[Freeipa-users] FreeIPA bind also-notify behavior.

Petr Spacek pspacek at redhat.com
Wed Sep 3 07:25:15 UTC 2014


On 1.9.2014 12:16, Dmitri Pal wrote:
> On 09/01/2014 12:05 PM, Martin Kosek wrote:
>> On 09/01/2014 07:50 AM, Dmitri Pal wrote:
>>> On 08/29/2014 09:32 PM, Matthew Sellers wrote:
>>>> Hi Everyone!
>>>>
>>>> I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA to
>>>> send notifies to non-IPA slaves, but it seems broken on IPA ( notify packets
>>>> are never sent to slaves ).
>>>>
>>>> I have configured also-notify { nameserverip; };  in named.conf on my FreeIPA
>>>> test host in the options section and watched for notify traffic with tcpdump.
>>>>
>>>> This document suggests that this is supported, and this is something I have
>>>> used in non-IPA bind servers with no issues.
>>>>
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
>>>>
>>>> I wanted to ask the list before I file a bug with more details.   Is anyone
>>>> using this bind feature on IPA with any success?
>>>>
>>>> Thanks!
>>>> Matt
>>>>
>>>>
>>> The DNS level change propagation is not supported between IPA replicas;
>>> instead, it uses LDAP replication to propagate the changes.
>>> If you want another non IPA DNS server to be a slave then you can do it. See
>>> http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for more
>>> information.
>> I thought that from F20, bind-dyndb-ldap was capable of native DNS operations
>> like AXFR/IXFR which can be used to actually deploy slave DNS servers. I wonder
>> if also-notify is something different. CCing Petr Spacek to advise.
> AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves - no.

Let me summarize:
- AXFR is supported (at least) by RHEL 6.5 and all newer versions
- IXFR is supported by bind-dyndb-ldap 4.0 and newer (Fedora 20+)
- DNS NOTIFY messages are always sent to servers listed in NS records

I.e. you have to add your non-IPA slave servers to NS records in the particular 
zone and then it should 'just work', no other configuration (like 
'also-notify') is necessary.

Please let me know if it doesn't work for you.

-- 
Petr^2 Spacek



