[Freeipa-users] ttl settings for host records

Petr Spacek pspacek at redhat.com
Tue Nov 27 17:10:20 UTC 2012


Hello,

On 11/27/2012 04:52 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>> hi,
>>
>> this is puzzling me.
>>
>> I have an AD environment (which is leading) with integrated dns servers.
>>
>> In the AD dns I have a zone domain.tld. I have created a delegation
>> unix.domain.tld in it with a glue record pointing to a new ipa server
>> kdc01.unix.domain.tld.
>>
>> This works. I can join hosts to the IPA domain and reach their
>> services from the AD domain.
>>
>> this is what a host querying the AD dns servers gets when asking
>> for info about the unix.domain.tld zone:
>>
>> $ dig unix.domain.tld
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> unix.domain.tld
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;unix.domain.tld.        IN    A
>>
>> ;; AUTHORITY SECTION:
>> unix.domain.tld.    300    IN    SOA    kdc01.unix.domain.tld.
>> hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
>>
>> And the TTL is 300. When I re-run the query, I see that it is less
>> than that. This is normal, I have the domain.tld in AD dns with ttl 5
>> minutes.
>>
>> So far, so good.
You set TTL = 300 explicitly for unix.domain.tld. (i.e. the SOA record), right?

>> Now I join a host to the IPA domain and query the host:
>>
>> $ dig solr01.unix.domain.tld
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> solr01.unix.domain.tld
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;solr01.unix.domain.tld.    IN    A
>>
>> ;; ANSWER SECTION:
>> solr01.unix.domain.tld. 84185    IN    A    172.20.6.42
>>
>> The ttl has gone up to one day.
86400 seconds is the default value for entries without an explicit TTL definition. 
The TTL setting is effective per name, so setting the TTL for the zone's root (SOA record) 
will affect only the SOA itself.

The current version has a default TTL of 86400 seconds hard-coded. It is a known 
limitation and it is planned to address this in IPA 3.2:
https://fedorahosted.org/bind-dyndb-ldap/ticket/70

Until this ticket is solved you have to explicitly set the TTL attribute for each 
existing DNS name. Sorry!

>> these are the zone settings in IPA:
>> $ ipa dnszone-show
>> Zone name: unix.domain.tld
>>    Zone name: unix.domain.tld
>>    Authoritative nameserver: kdc01.unix.domain.tld.
>>    Administrator e-mail address: hostmaster.unix.domain.tld.
>>    SOA serial: 2012110713
>>    SOA refresh: 3600
>>    SOA retry: 900
>>    SOA expire: 1209600
>>    SOA minimum: 3600
For completeness: This value affects only negative record caching.
See http://tools.ietf.org/html/rfc2308
section "2.2.1 - Special Handling of No Data",
part "4 - SOA Minimum Field".

>>    Active zone: TRUE
>>    Allow query: any;
>>    Allow transfer: none;
>>
>> In the web-ui I have filled in the SOA time to live field: 300 for
>> this zone, but it is not being picked up.
The plan is to have a separate SOA TTL and a per-zone default-TTL setting, but currently 
there is no attribute for the default TTL.

>> Where can I set this? If there are changes on the IPA server, I do not
>> want the old info to be cached for a day on the AD dns servers.
>
> I'm not entirely sure where that 86400 came from. When we do a dynamic update
> the TTL is hardcoded to 1200. There is a ticket to make this configurable,
> https://fedorahosted.org/freeipa/ticket/3031

-- 
Petr^2 Spacek
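As an added example (not part of this thread and not FreeIPA or bind-dyndb-ldap code), a small shell check that parses `dig +noall +answer`-style output and lists the records whose TTL exceeds the value the zone is supposed to have, so names that silently received the hard-coded 86400-second default stand out; the sample lines are constructed from the answers quoted above, and the solr02 record is hypothetical.

```shell
#!/bin/sh
# Reads "dig +noall +answer"-style lines (name ttl class type rdata) on stdin
# and prints every record whose TTL is larger than the limit given as $1.
# dig comment lines (starting with ';') and short/blank lines are skipped.
flag_long_ttl() {
    limit="$1"
    awk -v limit="$limit" '
        /^;/ || NF < 4 { next }
        $2 ~ /^[0-9]+$/ && $2 + 0 > limit + 0 {
            printf "%s %s TTL %d exceeds %d\n", $1, $4, $2, limit
        }
    '
}

# Constructed sample: the SOA and A answers from the thread, plus a
# hypothetical solr02 record that had its TTL set explicitly to 300.
SAMPLE='unix.domain.tld.    300    IN    SOA    kdc01.unix.domain.tld. hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
solr01.unix.domain.tld. 84185    IN    A    172.20.6.42
solr02.unix.domain.tld. 300    IN    A    172.20.6.43'

# Against live servers you would feed real answers instead, e.g.:
#   for h in solr01 solr02; do dig +noall +answer "$h.unix.domain.tld"; done | flag_long_ttl 300
printf '%s\n' "$SAMPLE" | flag_long_ttl 300
```

Only solr01 is reported: the SOA carries the explicit 300 and solr02 was set by hand, while solr01 still has the per-name default that the SOA TTL does not override.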
