[Freeipa-users] Dns SOA MNAME not resolving from LDAP data

Martin Basti mbasti at redhat.com
Thu Aug 20 12:32:00 UTC 2015


On 08/20/2015 02:22 PM, Martin Basti wrote:
>
>
> On 08/20/2015 01:48 PM, David Dejaeghere wrote:
>> Hi,
>>
>> I noticed that changing the authoritative nameserver in FreeIPA 
>> reflects correctly to its directory data but bind will not resolve 
>> the soa record with the updated mname details.
>>
>> For example I add a zone test.be and change the 
>> mname record.
>>
>> [root at ns02 ~]# ipa dnszone-add
>> Zone name: test.be
>>   Zone name: test.be.
>>   Active zone: TRUE
>> *  Authoritative nameserver: ns02.tokiogroup.be.*
>>   Administrator e-mail address: hostmaster
>>   SOA serial: 1440070999
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant TOKIOGROUP.BE 
>> krb5-self * A; grant TOKIOGROUP.BE krb5-self * 
>> AAAA; grant TOKIOGROUP.BE krb5-self *
>>                       SSHFP;
>>   Dynamic update: FALSE
>>   Allow query: any;
>>   Allow transfer: none;
>> [root at ns02 ~]# ipa dnszone-mod --nameserver
>> anaconda-ks.cfg  .bash_logout     .bashrc .ipa/            .ssh/
>> .bash_history    .bash_profile    .cshrc .pki/            .tcshrc
>>
>>
>> [root at ns02 ~]# ipa dnszone-mod --name-server *ns7.tokiogroup.be.*
>> Zone name: test.be
>> ipa: WARNING: Semantic of setting Authoritative nameserver was 
>> changed. It is used only for setting the SOA MNAME attribute.
>> NS record(s) can be edited in zone apex - '@'.
>>   Zone name: test.be.
>>   Active zone: TRUE
>> *Authoritative nameserver: ns7.tokiogroup.be.*
>>   Administrator e-mail address: hostmaster
>>   SOA serial: 1440071001
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>
>>
>> [root at ns02 ~]# nslookup
>> > set q=SOA
>> > test.be
>> Server:         127.0.0.1
>> Address:        127.0.0.1#53
>>
>> test.be
>> *origin = ns02.tokiogroup.be*
>>         mail addr = hostmaster.test.be
>>         serial = 1440071001
>>         refresh = 3600
>>         retry = 900
>>         expire = 1209600
>>         minimum = 3600
>>
>> As you can see the SOA record still shows the original default value.
>>
>> Kind Regards,
>>
>> David Dejaeghere
>>
>>
>
> Thank you for this bug report.
> I opened bind-dyndb-ldap ticket 
> https://fedorahosted.org/bind-dyndb-ldap/ticket/159
>
> Martin
>
>
I may have found why you have this issue:

Do you have fake_mname configured in the bind_dyndb_ldap section of named.conf?
If yes, remove this option to use the SOA MNAME from LDAP.

Martin
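As an added illustration of the check Martin suggests (this is not part of the thread and not FreeIPA or bind-dyndb-ldap code), the Python below reads a constructed dynamic-db block from named.conf, the MNAME BIND actually serves (taken from a captured `dig +noall +answer SOA` line) and the idnsSOAmName value stored in LDAP, and reports whether a leftover `fake_mname` argument explains the discrepancy. The host and zone names are the ones from the thread; the named.conf fragment and the dig answer line are constructed samples.

```python
import re
from typing import Optional

# Constructed named.conf fragment: a bind-dyndb-ldap dynamic-db block as an
# older FreeIPA install wrote it, still carrying the fake_mname argument.
NAMED_CONF = '''
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-TOKIOGROUP-BE.socket";
    arg "base cn=dns, dc=tokiogroup,dc=be";
    arg "server_id ns02.tokiogroup.be";
    arg "fake_mname ns02.tokiogroup.be.";
};
'''

# Constructed output of: dig +noall +answer SOA test.be @127.0.0.1
DIG_SOA = ("test.be.\t3600\tIN\tSOA\tns02.tokiogroup.be. hostmaster.test.be. "
           "1440071001 3600 900 1209600 3600")

# idnsSOAmName of idnsname=test.be. in LDAP after 'ipa dnszone-mod --name-server'
LDAP_MNAME = "ns7.tokiogroup.be."

_FAKE_MNAME_RE = re.compile(r'arg\s+"fake_mname\s+([^"\s]+)"\s*;')

def fake_mname_from_named_conf(conf: str) -> Optional[str]:
    """Return the fake_mname value from the dynamic-db block, or None if unset."""
    m = _FAKE_MNAME_RE.search(conf)
    return m.group(1) if m else None

def mname_from_dig(answer: str) -> Optional[str]:
    """Extract MNAME from a 'dig +noall +answer SOA' line."""
    fields = answer.split()
    # owner TTL class SOA mname rname serial refresh retry expire minimum
    if len(fields) < 5 or fields[3] != "SOA":
        return None
    return fields[4]

def canonical(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, one trailing dot."""
    return name.lower().rstrip(".") + "."

def diagnose(conf: str, dig_answer: str, ldap_mname: str) -> str:
    """Compare served MNAME with LDAP and say whether fake_mname explains a gap."""
    served = mname_from_dig(dig_answer)
    if served is None:
        return "no-soa-answer"
    if canonical(served) == canonical(ldap_mname):
        return "consistent"
    fake = fake_mname_from_named_conf(conf)
    if fake is not None and canonical(fake) == canonical(served):
        return "fake_mname-overrides-ldap"
    return "mismatch-unexplained"
```

Running `diagnose(NAMED_CONF, DIG_SOA, LDAP_MNAME)` on the samples yields `fake_mname-overrides-ldap`, the situation in this thread; once the argument is removed from named.conf and BIND reloaded, the same check should report `consistent`.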