[Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

Sina Owolabi notify.sina at gmail.com
Tue Jul 14 12:44:36 UTC 2015


Thanks Petr.

Can I assume that any fresh client added to the IDM domain is going
to have both its forward and reverse records populated?

On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek <pspacek at redhat.com> wrote:
> On 14.7.2015 10:28, Sina Owolabi wrote:
>> Thanks Martin
>>
>>
>> The expanded command shows all the output. Curiously, I still don't
>> see any reverse addresses yet except on the reverse domain for this
>> primary zone. I've restarted the IPA servers in hopes of a Windows-y
>> solution but it didn't help :-)
>
> SyncPTR does something only when the data change. I.e. it will do nothing if
> your A/AAAA records are up to date (even if clients send update).
>
> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
> probably need to script something yourself.
>
> Petr^2 Spacek
>
>> output:
>> ipa dnszone-show mydom.com --all
>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>   Zone name: mydom.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: dc.mydom.com.
>>   Administrator e-mail address: hostmaster.mydom.com.
>>   SOA serial: 1436861122
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>>   Dynamic update: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>>   Allow PTR sync: TRUE
>>   arecord: pu.bl.ic.add
>>   mxrecord: 0 mail.mydom.com.
>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>   objectclass: idnszone, top, idnsrecord
>>
>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mbasti at redhat.com> wrote:
>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>
>>>> Hi Martin
>>>>
>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>> them.
>>>> I've tried to set it in the very first zone (setup during
>>>> installation) but dnszone-mod complains:
>>>>
>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>> ipa: ERROR: no modifications to be performed
>>>>
>>>> But I don't see it in the show command:
>>>>
>>>>   ipa dnszone-show mydom.com
>>>>    Zone name: mydom.com.
>>>>    Active zone: TRUE
>>>>    Authoritative nameserver: services.mydom.com.
>>>>    Administrator e-mail address: hostmaster.mydom.com.
>>>>    SOA serial: 1436799166
>>>>    SOA refresh: 3600
>>>>    SOA retry: 900
>>>>    SOA expire: 1209600
>>>>    SOA minimum: 3600
>>>>    Allow query: any;
>>>>    Allow transfer: none;
>>>
>>> You must use option --all
>>>
>>> ipa dnszone-show mydom.com --all
>>>
>>>
>>> Martin
>>>
>>>>
>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>>>
>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>> example below.
>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> How I created all the zones:
>>>>>>
>>>>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>>     Zone name: 0.14.10.in-addr.arpa.
>>>>>>     Active zone: TRUE
>>>>>>     Authoritative nameserver: services.ourdomain.com.
>>>>>>     Administrator e-mail address: hostmaster
>>>>>>     SOA serial: 1436688202
>>>>>>     SOA refresh: 3600
>>>>>>     SOA retry: 900
>>>>>>     SOA expire: 1209600
>>>>>>     SOA minimum: 3000
>>>>>>     BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>>     Dynamic update: TRUE
>>>>>>     Allow query: any;
>>>>>>     Allow transfer: none;
>>>>>>     Allow PTR sync: TRUE
>>>>>>
>>>>> Hello,
>>>>>
>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>> particular A/AAAA records are?
>>>>>
>>>>> SSSD is able to update records.
>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>> sssd-ipa)
>
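Petr's remark that there is no pre-made tool for the mass PTR update invites a small script. The following is an added example, not code from this thread or from the FreeIPA project: it takes the A records of a forward zone (here constructed sample data; in practice the output of `ipa dnsrecord-find`), works out which managed reverse zone each address belongs to, and prints the `ipa dnsrecord-add` commands for the PTR records that are missing or stale, so an administrator can review them before running anything.

```python
"""Plan the PTR records that SyncPTR never created for pre-existing A records."""
import ipaddress
import shlex

# Constructed sample input: (owner name, address) pairs as they would be
# collected from `ipa dnsrecord-find mydom.com.`; names and addresses are made up.
SAMPLE_A_RECORDS = [
    ("dc01.mydom.com.", "10.14.0.5"),
    ("dc02.mydom.com.", "10.14.0.6"),
    ("web.mydom.com.", "10.14.1.20"),
    ("ext.mydom.com.", "192.0.2.7"),      # no reverse zone managed for this range
]
SAMPLE_REVERSE_ZONES = ["0.14.10.in-addr.arpa.", "1.14.10.in-addr.arpa."]
# PTR records already present, keyed by (zone, relative name).
SAMPLE_EXISTING_PTRS = {("0.14.10.in-addr.arpa.", "5"): "dc01.mydom.com."}


def reverse_name(ip):
    """Absolute reverse name for an IPv4/IPv6 address, e.g. 5.0.14.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def locate_in_zone(fqdn, zones):
    """Return (zone, relative name) for the longest managed zone containing fqdn."""
    matches = [z for z in zones if fqdn == z or fqdn.endswith("." + z)]
    if not matches:
        return None
    zone = max(matches, key=len)
    return zone, ("@" if fqdn == zone else fqdn[: -len(zone) - 1])


def plan_ptr_updates(a_records, reverse_zones, existing_ptrs):
    """List (zone, name, target) for every A record without a matching PTR."""
    plan = []
    for host, ip in a_records:
        located = locate_in_zone(reverse_name(ip), reverse_zones)
        if located is None:
            continue            # IPA does not serve that reverse zone; skip it
        zone, rel = located
        if existing_ptrs.get((zone, rel)) == host:
            continue            # PTR already correct, like SyncPTR would leave it
        plan.append((zone, rel, host))
    return plan


def to_ipa_commands(plan):
    """Render the plan as shell-safe `ipa dnsrecord-add` invocations."""
    return ["ipa dnsrecord-add %s %s --ptr-rec=%s"
            % (shlex.quote(z), shlex.quote(n), shlex.quote(t)) for z, n, t in plan]


if __name__ == "__main__":
    plan = plan_ptr_updates(SAMPLE_A_RECORDS, SAMPLE_REVERSE_ZONES, SAMPLE_EXISTING_PTRS)
    print("\n".join(to_ipa_commands(plan)))
```

A PTR that already exists but points at a different host still appears in the plan; `dnsrecord-add` would then add a second PTR rather than replace it, so those entries deserve a look before the commands are run.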