[Freeipa-users] Dns SOA MNAME not resolving from LDAP data
David Dejaeghere
david.dejaeghere at gmail.com
Thu Aug 20 13:14:43 UTC 2015
The reason I hit this issue was because I am testing out a setup where ldap
etc are running on a private subnet but is hosting public zones.
Therefor I change the nameservers of these zones and the primary nameserver
soa record to a public reachable hostname.
I agree this is no issue for the majority of users.
There already is a warning in the UI and IPA CLI. It might be good to add
an extra line to this warning regarding the fake_mname, altought this might
also cause confusion.
Regards,
David
2015-08-20 15:09 GMT+02:00 Martin Basti <mbasti at redhat.com>:
>
>
> On 08/20/2015 02:46 PM, David Dejaeghere wrote:
>
> confirmed working.
> Does this default value make any sense if this value is changeable in the
> UI and using the IPA client?
>
> Kind Regards,
>
> David
>
>
> IMHO (I'm not 100% sure)
>
> IPA DNS are master servers, which contains only authoritative zones.
> Each DNS server contains the same copy of zones synchronized with LDAP
> database, and each server is authoritative for that zone (multimaster DNS
> topology).
> So there is no reason to have listed different server than IPA DNS as
> authoritative servers.
>
> This works for majority users.
>
> This also works as fallback (on local network only without caching) when
> one replica is down, the one of IPA DNS servers left, may act as
> authoritative servers (primary master for DDNS).
>
> I agree that this is tricky (I forgot about fake_mname too) for users who
> want to change it, we may show warning for user or somehow let him know
> that fake_mname is used.
>
> Martin
>
>
> 2015-08-20 14:38 GMT+02:00 Martin Basti <mbasti at redhat.com>:
>
>>
>>
>> On 08/20/2015 02:35 PM, David Dejaeghere wrote:
>>
>> Aha,
>>
>> Correct. But i never set this. This option seems to be set by default.
>> I verified this issue on multiple installs. It seems they all have this
>> option set by default?
>>
>> Can i safely change named.conf without fearing my modifications will be
>> lost on an update?
>>
>> Kind Regards,
>>
>> David
>>
>> (Adding freeipa-users back)
>>
>> I checked code, it is default.
>>
>> You can change named.conf, upgrade will not replace it.
>>
>> Martin
>>
>>
>> 2015-08-20 14:32 GMT+02:00 Martin Basti < <mbasti at redhat.com>
>> mbasti at redhat.com>:
>>
>>>
>>> On 08/20/2015 02:22 PM, Martin Basti wrote:
>>>
>>>
>>>
>>> On 08/20/2015 01:48 PM, David Dejaeghere wrote:
>>>
>>> Hi,
>>>
>>> I noticed that changing the authoritarive nameserver in FreeIPA reflects
>>> correctly to its directory data but bind will not resolve the soa record
>>> with the updated mname details.
>>>
>>> For example I add a zone test.be and change the mname record.
>>>
>>> [root at ns02 ~]# ipa dnszone-add
>>> Zone name: test.be
>>> Zone name: test.be.
>>> Active zone: TRUE
>>> * Authoritative nameserver: ns02.tokiogroup.be
>>> <http://ns02.tokiogroup.be>.*
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1440070999
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> BIND update policy: grant TOKIOGROUP.BE krb5-self * A; grant
>>> TOKIOGROUP.BE krb5-self * AAAA; grant TOKIOGROUP.BE krb5-self *
>>> SSHFP;
>>> Dynamic update: FALSE
>>> Allow query: any;
>>> Allow transfer: none;
>>> [root at ns02 ~]# ipa dnszone-mod --nameserver
>>> anaconda-ks.cfg .bash_logout .bashrc .ipa/ .ssh/
>>> .bash_history .bash_profile .cshrc .pki/
>>> .tcshrc
>>>
>>>
>>> [root at ns02 ~]# ipa dnszone-mod --name-server* ns7.tokiogroup.be
>>> <http://ns7.tokiogroup.be>*.
>>> Zone name: test.be
>>> ipa: WARNING: Semantic of setting Authoritative nameserver was changed.
>>> It is used only for setting the SOA MNAME attribute.
>>> NS record(s) can be edited in zone apex - '@'.
>>> Zone name: test.be.
>>> Active zone: TRUE
>>> *Authoritative nameserver: ns7.tokiogroup.be
>>> <http://ns7.tokiogroup.be>.*
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1440071001
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> Allow query: any;
>>> Allow transfer: none;
>>>
>>>
>>> [root at ns02 ~]# nslookup
>>> > set q=SOA
>>> > test.be
>>> Server: 127.0.0.1
>>> Address: 127.0.0.1#53
>>>
>>> test.be
>>> * origin = ns02.tokiogroup.be <http://ns02.tokiogroup.be>*
>>> mail addr = hostmaster.test.be
>>> serial = 1440071001
>>> refresh = 3600
>>> retry = 900
>>> expire = 1209600
>>> minimum = 3600
>>>
>>> As you can see the SOA record still shows the original default value.
>>>
>>> Kind Regards,
>>>
>>> David Dejaeghere
>>>
>>>
>>>
>>> Thank you for this bug report.
>>> I opened bind-dyndb-ldap ticket
>>> <https://fedorahosted.org/bind-dyndb-ldap/ticket/159>
>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/159
>>>
>>> Martin
>>>
>>>
>>> I maybe found why do you have this issue,
>>>
>>> do you have fake_mname configured in bind_dyndb_ldap section of
>>> named.conf?
>>> If yes then remove this option to use SOA MNAME from LDAP.
>>>
>>> Martin
>>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150820/30230a2f/attachment.htm>
More information about the Freeipa-users
mailing list