<div><tt>$</tt></div>
</div>
</div>
<div><tt><br>
</tt></div>
<div><tt>This behaviour doesn't seem right to me. I would expect
the DS records to be transferred to the slaves as normal so
that any glue records are correctly present on all
nameservers. I can't see any references in the
bind-dyndb-ldap wiki/readme or code comments that would
explain DS records being treated specially, but please do
correct me if I'm wrong.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Regards,</tt></div>
<div><tt>Ben Roberts</tt></div>
</div>
<tt><br>
</tt>
</blockquote>
<tt>Hi,<br>
<br>
when I add a DS record to LDAP (without any DNSSEC configuration),
it is included in my AXFR transfer. I'm using
bind-dyndb-ldap-10.1.<br>
<br>
I suppose you have DNSSEC configured. Could you be affected by the
limitations mentioned in [1]?<br>
<br>
[1] -
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures</a><br>
</tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek</pre>
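<p>The missing-DS symptom in the post above is easiest to pin down by diffing the raw and signed dumps under /var/named/dyndb-ldap/$view/master/$zone rather than by eyeballing dig output. The script below is an added example, not code from bind-dyndb-ldap, FreeIPA or either poster: it parses two zone dumps in the one-RR-per-line format that dig AXFR prints, lists the records (DS by default; any type on request) that exist in the raw dump but not in the signed one, and validates each DS rdata (key tag, algorithm, digest type and digest length, re-joining a digest that dig has wrapped across whitespace). The two zone dumps embedded in it are constructed, and the placeholder digests, DNSKEY and RRSIG are not real cryptographic material.</p>

```python
"""Report RRs (DS by default) present in a raw zone dump but missing from
the signed dump, and sanity-check DS rdata.  Input is one-RR-per-line text
as printed by `dig AXFR` (the same shape as the raw/signed files under
/var/named/dyndb-ldap).  Added example, not bind-dyndb-ldap code."""
import re
from collections import defaultdict

# Digest length in bytes per DS digest type: SHA-1 (RFC 4034), SHA-256
# (RFC 4509), GOST R 34.11-94 (RFC 5933), SHA-384 (RFC 6605).
DS_DIGEST_LEN = {1: 20, 2: 32, 3: 32, 4: 48}

# Constructed "raw" dump: the zone as stored in LDAP, including the DS RRset
# for the delegated child.  Digests are placeholders of the correct length.
RAW_ZONE = """\
example.local.               600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600
example.local.               600 IN NS  ns1.example.local.
subdomain.example.local.     600 IN NS  ns1.subdomain.example.local.
ns1.subdomain.example.local. 600 IN A   192.0.2.10
subdomain.example.local.     600 IN DS  38589 7 1 {sha1}
subdomain.example.local.     600 IN DS  38589 7 2 {sha256}
""".format(sha1="AB" * 20, sha256="CD" * 32)

# Constructed "signed" dump: the signer added DNSKEY/RRSIG (placeholder
# base64), bumped the serial, and the DS RRset is gone, which is the symptom.
SIGNED_ZONE = """\
example.local.               600 IN SOA ns1.example.local. hostmaster.example.local. 2016050417 43200 3600 1209600 3600
example.local.               600 IN NS  ns1.example.local.
example.local.               600 IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDKEY=
example.local.               600 IN RRSIG SOA 7 2 600 20170310000000 20170208000000 12345 example.local. Q09OU1RSVUNURURTSUc=
subdomain.example.local.     600 IN NS  ns1.subdomain.example.local.
ns1.subdomain.example.local. 600 IN A   192.0.2.10
"""


def parse_zone(text):
    """Parse 'owner ttl IN type rdata' lines into {(owner, type): {rdata}}.
    Comments (';') and blank lines are skipped; owners are lower-cased so
    case differences between dumps are not reported as missing records.
    Parenthesised multi-line records are not handled."""
    rrsets = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError("line %d is not 'owner ttl IN type rdata': %r"
                             % (lineno, line))
        rrsets[(fields[0].lower(), fields[3].upper())].add(" ".join(fields[4:]))
    return dict(rrsets)


def missing_records(raw_text, signed_text, rtypes=("DS",)):
    """Sorted (owner, type, rdata) triples present in raw but absent from
    signed, limited to rtypes (all types when rtypes is None)."""
    raw, signed = parse_zone(raw_text), parse_zone(signed_text)
    wanted = None if rtypes is None else {t.upper() for t in rtypes}
    missing = []
    for (owner, rtype), rdatas in raw.items():
        if wanted is not None and rtype not in wanted:
            continue
        for rdata in rdatas - signed.get((owner, rtype), set()):
            missing.append((owner, rtype, rdata))
    return sorted(missing)


def parse_ds(rdata):
    """Split DS rdata 'keytag algorithm digesttype digest'; the digest may
    be wrapped over several whitespace-separated chunks, as dig prints long
    ones.  Raises ValueError when the digest length does not fit the type."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("DS rdata needs four fields: %r" % rdata)
    key_tag, alg, dtype = (int(p) for p in parts[:3])
    digest = "".join(parts[3:]).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("DS digest is not hex: %r" % digest)
    if dtype not in DS_DIGEST_LEN:
        raise ValueError("unknown DS digest type %d" % dtype)
    if len(digest) != 2 * DS_DIGEST_LEN[dtype]:
        raise ValueError("digest type %d expects %d hex chars, got %d"
                         % (dtype, 2 * DS_DIGEST_LEN[dtype], len(digest)))
    return {"key_tag": key_tag, "algorithm": alg,
            "digest_type": dtype, "digest": digest}


def report(raw_text, signed_text):
    """One summary line per DS record that the signed dump lost."""
    lines = []
    for owner, _rtype, rdata in missing_records(raw_text, signed_text, ("DS",)):
        ds = parse_ds(rdata)
        lines.append("missing from signed: %s DS keytag=%d alg=%d digest_type=%d"
                     % (owner, ds["key_tag"], ds["algorithm"], ds["digest_type"]))
    return lines or ["all DS records in raw are present in signed"]


if __name__ == "__main__":
    print("\n".join(report(RAW_ZONE, SIGNED_ZONE)))
```

<p>To use it on a real server, replace the two embedded constants with the contents of the raw and signed files (or with the output of dig AXFR against a primary and a secondary); passing rtypes=None to missing_records shows every difference, which is useful for telling an expected change (SOA serial bump, added RRSIG/NSEC3 data) from a record that has genuinely been dropped.</p>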
</body>
</html>