[Freeipa-users] ttl settings for host records
Natxo Asenjo
natxo.asenjo at gmail.com
Tue Nov 27 15:46:49 UTC 2012
Hi,
This is puzzling me.
I have an AD environment (which is leading) with integrated dns servers.
In the AD dns I have a zone domain.tld. I have created a delegation
unix.domain.tld in it with a glue record pointing to a new ipa server
kdc01.unix.domain.tld.
This works. I can join hosts to the IPA domain and reach their
services from the AD domain.
This is what a host querying the AD dns servers gets when asking for
info about the unix.domain.tld zone:
$ dig unix.domain.tld
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> unix.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;unix.domain.tld. IN A
;; AUTHORITY SECTION:
unix.domain.tld. 300 IN SOA kdc01.unix.domain.tld.
hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
And the TTL is 300. When I re-run the query, I see that it is less
than that. This is normal; I have domain.tld in AD dns with a ttl of 5
minutes.
So far, so good.
Now I join a host to the IPA domain and query the host:
$ dig solr01.unix.domain.tld
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> solr01.unix.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;solr01.unix.domain.tld. IN A
;; ANSWER SECTION:
solr01.unix.domain.tld. 84185 IN A 172.20.6.42
The ttl has gone up to one day.
These are the zone settings in IPA:
$ ipa dnszone-show
Zone name: unix.domain.tld
Authoritative nameserver: kdc01.unix.domain.tld.
Administrator e-mail address: hostmaster.unix.domain.tld.
SOA serial: 2012110713
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
In the web-ui I have filled in the SOA time to live field: 300 for
this zone, but it is not being picked up.
Where can I set this? If there are changes on the IPA server, I do not
want the old info to get cached for a day on the AD dns servers.
TIA.
--
Regards,
natxo
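As an added example that is not part of the original post, the script below parses dig output like the two runs quoted above and flags records whose TTL exceeds a desired maximum (300 s, the value the poster wants). Two caveats it is built around: the TTL a caching resolver (here the AD DNS servers) returns is the remaining cache lifetime, so 84185 only proves the authoritative TTL was at least that large, and the check should be run against the authoritative server (dig @kdc01.unix.domain.tld) to see the configured value; and the last SOA field ("SOA minimum", 3600 in the zone settings) is the negative-caching TTL per RFC 2308, not the TTL applied to positive answers such as the host's A record. The sample outputs are constructed from the post; no FreeIPA API is called.

```python
"""Parse dig output and flag records whose TTL exceeds a desired maximum."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class RR(NamedTuple):
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


# Constructed samples, condensed from the two dig runs quoted in the post.
ZONE_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;unix.domain.tld. IN A
;; AUTHORITY SECTION:
unix.domain.tld. 300 IN SOA kdc01.unix.domain.tld. hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
"""

HOST_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;solr01.unix.domain.tld. IN A
;; ANSWER SECTION:
solr01.unix.domain.tld. 84185 IN A 172.20.6.42
"""

SECTION_RE = re.compile(r"^;;\s+(\w+) SECTION:")
# name  ttl  class  type  rdata  (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.*)$")


def parse_dig(output: str) -> Dict[str, List[RR]]:
    """Group the resource records in dig's output by section name."""
    sections: Dict[str, List[RR]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
            continue
        if line.startswith(";"):  # header, flags and question lines
            continue
        m = RR_RE.match(line)
        if m and current is not None:
            name, ttl, rclass, rtype, rdata = m.groups()
            sections[current].append(RR(name, int(ttl), rclass, rtype, rdata))
    return sections


def soa_fields(sections: Dict[str, List[RR]]) -> Optional[Dict[str, int]]:
    """Return the numeric SOA fields; 'minimum' is the negative-cache TTL (RFC 2308)."""
    for rr in sections.get("AUTHORITY", []) + sections.get("ANSWER", []):
        if rr.rtype == "SOA":
            parts = rr.rdata.split()  # mname rname serial refresh retry expire minimum
            if len(parts) >= 7:
                keys = ("serial", "refresh", "retry", "expire", "minimum")
                return dict(zip(keys, map(int, parts[2:7])))
    return None


def records_over_ttl(sections: Dict[str, List[RR]], max_ttl: int) -> List[Tuple[str, str, int]]:
    """List (name, type, ttl) for ANSWER/AUTHORITY records whose TTL exceeds max_ttl."""
    found = []
    for sec in ("ANSWER", "AUTHORITY"):
        for rr in sections.get(sec, []):
            if rr.ttl > max_ttl:
                found.append((rr.name, rr.rtype, rr.ttl))
    return found


def human_ttl(seconds: int) -> str:
    """Render a TTL in d/h/m/s so a stale-cache risk is obvious at a glance."""
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            parts.append(f"{seconds // size}{unit}")
            seconds %= size
    parts.append(f"{seconds}s")
    return " ".join(parts)


if __name__ == "__main__":
    for label, out in (("zone", ZONE_QUERY), ("host", HOST_QUERY)):
        for name, rtype, ttl in records_over_ttl(parse_dig(out), 300):
            print(f"{label}: {name} {rtype} TTL {ttl} ({human_ttl(ttl)}) exceeds 300")
    soa = soa_fields(parse_dig(ZONE_QUERY))
    print("SOA minimum (negative-cache TTL):", soa["minimum"] if soa else "n/a")
```

Run it against the saved output of dig @kdc01.unix.domain.tld solr01.unix.domain.tld after changing the record TTL to confirm the authoritative value, then against the AD resolvers to see how long the old answer will still be served from their cache.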