[Freeipa-users] DNS SOA Records
Loris Santamaria
loris at lgs.com.ve
Tue May 13 18:56:58 UTC 2014
On Tue, 13-05-2014 at 14:12 -0400, Bob wrote:
> I ran
>
> ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"
>
> I then execute the nsupdate:
>
> [root at nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
>
> [root at nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile
Did you add the key to the bind configuration? As with plain bind
configurations, named has to know the key to verify the transaction's
signature. I usually put the keys in a file only readable by named and
include this file from named.conf:

In /etc/named.conf:

    include "/etc/named/bob-key.conf";

and in /etc/named/bob-key.conf:

    key bob-key {
        algorithm hmac-md5;
        secret "hkVEYuIRUG.....";
    };

> [root at nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table
>
> On Tue, May 13, 2014 at 2:04 PM, Bob <harvero at gmail.com> wrote:
>
> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
> But my nsupdate results in this in the daemon log:
>
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
>
> It almost works.
>
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria <loris at lgs.com.ve> wrote:
>
> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> > I have many dozens of TSIG keys declared in our current bind. There
> > are hundreds of records that have been granted to those keys. All of
> > this predates me and I do not know who has these keys. The scope of
> > trying to work with the owners of these keys to convert their
> > processes to use kerberos would be a large effort. It was my hope to
> > use IPA / IDM to provide multi master DNS, with each server being a
> > SOA. But this becomes a lot less desirable as a solution if I have to
> > track down our key holders.
>
> You can keep using your TSIG keys with IPA if that is what you're
> looking for. Just declare your TSIG keys in your IPA dns
> "update-policy" just as you would do with plain bind:
>
> ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"
>
> Also in IPA every DNS server presents a different SOA, each with the
> name of the server being queried, so it can be used as a true
> multimaster DNS solution.
>
> Hope this helps
>
> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <dpal at redhat.com> wrote:
> > On 05/13/2014 09:59 AM, Bob wrote:
> >
> > > Is there any way to do an nsupdate of DNS records in an IPA server
> > > using a TSIG key without having a kerberos ticket?
> > >
> > > We were going to swap out bind in favor of IPA, but we need to be
> > > able to do nsupdates.
> >
> > If you are using IPA you can give your clients keytabs. It is all
> > automatic with RHEL, Fedora, Centos for the last 5 years. Enroll your
> > clients using ipa-client-install. If you have other operating systems
> > some exploration would be required but it should be doable too.
> >
> > > On Mon, May 12, 2014 at 10:11 AM, Bob <harvero at gmail.com> wrote:
> > > We use nsupdate to move the location of some of our services
> > > around. For instance there might be two servers that exchange
> > > roles, like serv.east.abc.com and serv.west.abc.com and we will
> > > have a service name like wiki.abc.com. The owner of the
> > > application has been given an nsupdate key that allows them to
> > > update and delete on the wiki.abc.com and have that record contain
> > > either an "A" record for one or the other of the two servers.
> > >
> > > I am very concerned that there might come a time when the SOA
> > > primary master server for this dynamic domain might be down when
> > > the application owner needs to do their nsupdate.
> > >
> > > One observation that we see is that Windows AD and DNS make every
> > > AD DNS server an SOA for any domain that it serves. That any
> > > dynamic DNS update can be serviced by any Domain controller and
> > > that this update is replicated with LDAP to the other DCs.
> > >
> > > It was our hope that we could use IPA for our DNS servers for this
> > > dynamic domain. That we would have multiple forward statements
> > > from our main DNS servers to the IPA DNS servers and that any IPA
> > > server would be the SOA. This way the nsupdate would be processed
> > > by any available IPA server in the event that one or more of these
> > > IPA DNS servers would be down or unreachable.
> > >
> > > Is there a way to make each IPA system a SOA for the same domain
> > > and still have the DNS records replicate between them?
> > >
> > > thanks,
> > >
> > > Bob Harvey
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >
> >
>
> --
>
> Loris Santamaria linux user #70506
> xmpp:loris at lgs.com.ve
> Links Global Services, C.A.
> http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10
> sip:103 at lgs.com.ve
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
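Taking the reply above as the recipe, here is an added example (not code from this thread, from FreeIPA or from BIND) that scripts it end to end: generate a TSIG secret, write the key clause to a file only root and named can read, include that file from named.conf, grant the key on a single name in the zone's update-policy with `ipa dnszone-mod`, and drive nsupdate with `-k keyfile` rather than `-y name:secret`, which puts the secret on the command line where every local user can read it from the process list. The key name app-key, the zone example.com, the names wiki.example.com and serv.east.example.com and the /etc/named paths are constructed placeholders, and hmac-sha256 is used in place of the hmac-md5 shown in the reply. The rendering functions are kept apart from the commands that touch the system, so the file can be sourced and checked without a running named.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or BIND. All names,
# paths and the zone below are constructed placeholders.
set -eu

KEY_NAME="${KEY_NAME:-app-key}"             # constructed TSIG key name
ZONE="${ZONE:-example.com}"                 # constructed IPA-managed zone
RECORD="${RECORD:-wiki.example.com}"        # the one name this key may change
TARGET="${TARGET:-serv.east.example.com}"   # constructed CNAME target
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"
KEY_DIR="${KEY_DIR:-/etc/named}"

# 256-bit random secret, base64-encoded as a BIND key clause expects.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The key clause named needs (same shape as in the reply, hmac-sha256 instead
# of hmac-md5). $1 = key name, $2 = base64 secret.
render_key_clause() {
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# Write the clause where only root and named can read it and include it from
# named.conf (idempotent). $1 = key name, $2 = secret, $3 = key dir,
# $4 = named.conf path. Prints the path of the key file.
install_key_file() {
    name=$1; secret=$2; dir=$3; conf=$4
    file="$dir/$name.conf"
    ( umask 077; render_key_clause "$name" "$secret" > "$file" )
    chown root:named "$file" 2>/dev/null || true   # group name differs off RHEL
    chmod 0640 "$file"
    grep -qF "include \"$file\";" "$conf" 2>/dev/null \
        || printf 'include "%s";\n' "$file" >> "$conf"
    printf '%s\n' "$file"
}

# BIND update-policy grammar as used in the thread: the key may touch one
# name only. $1 = key name, $2 = record (without trailing dot).
render_update_policy() {
    printf 'grant %s name %s.;' "$1" "$2"
}

# nsupdate script that repoints RECORD's CNAME at TARGET in one transaction.
# $1 = zone, $2 = record, $3 = target.
render_nsupdate_script() {
    printf 'zone %s\nupdate delete %s. CNAME\nupdate add %s. 90 CNAME %s.\nsend\n' \
        "$1" "$2" "$2" "$3"
}

# Only the "apply" argument touches the live system; sourcing the file is inert.
if [ "${1:-}" = "apply" ]; then
    keyfile=$(install_key_file "$KEY_NAME" "$(gen_secret)" "$KEY_DIR" "$NAMED_CONF")
    rndc reconfig                          # make named read the new include
    ipa dnszone-mod "$ZONE" \
        --update-policy="$(render_update_policy "$KEY_NAME" "$RECORD")"
    # nsupdate -k accepts a file holding a named.conf-style key statement.
    render_nsupdate_script "$ZONE" "$RECORD" "$TARGET" | nsupdate -k "$keyfile"
fi
```

Run it as root on the IPA server with `sh tsig-grant.sh apply`. Two points worth keeping in mind: `--update-policy` replaces the zone's whole policy, so with many keys pass every grant in one semicolon-separated string, as in the `ipa dnszone-mod example.com` line quoted above; and the host that runs nsupdate on behalf of the application owner needs its own copy of the key file, delivered out of band and kept with the same restrictive permissions, since the secret is all that stands between that host and the granted name.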