[Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

Petr Spacek pspacek at redhat.com
Tue Jul 14 12:47:18 UTC 2015 

On 14.7.2015 14:44, Sina Owolabi wrote:
> Thanks Petr.
> 
> Can I assume that any fresh clients added to the IDM domain, is going
> to have both its forward and reverse records populated?

Yes, as long as your configuration conforms with
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR

Please let us know if you encounter any problems.

Petr^2 Spacek

> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek <pspacek at redhat.com> wrote:
>> On 14.7.2015 10:28, Sina Owolabi wrote:
>>> Thanks Martin
>>>
>>>
>>> The expanded command shows all the output. Curiously, I still don't
>>> see any reverse addresses yet except on the reverse domain for this
>>> primary zone. Ive restarted the IPA servers in hopes of a Windows-y
>>> solution but it didn't help :-)
>>
>> SyncPTR does something only when the data change. I.e. it will do nothing if
>> your A/AAAA records are up to date (even if clients send update).
>>
>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
>> probably need to script something yourself.
>>
>> Petr^2 Spacek
>>
>>> output:
>>> ipa dnszone-show mydom.com --all
>>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>>   Zone name: mydom.com.
>>>   Active zone: TRUE
>>>   Authoritative nameserver: dc.mydom.com.
>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>   SOA serial: 1436861122
>>>   SOA refresh: 3600
>>>   SOA retry: 900
>>>   SOA expire: 1209600
>>>   SOA minimum: 3600
>>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
>>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>>>   Dynamic update: TRUE
>>>   Allow query: any;
>>>   Allow transfer: none;
>>>   Allow PTR sync: TRUE
>>>   arecord: pu.bl.ic.add
>>>   mxrecord: 0 mail.mydom.com.
>>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>>   objectclass: idnszone, top, idnsrecord
>>>
>>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>>
>>>>> Hi Martin
>>>>>
>>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>>> them.
>>>>> I've tried to set it in the very first zone (setup during
>>>>> installation) but dnszone-mod complains:
>>>>>
>>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>>> ipa: ERROR: no modifications to be performed
>>>>>
>>>>> But I don't see it in the show command:
>>>>>
>>>>>   ipa dnszone-show mydom.com
>>>>>    Zone name: mydom.com.
>>>>>    Active zone: TRUE
>>>>>    Authoritative nameserver: services.mydom.com.
>>>>>    Administrator e-mail address: hostmaster.mydom.com.
>>>>>    SOA serial: 1436799166
>>>>>    SOA refresh: 3600
>>>>>    SOA retry: 900
>>>>>    SOA expire: 1209600
>>>>>    SOA minimum: 3600
>>>>>    Allow query: any;
>>>>>    Allow transfer: none;
>>>>
>>>> You must use option --all
>>>>
>>>> ipa dnszone-show mydom.com --all
>>>>
>>>>
>>>> Martin
>>>>
>>>>>
>>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>>>>
>>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>>> example below.
>>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> How I created all the zones:
>>>>>>>
>>>>>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>>>     Zone name: 0.14.10.in-addr.arpa.
>>>>>>>     Active zone: TRUE
>>>>>>>     Authoritative nameserver: services.ourdomain.com.
>>>>>>>     Administrator e-mail address: hostmaster
>>>>>>>     SOA serial: 1436688202
>>>>>>>     SOA refresh: 3600
>>>>>>>     SOA retry: 900
>>>>>>>     SOA expire: 1209600
>>>>>>>     SOA minimum: 3000
>>>>>>>     BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>>>     Dynamic update: TRUE
>>>>>>>     Allow query: any;
>>>>>>>     Allow transfer: none;
>>>>>>>     Allow PTR sync: TRUE
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>>> particular
>>>>>> A/AAAA records are?
>>>>>>
>>>>>> SSSD is able to update records.
>>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>>> sssd-ipa)

More information about the Freeipa-users mailing list