[Freeipa-users] automatic dns update failing

Martin Kosek mkosek at redhat.com
Tue Feb 21 07:37:44 UTC 2012


On Mon, 2012-02-20 at 17:08 +0100, Marco Pizzoli wrote:
> 
> 
> On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:
>         On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
>         
>         > Hi,
>         > During my setup today I'm always failing in enrolling clients with
>         > automatic dns updates.
>         > I'm playing with FreeIPA 2.1.90, but I guess this is a general
>         > problem, not strictly due to the alpha version.
>         >
>         > I'm doing a "ipa-client-install --enable-dns-updates" and at the
>         > console I see:
>         > Failed to update DNS A record. (Command '/usr/bin/nsupdate
>         > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
>         >
>         > I see in server logs that named refuses it:
>         > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
>         > update 'internet.unix.mydomain.it/IN' denied
>         > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
>         > update 'internet.unix.mydomain.it/IN' denied
>         >
>         > What is the cause? What other information do you need about my
>         > deployment?
>         >
>         > Thanks in advance as usual
>         > Marco
>         
>         
>         Hello Marco,
>         
>         please check the settings of the zone you are trying to add
>         clients to. GSS-TSIG updates are not enabled by default for new
>         zones, it may be your case.
>         
>         This is an entry for my zone 'example.com' where dynamic updates
>         are enabled:
>         
>         # ipa dnszone-show example.com --all
>          dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>          Zone name: example.com
>          Authoritative nameserver: ns.example.com.
>          Administrator e-mail address: hostmaster.example.com.
>          SOA serial: 2012200201
>          SOA refresh: 3600
>          SOA retry: 900
>          SOA expire: 1209600
>          SOA minimum: 3600
>         > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM
>         >                     krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
>          Active zone: TRUE
>         > Dynamic update: TRUE
>          nsrecord: ns.example.com.
>          objectclass: top, idnsrecord, idnszone
>         
>         I have marked the important attributes with ">". I would also
>         make sure that the zone is properly loaded in the bind-dyndb-ldap
>         plugin (you can for example try to retrieve its SOA record with
>         dig).
> 
> Hi Martin,
> yes this is the case:
> 
> [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
>   dn:
> idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
>   Zone name: internet.unix.mydomain.it
>   Authoritative nameserver: freeipa01.unix.mydomain.it.
>   Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
>   SOA serial: 2012180201
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Active zone: TRUE
>   Dynamic update: FALSE
>   nsrecord: freeipa01.unix.mydomain.it.
>   objectclass: top, idnsrecord, idnszone
> 
> So, could you tell me what I should do to have my (new) zone
> eventually updated?
> A link to a doc page would suffice.
> 
> Thanks a lot
> Marco
> 

Hello Marco,

glad we found the root cause. You can update the zone with this command:

# ipa dnszone-mod internet.unix.mydomain.it --dynamic-update=TRUE
--update-policy="grant MYDOMAIN.IT krb5-self * A; grant MYDOMAIN.IT
krb5-self * AAAA; grant MYDOMAIN.IT krb5-self * SSHFP;"
# service named reload (or "rndc reload")

It enables dynamic updates and configures an update policy for it -
every host in this domain can now add/delete its own A/AAAA/SSHFP
records.

Sources of DNS documentation:
1. Our command help:
# ipa help dns

2. FreeIPA guide:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS.html

3. And freeipa-users of course :-)

Martin
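The two settings Martin changes above, the zone's "Dynamic update" flag and the krb5-self update policy, decide whether named accepts a client's GSS-TSIG update. The script below is an added illustration (not FreeIPA or BIND code) that models that decision: it parses the ';'-separated update-policy string exactly as passed to ipa dnszone-mod, then answers whether a host principal may change a given record. Only the krb5-self matchtype is modelled (principal host/FQDN@REALM may touch records owned by FQDN, first matching rule wins); the zone, realm, host names and principal are constructed sample values, and the realm MYDOMAIN.IT is simply the one from Martin's command.

```python
"""Model named's authorization of a GSS-TSIG dynamic update under a FreeIPA
zone's 'Dynamic update' flag and BIND update-policy. Added illustration, not
FreeIPA or BIND code; all zone/host/realm names are constructed samples."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    action: str       # "grant" or "deny"
    identity: str     # for krb5-self this is the Kerberos realm
    matchtype: str    # e.g. "krb5-self"
    name: str         # "*" for krb5-self (BIND ignores the name field for it)
    types: tuple      # record types; an empty tuple means any type


def parse_update_policy(policy: str) -> list:
    """Parse the ';'-separated grant/deny statements stored by ipa dnszone-mod."""
    rules = []
    for stmt in policy.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue  # the trailing ';' leaves an empty statement
        if len(tokens) < 4 or tokens[0] not in ("grant", "deny"):
            raise ValueError(f"malformed update-policy statement: {stmt.strip()!r}")
        action, identity, matchtype, name, *types = tokens
        rules.append(Rule(action, identity, matchtype, name,
                          tuple(t.upper() for t in types)))
    return rules


@dataclass
class Zone:
    name: str
    dynamic_update: bool   # the 'Dynamic update' attribute shown by dnszone-show
    rules: list            # parsed 'BIND update policy'


def _fqdn(name: str) -> str:
    return name.rstrip(".").lower()


def check_update(zone: Zone, principal: str, record_name: str, rtype: str):
    """Return (allowed, reason). Mirrors the order named applies:
    zone must accept dynamic updates at all, then the first matching
    update-policy rule decides. Only krb5-self rules are modelled."""
    zone_fq, rec_fq = _fqdn(zone.name), _fqdn(record_name)
    if rec_fq != zone_fq and not rec_fq.endswith("." + zone_fq):
        return False, f"{record_name} is not inside zone {zone.name}"
    if not zone.dynamic_update:
        # The state in Marco's log: named answers "update '<zone>/IN' denied"
        return False, f"update '{zone.name}/IN' denied (dynamic updates disabled)"
    m = re.fullmatch(r"host/([^@]+)@([^@]+)", principal)
    if not m:
        return False, f"{principal} is not a host principal"
    host, realm = m.groups()
    for rule in zone.rules:
        if rule.matchtype != "krb5-self" or rule.identity != realm:
            continue
        if _fqdn(host) != rec_fq:
            continue  # krb5-self: a host may only update its own owner name
        if rule.types and rtype.upper() not in rule.types:
            continue
        types = " ".join(rule.types) or "ANY"
        return (rule.action == "grant",
                f"matched: {rule.action} {rule.identity} krb5-self {rule.name} {types}")
    return False, "no update-policy rule matched"


# Constructed sample data mirroring the thread: the zone before and after dnszone-mod
POLICY = ("grant MYDOMAIN.IT krb5-self * A; grant MYDOMAIN.IT krb5-self * AAAA; "
          "grant MYDOMAIN.IT krb5-self * SSHFP;")
ZONE_BEFORE = Zone("internet.unix.mydomain.it", False, [])
ZONE_AFTER = Zone("internet.unix.mydomain.it", True, parse_update_policy(POLICY))
CLIENT = "host/client1.internet.unix.mydomain.it@MYDOMAIN.IT"  # constructed principal

if __name__ == "__main__":
    cases = [(ZONE_BEFORE, "client1.internet.unix.mydomain.it", "A"),
             (ZONE_AFTER, "client1.internet.unix.mydomain.it", "A"),
             (ZONE_AFTER, "client1.internet.unix.mydomain.it", "TXT"),
             (ZONE_AFTER, "client2.internet.unix.mydomain.it", "A")]
    for zone, name, rtype in cases:
        print(f"dynamic_update={zone.dynamic_update} {name} {rtype}:",
              check_update(zone, CLIENT, name, rtype))
```

The four cases at the bottom show why the policy Martin suggests is narrow: with the flag off every update is refused regardless of policy, and once it is on a host can only add or delete its own A/AAAA/SSHFP records, not a TXT record and not another host's name.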