<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <tt>On 02/08/2017 11:59 PM, Ben Roberts wrote:</tt><tt><br> </tt> <blockquote cite="mid:CAF6eua53V+kc-ctdRweei5+-cfR=cdf3gNCjcgDvxuXSYxAKRQ@mail.gmail.com" type="cite"> <div dir="ltr"><tt>Hi all,</tt> <div><tt><br> </tt></div> <div><tt>This is a question more about bind-dyndb-ldap rather than freeipa, but I understand it's written/maintained by the freeipa project and so this might be the most appropriate place to ask. I have setup bind-dyndb-ldap to read some zones from openldap, with multiple nameservers acting as masters and one nameserver running as a slave via the usual notify/transfer mechanism. I'm not seeing any DS records transfer across to the slave nameserver, nor when I manually query the primaries with an AFXR request. This includes both the apex DS records, automatically generated by bind-dyndb-ldap, but more importantly the glue dSRecord objects for a delegated subdomain.</tt></div> <div><tt><br> </tt></div> <div><tt>I note that the dSRecord entries are present in /var/named/dyndb-ldap/$view/master/$zone/raw but not present in /var/named/dyndb-ldap/$view/master/$zone/signed.</tt></div> <div><tt><br> </tt></div> <div><tt>Example (domain name and ip addresses obfuscated, but all other fields are unmodified):</tt><tt><br> </tt></div> <div> <div><tt>$ dig +noall +answer DS subdomain.example.local @127.0.01</tt></div> <div><tt>subdomain.example.local. 600 IN DS 38589 7 1 6C410EF5A47631FBA2C3BC295A90363EA86A1846</tt></div> <div><tt>subdomain.example.local. 600 IN DS 38589 7 2 23E22A49BBF2AD0E3F4668CB4C0DB52EE60ACA4308C1DE002A47AD7B 99734334</tt></div> <div> <div><tt><br> </tt></div> <div><tt>$ dig +noall +answer AXFR subdomain.example.local @</tt><tt><a moz-do-not-send="true" href="http://127.0.0.1">127.0.0.1</a></tt><tt> | head -n 1</tt></div> <div><tt>subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600</tt></div> <div><tt><br> </tt></div> <div><tt>$ dig +noall +answer AXFR subdomain.example.local @</tt><tt><a moz-do-not-send="true" href="http://127.0.0.1">127.0.0.1</a></tt><tt> | grep '\bDS\b'</tt></div> <div><tt>$</tt></div> </div> </div> <div><tt><br> </tt></div> <div><tt>This behaviour doesn't seem right to me. I would expect the DS records to be transferred to the slaves as normal so that any glue records are correctly present on all nameservers. I can't see any references in the bind-dyndb-ldap wiki/readme or code comments that would explain DS records being treated specially, but please do correct me if I'm wrong.</tt></div> <div><tt><br> </tt></div> <div><tt>Regards,</tt></div> <div><tt>Ben Roberts</tt></div> </div> <tt><br> </tt> <fieldset class="mimeAttachmentHeader"></fieldset> <tt><br> </tt> </blockquote> <tt>Hi,<br> <br> when I add a DS record to LDAP (without any DNSSEC configuration), it is included in my AXFR transfer. I'm using bind-dyndb-ldap-10.1.<br> <br> I suppose you have DNSSEC configured. Could you be affected by the limitations mentioned in [1]?<br> <br> [1] - <a class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures</a><br> </tt> <pre class="moz-signature" cols="72">-- Tomas Krizek</pre> </body> </html>