[Freeipa-users] DNS zone delegation

Adam Tkac atkac at redhat.com
Thu Feb 2 09:23:16 UTC 2012


On 02/01/2012 07:21 PM, Loris Santamaria wrote:
> Hi,
>
> I have a dns zone managed by IPA and I'm trying to delegate a zone
> managed by Active Directory.
>
> The IPA managed zone is called "corpfbk", and the AD one is
> "ad.corpfbk".
>
> I started by adding the proper glue records:
>
> ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36
> ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241
>
> Then I add what I consider should be the zone delegation:
>
> ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk.
>
> Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone,
> except ns1 and ns2. Recursion is enabled in named.conf. Dig results:
>
> dig @localhost ad.corpfbk NS +norecurse
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;ad.corpfbk.			IN	NS
>
> ;; ANSWER SECTION:
> ad.corpfbk.		86400	IN	NS	ns1.ad.corpfbk.
> ad.corpfbk.		86400	IN	NS	ns2.ad.corpfbk.
>
> ;; AUTHORITY SECTION:
> corpfbk.		86400	IN	NS	ipa01.central.corpfbk.
> corpfbk.		86400	IN	NS	ipa02.central.corpfbk.
>
> ;; ADDITIONAL SECTION:
> ns1.ad.corpfbk.	86400	IN	A	192.168.3.36
> ns2.ad.corpfbk.	86400	IN	A	192.168.3.241
> ipa01.central.corpfbk.	86400	IN	A	192.168.3.6
> ipa02.central.corpfbk.	86400	IN	A	192.168.3.16
>
> It seems to me, and after testing with other non-IPA based DNS servers,
> that the response shouldn't have an "Answer section", but it should
> have an "authority section" pointing to ad.corpfbk.
>
> Am I doing something wrong? Should I file a bug?
>
You are right, ad.corpfbk. records should be in the auth section. This seems
like a bug in the bind-dyndb-ldap plugin. Please file it, with a reference
to this thread, at bugzilla.redhat.com. Thank you in advance!

Regards, Adam
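
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it parses `dig +norecurse` text output and reports where a parent server's response for a delegated name departs from a referral. The function names and the REFERRAL sample are constructed here; the aa-flag and glue checks are standard referral expectations that go beyond what the thread states.

```python
import re
# Response quoted in the thread, abridged (whitespace and the two IPA server A records trimmed).
BUGGY = """\
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
;; ANSWER SECTION:
ad.corpfbk. 86400 IN NS ns1.ad.corpfbk.
ad.corpfbk. 86400 IN NS ns2.ad.corpfbk.
;; AUTHORITY SECTION:
corpfbk. 86400 IN NS ipa01.central.corpfbk.
corpfbk. 86400 IN NS ipa02.central.corpfbk.
;; ADDITIONAL SECTION:
ns1.ad.corpfbk. 86400 IN A 192.168.3.36
ns2.ad.corpfbk. 86400 IN A 192.168.3.241
"""
# Constructed sample: the referral expected from the parent for the same query.
REFERRAL = """\
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
ad.corpfbk. 86400 IN NS ns1.ad.corpfbk.
ad.corpfbk. 86400 IN NS ns2.ad.corpfbk.
;; ADDITIONAL SECTION:
ns1.ad.corpfbk. 86400 IN A 192.168.3.36
ns2.ad.corpfbk. 86400 IN A 192.168.3.241
"""

def parse_dig(text):
    """Return (header flags, {section: [(owner, type, rdata)]}) from dig text output."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        if m := re.match(r";; flags: ([a-z ]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            current = sections.setdefault(m.group(1), [])
        elif line.strip() and not line.startswith(";") and current is not None:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            current.append((owner.lower(), rtype, rdata.lower()))
    return flags, sections

def delegation_problems(text, child):
    """List how a response for `child` (lower-case FQDN, trailing dot) is not a referral."""
    flags, sec = parse_dig(text)
    ns = lambda name: [r for o, t, r in sec.get(name, []) if o == child and t == "NS"]
    glue = {o for o, t, _ in sec.get("ADDITIONAL", []) if t in ("A", "AAAA")}
    checks = [
        ("aa" in flags, "aa flag set for a name below the zone cut"),
        (bool(ns("ANSWER")), "child NS set is in the ANSWER section"),
        (not ns("AUTHORITY"), "child NS set is missing from the AUTHORITY section"),
    ] + [(h not in glue, f"no glue for {h}") for h in ns("AUTHORITY") if h.endswith("." + child)]
    return [msg for failed, msg in checks if failed]
```

Calling `delegation_problems(BUGGY, "ad.corpfbk.")` lists the three deviations visible in the quoted output, while the constructed referral yields an empty list.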