[Freeipa-users] DNS zone transfers

Adam Tkac atkac at redhat.com
Tue Jun 21 10:12:08 UTC 2011


On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> On Thu, 2011-06-16 at 11:27 -0400, Loris Santamaria wrote:
>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
>>> Hi,
>>>
>>> I would like to use my freeIPA v2 server as my master name server and
>>> have other normal (non ldap based) bind servers as caching / secondary
>>> name servers. Ideally the clients would query only the secondary servers
>>> and the secondary name servers would perform regular zone transfers from
>>> the master server.
>>>
>>> So I'm trying to set up zone transfers in my IPA-based name server. First
>>> of all I see that the attribute "idnsAllowTransfer" referenced in the
>>> bind-dyndb-ldap documentation is not really supported in the schema
>>> installed in IPA. Next, using a global "allow-transfer" in named.conf
>>> doesn't work either.
>> A global allow-transfer should work, have you restarted named after
>> setting it ?
>>
>> If it doesn't work we may have a bug.
> I'm adding to named.conf options section:
>
> allow-transfer { 127.0.0.1; };
>
> then I restart named and try a zone transfer on the same host:
>
> # host -l ipa.corpfbk. 127.0.0.1
> ; Transfer failed.
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases: 
>
> Host ipa.corpfbk not found: 9(NOTAUTH)
> ; Transfer failed.
>
> In the logs I get:
>
> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
>
Hello Loris,

the bind-dyndb-ldap plugin currently doesn't support zone transfers, but
you should receive a SERVFAIL error in this case, not NOTAUTH.

Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here?

Regards, Adam
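The two checks Adam asks for (is named authoritative for the zone, and what rcode does the transfer actually get) can be scripted so the answer is unambiguous. The script below is an added example, not code from the thread or from the FreeIPA or bind-dyndb-ldap projects. It assumes `dig` and `host` from bind-utils are installed, defaults to the server and zone named in the thread (127.0.0.1, ipa.corpfbk), and parses the header lines those tools print; the sample replies it classifies are constructed from the output quoted above. The classifiers read tool output from stdin, so they can be tested without a live server; set CHECK_LIVE=1 to run the real queries.

```shell
#!/bin/sh
# Added example: distinguish "named does not serve this zone" (NOTAUTH, no aa
# flag on the SOA) from "zone is served but the transfer is refused or fails"
# (REFUSED / SERVFAIL). Hypothetical helper names; assumed defaults from the thread.
SERVER=${SERVER:-127.0.0.1}
ZONE=${ZONE:-ipa.corpfbk}

# soa_verdict: classify a `dig @SERVER ZONE SOA +norecurse` reply read from stdin.
#   authoritative      NOERROR with the aa flag: named holds the zone
#   not-authoritative  NOERROR without aa: answer came via recursion/cache,
#                      so an AXFR against this server will be answered NOTAUTH
#   rcode:<STATUS>     any other rcode (SERVFAIL, REFUSED, NXDOMAIN, ...)
soa_verdict() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" aa "*) echo authoritative ;;
                *)        echo not-authoritative ;;
            esac ;;
        '') echo rcode:NOREPLY ;;
        *)  echo "rcode:$status" ;;
    esac
}

# axfr_verdict: classify `host -l ZONE SERVER` output read from stdin.
# Prints OK when records were listed, otherwise the rcode host reported
# in its "not found: N(RCODE)" line (NOTAUTH in the thread), or FAILED.
axfr_verdict() {
    reply=$(cat)
    rc=$(printf '%s\n' "$reply" | sed -n 's/.*not found: [0-9]*(\([A-Z]*\)).*/\1/p' | head -n 1)
    if [ -n "$rc" ]; then
        echo "$rc"
    elif printf '%s\n' "$reply" | grep -q 'Transfer failed'; then
        echo FAILED
    else
        echo OK
    fi
}

# explain: combine both verdicts into the conclusion the thread is after.
explain() {
    case "$1/$2" in
        not-authoritative/*|rcode:*/NOTAUTH)
            echo "named is not authoritative for $ZONE: the zone is not loaded at all, so allow-transfer is not what is failing" ;;
        authoritative/OK)
            echo "zone transfer works; now restrict allow-transfer to the secondaries' addresses or a TSIG key, since AXFR hands out the whole zone" ;;
        authoritative/REFUSED)
            echo "zone is served but this client is not matched by allow-transfer" ;;
        authoritative/SERVFAIL)
            echo "zone is served but the backend cannot produce a transfer (bind-dyndb-ldap did not support AXFR when the thread was written)" ;;
        *)  echo "unexpected combination: soa=$1 axfr=$2" ;;
    esac
}

# Constructed samples, modelled on the output quoted in the thread.
SAMPLE_SOA_CACHED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AXFR_NOTAUTH='Host ipa.corpfbk not found: 9(NOTAUTH)
; Transfer failed.'

# demo: run the classifiers over the constructed samples (offline).
demo() {
    soa=$(printf '%s\n' "$SAMPLE_SOA_CACHED" | soa_verdict)
    axfr=$(printf '%s\n' "$SAMPLE_AXFR_NOTAUTH" | axfr_verdict)
    echo "SOA: $soa  AXFR: $axfr"
    explain "$soa" "$axfr"
}

# Live mode: query the real server (needs dig and host on PATH).
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    soa=$(dig @"$SERVER" "$ZONE" SOA +norecurse | soa_verdict)
    axfr=$(host -l "$ZONE" "$SERVER" 2>&1 | axfr_verdict)
    echo "SOA: $soa  AXFR: $axfr"
    explain "$soa" "$axfr"
else
    demo
fi
```

The ordering matters: a `host -l` that returns NOTAUTH says nothing about `allow-transfer`, because named never got as far as the transfer ACL; the SOA query with `+norecurse` and the `aa` flag is the check that tells you whether the zone is loaded at all. Only once the SOA is answered authoritatively does the AXFR rcode become meaningful, and at that point REFUSED points at the ACL while SERVFAIL points at the backend.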