[Freeipa-users] dns stops working after upgrade

Petr Spacek pspacek at redhat.com
Wed Oct 29 13:50:49 UTC 2014


On 29.10.2014 14:32, Rob Verduijn wrote:
> I've checked and I see a lot of objects representing my dns entries.
> Still I get no answers if I try to resolve any of them :(

Are you running ldapsearch with *exactly* the same credentials as you have in
/etc/named.conf?

Could you post the dynamic-db section from your named.conf?

Petr^2 Spacek

> Rob
>
> 2014-10-29 13:28 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>
>> On 28.10.2014 18:42, Rob Verduijn wrote:
>>
>>> before the update it's 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
>>> after the update it's 6.0-5.fc20.x86_64.rpm from copr repo
>>>
>>> Regards
>>> Rob
>>>
>>>
>>> 2014-10-28 17:58 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>>>
>>>     On 28/10/14 16:10, Rob Verduijn wrote:
>>>>
>>>>    Hello all,
>>>>
>>>>    I've been digging into my problem of being unable to update from 3.3.5
>>>> to 4.1
>>>>
>>>>    First I add the repo from copr
>>>>
>>>>    Then I used to update it by issuing 'yum update' which resulted in an
>>>> update in which my local dns zone entries no longer resolved.
>>>>
>>>>    So I tried the instructions mentioned on the site:
>>>> yum update freeipa-server
>>>> And this failed with a conflict in
>>>>
>>>>    bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
>>>> bind-utils-32:9.9.4-15.P2.fc20.x86_64
>>>>
>>>>    I noticed the new bind comes from the copr repo and the old bind utils
>>>> from fedora.
>>>>
>>>>    So I first run 'yum update bind-utils -y'
>>>> Then I ran yum update freeipa-server
>>>> and see it fail with errors about softhsm
>>>>
>>>>    I remembered reading about package errors with softhsm and installed
>>>> the softhsm-devel package first.
>>>>
>>>>    So revert back the freeipa kvm snapshot to 3.3.5 and try again
>>>> yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y
>>>>
>>>>    However when restarting named-pkcs11 I can see in the system log that
>>>> it has 0 zones loaded
>>>>
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
>>>>
>>>>    It claims 0 zones loaded but I can see my forward and reverse zones in
>>>> ipa
>>>>
>>>>    What could cause it not to load the zones that I defined in ipa?
>>>>
>>>
>> This problem is usually caused by a broken IPA upgrade which destroys ACIs
>> in LDAP which allow access to the DNS sub-tree.
>>
>> Please follow instructions on:
>>
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
>>
>> ... and let us know if you are able to see idnsZone objects in LDAP or not.


-- 
Petr^2 Spacek
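
One way to run the check asked for above, as an added example that is not part of the original thread: read the dynamic-db section and build the ldapsearch call that binds the way named does, so a search run as admin or Directory Manager cannot hide a missing ACI. The sample section, its host names, the keytab path and the defaults for `auth_method` and `sasl_mech` are assumptions.

```python
import re
import shlex

# Constructed sample (older bind-dyndb-ldap "arg" syntax); host and realm are placeholders.
SAMPLE_NAMED_CONF = '''
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa.example.com";
};
'''

def dyndb_args(conf_text, instance="ipa"):
    """Return the 'arg' settings of one dynamic-db section as a dict."""
    pattern = r'dynamic-db\s+"%s"\s*\{(.*?)\}\s*;' % re.escape(instance)
    section = re.search(pattern, conf_text, re.S)
    if section is None:
        raise ValueError("no dynamic-db section named %r" % instance)
    pairs = re.findall(r'arg\s+"(\S+)\s+([^"]*)"\s*;', section.group(1))
    return {key: value.strip() for key, value in pairs}

def check_commands(args, keytab="/etc/named.keytab"):
    """Build commands that repeat named's LDAP bind and list idnsZone objects.

    keytab is an assumed default path; krb5_keytab in the section overrides it.
    """
    search = ["ldapsearch", "-LLL", "-H", args["uri"], "-b", args["base"]]
    commands = []
    method = args.get("auth_method", "none")  # assumed default: anonymous
    if method == "sasl":
        mech = args.get("sasl_mech", "GSSAPI")  # assumed default mechanism
        if mech == "GSSAPI":
            principal = args.get("krb5_principal", args.get("sasl_user"))
            if principal is None:
                raise ValueError("GSSAPI without krb5_principal or sasl_user")
            # Take a ticket as the DNS service principal, not as an admin user.
            commands.append(["kinit", "-k", "-t",
                             args.get("krb5_keytab", keytab), principal])
        search += ["-Y", mech]
    elif method == "simple":
        search += ["-x", "-D", args["bind_dn"], "-W"]  # -W prompts for the password
    else:
        search += ["-x"]  # anonymous bind
    commands.append(search + ["(objectClass=idnsZone)", "dn"])
    return commands

if __name__ == "__main__":
    for argv in check_commands(dyndb_args(SAMPLE_NAMED_CONF)):
        print(" ".join(shlex.quote(a) for a in argv))
```

If the search returns no entries under this identity while an administrative bind lists the zones, the DNS sub-tree ACIs are the likely gap.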



