[Freeipa-users] DNS zone transfers

Adam Tkac atkac at redhat.com
Tue Jun 21 14:02:07 UTC 2011


On 06/21/2011 03:51 PM, Loris Santamaria wrote:
> On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote:
>> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
>>> On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
>>>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
>>>>> Hi,
>>>>>
>>>>> I would like to use my freeIPA v2 server as my master name server and
>>>>> have other normal (non ldap based) bind servers as caching / secondary
>>>>> name servers. Ideally the clients would query only the secondary servers
>>>>> and the secondary name servers would perform regular zone transfers from
>>>>> the master server.
>>>>>
>>>>> So I'm trying to setup zone transfer in my IPA based name server. First
>>>>> of all I see that the attribute "idnsAllowTransfer" referenced in the
>>>>> bind-dyndb-ldap documentation is not really supported in the schema
>>>>> installed in IPA. Next, using a global "allow-transfer" in named.conf
>>>>> doesn't work either.
>>>> A global allow-transfer should work, have you restarted named after
>>>> setting it?
>>>>
>>>> If it doesn't work we may have a bug.
>>> I'm adding to named.conf options section:
>>>
>>> allow-transfer { 127.0.0.1; };
>>>
>>> then I restart named and try a zone transfer on the same host:
>>>
>>> # host -l ipa.corpfbk. 127.0.0.1
>>> ; Transfer failed.
>>> Using domain server:
>>> Name: 127.0.0.1
>>> Address: 127.0.0.1#53
>>> Aliases: 
>>>
>>> Host ipa.corpfbk not found: 9(NOTAUTH)
>>> ; Transfer failed.
>>>
>>> In the logs I get:
>>>
>>> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
>>>
>> Hello Loris,
>>
>> the bind-dyndb-ldap plugin currently doesn't support zone transfers but
>> you should receive SERVFAIL error in this case, not NOTAUTH.
>>
>> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
>> zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here?
> The zone's SOA seems right to me:
>
> [root at ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA
>
> ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;ipa.corpfbk.			IN	SOA
>
> ;; ANSWER SECTION:
> ipa.corpfbk.		86400	IN	SOA	ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600
>
> ;; AUTHORITY SECTION:
> ipa.corpfbk.		86400	IN	NS	ipa01.central.corpfbk.
>
> ;; ADDITIONAL SECTION:
> ipa01.central.corpfbk.	86400	IN	A	192.168.3.6
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 21 09:15:43 2011
> ;; MSG SIZE  rcvd: 133
That's weird if the server still returns NOTAUTH. Are you sure you perform
the zone transfer from 192.168.3.6? (i.e. you execute the host utility on
the machine with IP 192.168.3.6).

Regards, Adam
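
Added example (my own code, not from the thread or from bind-dyndb-ldap): a small Python script that builds an AXFR request in DNS wire format, sends it over TCP as BIND requires, and classifies the response header so the NOTAUTH / REFUSED / SERVFAIL distinction made above can be checked directly. It uses only the standard library. The sample response bytes are constructed here for offline use; the default zone and address are the ones from the thread, and the diagnosis strings are my own summary of what each RCODE usually means for a transfer.

```python
# Added example: build a DNS AXFR request and triage the response header.
# RCODE numbers are from RFC 1035 / RFC 2136 (9 = NOTAUTH, as in "9(NOTAUTH)").
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
QTYPE_SOA = 6
QTYPE_AXFR = 252


def encode_name(name):
    """Encode a dotted name into DNS label wire format (length-prefixed labels)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    out = b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels)
    return out + b"\x00"


def build_query(zone, qtype, qid=0x1234):
    """12-byte header (RD set, one question) followed by the question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the header fields needed for triage: QR, AA, RCODE and the counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_axfr_response(msg):
    """Map the header of the first AXFR response message to a diagnosis string."""
    h = parse_header(msg)
    name = RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"])
    if h["rcode"] == 9:
        return "NOTAUTH: server does not treat itself as authoritative for the zone at this address/view"
    if h["rcode"] == 5:
        return "REFUSED: transfer denied by ACL (check allow-transfer)"
    if h["rcode"] == 2:
        return "SERVFAIL: server is authoritative but its backend could not produce the transfer"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "NOERROR: transfer answered (%d records in first message)" % h["ancount"]
    return "%s: unexpected response" % name


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def axfr_first_message(zone, server, port=53, timeout=5.0):
    """Send the AXFR over TCP (2-byte length prefix) and return the first reply message."""
    query = build_query(zone, QTYPE_AXFR)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)


# Constructed sample: QR|RD|RA set, AA clear, RCODE 9, question echoed back.
CONSTRUCTED_NOTAUTH_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8189, 1, 0, 0, 0)
                                + encode_name("ipa.corpfbk") + struct.pack("!HH", QTYPE_AXFR, 1))

if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Live check: python axfr_triage.py <zone> <server-ip>
        print(classify_axfr_response(axfr_first_message(sys.argv[1], sys.argv[2])))
    else:
        print(classify_axfr_response(CONSTRUCTED_NOTAUTH_RESPONSE))
```

Run it with no arguments to see the constructed NOTAUTH case classified; with a zone and server address it performs the real query. The `aa` field from `parse_header` on a SOA response is the same authoritative-answer flag that shows up as "aa" in the dig output quoted above, so the two checks can be combined: an `aa` SOA answer together with a NOTAUTH AXFR from the same address is the contradictory state the thread is chasing.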



