[Freeipa-users] DNS logs - named.run

Petr Spacek pspacek at redhat.com
Thu Jun 7 15:27:07 UTC 2012


On 06/01/2012 08:17 PM, Jimmy wrote:
> Our DNS topology is a very simple, out of the box, FreeIPA config. Our systems
> are configured to run independently at completely disparate locations, so
> there is very little to the topology besides forward and reverse zones for the
> networks served at each site. There are no slaves, and this is the only zone
> that has this issue. This is logged in the file /var/named/data/named.run .
> DNS has not been modified directly through ldap, only through IPA interfaces.
>
> Thanks,
> Jimmy
>
> Currently I could completely rebuild the system and push out the new config to
> the sites, but if there is some way to fix this on a running server or get
> more debug info to the maillist to possibly find the fix I would greatly
> prefer that.

I found the bug in bind-dyndb-ldap. This error message is logged only for 
zones without the idnsUpdatePolicy attribute, right?

There is a ticket for that problem.
https://fedorahosted.org/bind-dyndb-ldap/ticket/79

Workaround:
Define the idnsUpdatePolicy attribute (e.g. "grant E.EXAMPLE krb5-self * A;") and 
set idnsAllowDynUpdate to FALSE. Dynamic updates will remain disabled and 
the error message will not be logged.

Thanks for reporting the bug.

Petr^2 Spacek


>
> On Fri, Jun 1, 2012 at 11:45 AM, Petr Spacek <pspacek at redhat.com> wrote:
>
>     On 05/31/2012 07:24 PM, Jimmy wrote:
>
>         This message repeats numerous times per minute:
>
>         zone myzone.info/IN: zone serial (2012150501) unchanged. zone may fail
>         to transfer to slaves.
>
>         I even went into the admin page and changed the serial manually to see
>         if I could get past the message but it just changed the message to
>         this:
>
>         zone myzone.info/IN: zone serial (2012150502) unchanged. zone may fail
>         to transfer to slaves.
>
>         Why does IPA report this?
>
>         Thanks.
>
>
>     Hello,
>
>     can you describe your DNS topology?
>     Where is it logged?
>     Is it on a *slave* server?
>     How to reproduce it?
>
>     Current IPA doesn't maintain SOA serial number for updates made directly
>     in LDAP (but nsupdate works). Zone transfers are totally broken for that
>     reason.
>
>     Fix is on the roadmap: We are discussing how to solve this problem in
>     thread
>     <https://www.redhat.com/archives/freeipa-devel/2012-May/msg00044.html>.
>
>     Petr^2 Spacek
>
>
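The workaround from the reply above, as an added example (not part of the original thread and not bind-dyndb-ldap or FreeIPA code): a small Python audit that finds idnsZone entries lacking idnsUpdatePolicy in an LDIF export and emits the LDIF change that sets a policy while keeping idnsAllowDynUpdate at FALSE. The DNs, zone names and the cn=dns subtree layout in the sample are constructed assumptions; the policy string is the one quoted in the reply.

```python
# Added example: audit an LDIF export of DNS zone entries for the condition
# described in the thread (zone without an idnsUpdatePolicy attribute).
# All DNs and zone names below are constructed sample values.
SAMPLE_LDIF = """\
dn: idnsname=myzone.info,cn=dns,dc=example,dc=test
objectClass: idnsZone
idnsName: myzone.info
idnsAllowDynUpdate: FALSE

dn: idnsname=other.example,cn=dns,dc=example,dc=test
objectClass: idnsZone
idnsName: other.example
idnsUpdatePolicy: grant E.EXAMPLE krb5-self * A;
idnsAllowDynUpdate: TRUE

dn: idnsname=www,idnsname=other.example,cn=dns,dc=example,dc=test
objectClass: idnsRecord
idnsName: www
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values) into attribute dicts.
    Folded continuation lines are joined first; keys are lower-cased."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                entry.setdefault(key.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def zones_missing_policy(entries):
    """Return DNs of idnsZone entries that have no idnsUpdatePolicy."""
    return [e["dn"][0] for e in entries
            if "idnszone" in (v.lower() for v in e.get("objectclass", []))
            and "idnsupdatepolicy" not in e]

def workaround_ldif(dn, policy):
    """Build an LDIF modify record: set a policy, keep dynamic updates off."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: idnsUpdatePolicy", f"idnsUpdatePolicy: {policy}", "-",
        "replace: idnsAllowDynUpdate", "idnsAllowDynUpdate: FALSE", "",
    ])

if __name__ == "__main__":
    for dn in zones_missing_policy(parse_ldif(SAMPLE_LDIF)):
        print(workaround_ldif(dn, "grant E.EXAMPLE krb5-self * A;"))
```

Review the generated record and substitute your own realm in the policy string before applying it; with idnsAllowDynUpdate left at FALSE the grant rule does not open the zone to dynamic updates.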



