[Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Petr Spacek
pspacek at redhat.com
Tue Jul 14 12:47:18 UTC 2015
On 14.7.2015 14:44, Sina Owolabi wrote:
> Thanks Petr.
>
> Can I assume that any fresh clients added to the IDM domain, is going
> to have both its forward and reverse records populated?
Yes, as long as your configuration conforms with
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
Please let us know if you encounter any problems.
Petr^2 Spacek
> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek <pspacek at redhat.com> wrote:
>> On 14.7.2015 10:28, Sina Owolabi wrote:
>>> Thanks Martin
>>>
>>>
>>> The expanded command shows all the output. Curiously, I still don't
>>> see any reverse addresses yet except on the reverse domain for this
>>> primary zone. Ive restarted the IPA servers in hopes of a Windows-y
>>> solution but it didn't help :-)
>>
>> SyncPTR does something only when the data change. I.e. it will do nothing if
>> your A/AAAA records are up to date (even if clients send update).
>>
>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
>> probably need to script something yourself.
>>
>> Petr^2 Spacek
>>
>>> output:
>>> ipa dnszone-show mydom.com --all
>>> dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>> Zone name: mydom.com.
>>> Active zone: TRUE
>>> Authoritative nameserver: dc.mydom.com.
>>> Administrator e-mail address: hostmaster.mydom.com.
>>> SOA serial: 1436861122
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
>>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>>> Dynamic update: TRUE
>>> Allow query: any;
>>> Allow transfer: none;
>>> Allow PTR sync: TRUE
>>> arecord: pu.bl.ic.add
>>> mxrecord: 0 mail.mydom.com.
>>> nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>> objectclass: idnszone, top, idnsrecord
>>>
>>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>>
>>>>> Hi Martin
>>>>>
>>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>>> them.
>>>>> I've tried to set it in the very first zone (setup during
>>>>> installation) but dnszone-mod complains:
>>>>>
>>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>>> ipa: ERROR: no modifications to be performed
>>>>>
>>>>> But I don't see it in the show command:
>>>>>
>>>>> ipa dnszone-show mydom.com
>>>>> Zone name: mydom.com.
>>>>> Active zone: TRUE
>>>>> Authoritative nameserver: services.mydom.com.
>>>>> Administrator e-mail address: hostmaster.mydom.com.
>>>>> SOA serial: 1436799166
>>>>> SOA refresh: 3600
>>>>> SOA retry: 900
>>>>> SOA expire: 1209600
>>>>> SOA minimum: 3600
>>>>> Allow query: any;
>>>>> Allow transfer: none;
>>>>
>>>> You must use option --all
>>>>
>>>> ipa dnszone-show mydom.com --all
>>>>
>>>>
>>>> Martin
>>>>
>>>>>
>>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>>>>
>>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>>> example below.
>>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> How I created all the zones:
>>>>>>>
>>>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>>>> Active zone: TRUE
>>>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>>>> Administrator e-mail address: hostmaster
>>>>>>> SOA serial: 1436688202
>>>>>>> SOA refresh: 3600
>>>>>>> SOA retry: 900
>>>>>>> SOA expire: 1209600
>>>>>>> SOA minimum: 3000
>>>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>>> Dynamic update: TRUE
>>>>>>> Allow query: any;
>>>>>>> Allow transfer: none;
>>>>>>> Allow PTR sync: TRUE
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>>> particular
>>>>>> A/AAAA records are?
>>>>>>
>>>>>> SSSD is able to update records.
>>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>>> sssd-ipa)
More information about the Freeipa-users
mailing list