[Freeipa-users] DNS zone transfers

Loris Santamaria loris at lgs.com.ve
Thu Jun 23 13:05:33 UTC 2011


On Tue, 21-06-2011 at 16:02 +0200, Adam Tkac wrote:
> On 06/21/2011 03:51 PM, Loris Santamaria wrote:
> > On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote:
> >> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> >>> On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> >>>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I would like to use my freeIPA v2 server as my master name server and
> >>>>> have other normal (non ldap based) bind servers as caching / secondary
> >>>>> name servers. Ideally the clients would query only the secondary servers
> >>>>> and the secondary name servers would perform regular zone transfers from
> >>>>> the master server.
> >>>>>
> >>>>> So I'm trying to set up zone transfer in my IPA based name server. First
> >>>>> of all I see that the attribute "idnsAllowTransfer" referenced in the
> >>>>> bind-dyndb-ldap documentation is not really supported in the schema
> >>>>> installed in IPA. Next, using a global "allow-transfer" in named.conf
> >>>>> doesn't work either.
> >>>> A global allow-transfer should work; have you restarted named after
> >>>> setting it?
> >>>>
> >>>> If it doesn't work we may have a bug.
> >>> I'm adding to named.conf options section:
> >>>
> >>> allow-transfer { 127.0.0.1; };
> >>>
> >>> then I restart named and try a zone transfer on the same host:
> >>>
> >>> # host -l ipa.corpfbk. 127.0.0.1
> >>> ; Transfer failed.
> >>> Using domain server:
> >>> Name: 127.0.0.1
> >>> Address: 127.0.0.1#53
> >>> Aliases: 
> >>>
> >>> Host ipa.corpfbk not found: 9(NOTAUTH)
> >>> ; Transfer failed.
> >>>
> >>> In the logs I get:
> >>>
> >>> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
> >>>
> >> Hello Loris,
> >>
> >> the bind-dyndb-ldap plugin currently doesn't support zone transfers, but
> >> you should receive a SERVFAIL error in this case, not NOTAUTH.
> >>
> >> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
> >> zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here?
> > The zone's SOA seems right to me:
> >
> > [root at ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA
> >
> > ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> >
> > ;; QUESTION SECTION:
> > ;ipa.corpfbk.			IN	SOA
> >
> > ;; ANSWER SECTION:
> > ipa.corpfbk.		86400	IN	SOA	ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600
> >
> > ;; AUTHORITY SECTION:
> > ipa.corpfbk.		86400	IN	NS	ipa01.central.corpfbk.
> >
> > ;; ADDITIONAL SECTION:
> > ipa01.central.corpfbk.	86400	IN	A	192.168.3.6
> >
> > ;; Query time: 3 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jun 21 09:15:43 2011
> > ;; MSG SIZE  rcvd: 133
> That's weird if the server still returns NOTAUTH. Are you sure you perform
> the zone transfer from 192.168.3.6? (i.e. you execute the host utility on
> the machine with IP 192.168.3.6).

Yes, I'm working directly on the machine with IP 192.168.3.6 (the IPA
server); I added a global allow-transfer directive for 127.0.0.1 and I
am using the host utility to query the 127.0.0.1 nameserver directly.

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions
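The named log line in this thread is also what a secondary-server audit keys on: a NOTAUTH for a host that allow-transfer permits points at the server not serving the zone (here, the plugin backend), while a transfer that starts for a host outside the ACL is a data-exposure finding. The following is an added example, not code from the thread or from FreeIPA/bind-dyndb-ldap; the sample lines are constructed from the posted message, and the "denied" and "AXFR started" wordings are assumed BIND 9 formats to check against your own named version.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in named's log format; the first line is the one from the
# thread, the rest are assumed BIND 9 wordings for an ACL-denied and a served AXFR.
SAMPLE_LOG = """\
Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
Jun 16 11:12:03 ipa01 named[30044]: client 192.0.2.77#41022: zone transfer 'ipa.corpfbk/AXFR/IN' denied
Jun 16 11:12:04 ipa01 named[30044]: client 192.168.3.10#41030: transfer of 'ipa.corpfbk/IN': AXFR started
Jun 16 11:12:05 ipa01 named[30044]: client 192.168.3.10#41031: query: www.ipa.corpfbk IN A + (192.168.3.6)
"""

# Common prefix of every client-related named message: "client <ip>#<port>: <msg>"
LINE_RE = re.compile(r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.+)$")
# Transfer-related message bodies, each mapped to an outcome label.
OUTCOMES = [
    ("notauth", re.compile(r"bad zone transfer request: '(?P<zone>[^/']+)/IN': non-authoritative zone \(NOTAUTH\)")),
    ("denied", re.compile(r"zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied")),
    ("started", re.compile(r"transfer of '(?P<zone>[^/']+)/IN': AXFR started")),
]

@dataclass
class TransferEvent:
    client: str
    zone: str
    outcome: str  # "notauth", "denied" or "started"

def parse_transfer_events(log: str) -> List[TransferEvent]:
    """Return one TransferEvent per zone-transfer-related named log line; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for outcome, pat in OUTCOMES:
            z = pat.search(m.group("msg"))
            if z:
                events.append(TransferEvent(m.group("ip"), z.group("zone"), outcome))
                break
    return events

def audit_transfers(log: str, allowed_secondaries: Iterable[str]) -> List[str]:
    """Classify each event against the hosts allow-transfer is meant to permit."""
    allowed, findings = set(allowed_secondaries), []
    for ev in parse_transfer_events(log):
        if ev.client in allowed and ev.outcome == "notauth":
            findings.append(f"misconfig: allowed secondary {ev.client} got NOTAUTH for {ev.zone} (server not authoritative, or backend does not serve AXFR)")
        elif ev.client not in allowed and ev.outcome == "started":
            findings.append(f"ALERT: zone {ev.zone} transferred to unlisted host {ev.client}")
        elif ev.client not in allowed:
            findings.append(f"probe: {ev.client} requested AXFR of {ev.zone} ({ev.outcome})")
    return findings
```

Run `audit_transfers(SAMPLE_LOG, {"127.0.0.1"})` to reproduce the thread's situation as the first finding, with the two unlisted clients reported after it.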