[Freeipa-users] DNS zone delegation

Petr Spacek pspacek at redhat.com
Tue Apr 17 16:01:05 UTC 2012


On 02/02/2012 10:23 AM, Adam Tkac wrote:
> On 02/01/2012 07:21 PM, Loris Santamaria wrote:
>> Hi,
>>
>> I have a dns zone managed by IPA and I'm trying to delegate a zone
>> managed by Active Directory.
>>
>> The IPA managed zone is called "corpfbk", and the AD one is
>> "ad.corpfbk".
>>
>> I started by adding the proper glue records:
>>
>> ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36
>> ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241
>>
>> Then I add what I consider should be the zone delegation:
>>
>> ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk.
>>
>> Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone,
>> except ns1 and ns2. Recursion is enabled in named.conf. Dig results:
>>
>> dig @localhost ad.corpfbk NS +norecurse
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
>> ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
>>
>> ;; QUESTION SECTION:
>> ;ad.corpfbk. IN NS
>>
>> ;; ANSWER SECTION:
>> ad.corpfbk. 86400 IN NS ns1.ad.corpfbk.
>> ad.corpfbk. 86400 IN NS ns2.ad.corpfbk.
>>
>> ;; AUTHORITY SECTION:
>> corpfbk. 86400 IN NS ipa01.central.corpfbk.
>> corpfbk. 86400 IN NS ipa02.central.corpfbk.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.ad.corpfbk. 86400 IN A 192.168.3.36
>> ns2.ad.corpfbk. 86400 IN A 192.168.3.241
>> ipa01.central.corpfbk. 86400 IN A 192.168.3.6
>> ipa02.central.corpfbk. 86400 IN A 192.168.3.16
>>
>> It seems to me, and after testing with other non-IPA based DNS servers,
>> that the response shouldn't have an "Answer section", but it should
>> have an "authority section" pointing to ad.corpfbk.
>>
>> Am I doing something wrong? Should I file a bug?
>>
> You are right, ad.corpfbk. records should be in the auth section. This seems
> like a bug in the bind-dyndb-ldap plugin. Please file it with a reference
> to this thread at bugzilla.redhat.com. Thank you in advance!
>
> Regards, Adam

These problems are fixed in the latest bind-dyndb-ldap upstream version
(commit 9bcd08be60aad4cb55393d494887b97bd31526be).

Petr^2 Spacek
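As an added example (not part of this thread and not bind-dyndb-ldap code), a small Python checker for the condition Adam describes: given dig output for a non-recursive NS query at the delegation point, it flags a reply that carries the child's NS set in ANSWER with aa set instead of a referral in AUTHORITY. Both sample replies are constructed, condensed from the output quoted above.

```python
# Constructed sample condensed from the dig output quoted above: the parent
# answers 'ad.corpfbk NS' with the child NS set in ANSWER and aa set (apex behaviour).
BUGGY_REPLY = """\
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; ANSWER SECTION:
ad.corpfbk. 86400 IN NS ns1.ad.corpfbk.
ad.corpfbk. 86400 IN NS ns2.ad.corpfbk.
;; AUTHORITY SECTION:
corpfbk. 86400 IN NS ipa01.central.corpfbk.
;; ADDITIONAL SECTION:
ns1.ad.corpfbk. 86400 IN A 192.168.3.36
"""
# Constructed sample of a correct referral for the same query: aa clear,
# ANSWER empty, child NS set in AUTHORITY, glue in ADDITIONAL.
GOOD_REPLY = """\
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
ad.corpfbk. 86400 IN NS ns1.ad.corpfbk.
ad.corpfbk. 86400 IN NS ns2.ad.corpfbk.
;; ADDITIONAL SECTION:
ns1.ad.corpfbk. 86400 IN A 192.168.3.36
ns2.ad.corpfbk. 86400 IN A 192.168.3.241
"""

def parse_dig(text):
    """Return (flags, {section: [(owner, type, rdata), ...]}) from dig output."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        if line.startswith(';; flags:'):
            flags = set(line.split(';')[2].split(':', 1)[1].split())
        elif line.endswith(' SECTION:'):
            current = line.split()[1]
            sections[current] = []
        elif current and line and not line.startswith(';'):  # skip ';' comment lines
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner, rtype, rdata))
    return flags, sections

def check_delegation(text, child):
    """List what is wrong with a +norecurse '<child> NS' reply from the parent."""
    flags, sections = parse_dig(text)
    child_ns = lambda rrs: [r for o, t, r in rrs if o == child and t == 'NS']
    problems = []
    if 'aa' in flags:
        problems.append('aa set: parent claims authority over the child zone')
    if child_ns(sections.get('ANSWER', [])):
        problems.append('child NS set in ANSWER instead of AUTHORITY')
    if not child_ns(sections.get('AUTHORITY', [])):
        problems.append('no child NS set in AUTHORITY: not a referral')
    return problems
```

Run `check_delegation(open('reply.txt').read(), 'ad.corpfbk.')` on saved `dig @parent ad.corpfbk NS +norecurse` output; an empty list means the parent hands out a proper referral.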
