[Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

Sina Owolabi notify.sina at gmail.com
Tue Jul 14 12:50:27 UTC 2015


Thank you again.
The configuration does conform.

On Tue, Jul 14, 2015 at 1:47 PM, Petr Spacek <pspacek at redhat.com> wrote:
> On 14.7.2015 14:44, Sina Owolabi wrote:
>> Thanks Petr.
>>
>> Can I assume that any fresh clients added to the IDM domain are going
>> to have both their forward and reverse records populated?
>
> Yes, as long as your configuration conforms with
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
>
> Please let us know if you encounter any problems.
>
> Petr^2 Spacek
>
>> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek <pspacek at redhat.com> wrote:
>>> On 14.7.2015 10:28, Sina Owolabi wrote:
>>>> Thanks Martin
>>>>
>>>>
>>>> The expanded command shows all the output. Curiously, I still don't
>>>> see any reverse addresses yet except on the reverse domain for this
>>>> primary zone. I've restarted the IPA servers in hopes of a Windows-y
>>>> solution but it didn't help :-)
>>>
>>> SyncPTR does something only when the data change. I.e. it will do nothing if
>>> your A/AAAA records are up to date (even if clients send update).
>>>
>>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
>>> probably need to script something yourself.
>>>
>>> Petr^2 Spacek
>>>
>>>> output:
>>>> ipa dnszone-show mydom.com --all
>>>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>>>   Zone name: mydom.com.
>>>>   Active zone: TRUE
>>>>   Authoritative nameserver: dc.mydom.com.
>>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>>   SOA serial: 1436861122
>>>>   SOA refresh: 3600
>>>>   SOA retry: 900
>>>>   SOA expire: 1209600
>>>>   SOA minimum: 3600
>>>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
>>>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>>>>   Dynamic update: TRUE
>>>>   Allow query: any;
>>>>   Allow transfer: none;
>>>>   Allow PTR sync: TRUE
>>>>   arecord: pu.bl.ic.add
>>>>   mxrecord: 0 mail.mydom.com.
>>>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>>>   objectclass: idnszone, top, idnsrecord
>>>>
>>>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>>>
>>>>>> Hi Martin
>>>>>>
>>>>>> Yes, all my sssd configs have ipa_dyndns_update = True set.
>>>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>>>> them.
>>>>>> I've tried to set it in the very first zone (setup during
>>>>>> installation) but dnszone-mod complains:
>>>>>>
>>>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>>>> ipa: ERROR: no modifications to be performed
>>>>>>
>>>>>> But I don't see it in the show command:
>>>>>>
>>>>>>   ipa dnszone-show mydom.com
>>>>>>    Zone name: mydom.com.
>>>>>>    Active zone: TRUE
>>>>>>    Authoritative nameserver: services.mydom.com.
>>>>>>    Administrator e-mail address: hostmaster.mydom.com.
>>>>>>    SOA serial: 1436799166
>>>>>>    SOA refresh: 3600
>>>>>>    SOA retry: 900
>>>>>>    SOA expire: 1209600
>>>>>>    SOA minimum: 3600
>>>>>>    Allow query: any;
>>>>>>    Allow transfer: none;
>>>>>
>>>>> You must use option --all
>>>>>
>>>>> ipa dnszone-show mydom.com --all
>>>>>
>>>>>
>>>>> Martin
>>>>>
>>>>>>
>>>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mbasti at redhat.com> wrote:
>>>>>>>
>>>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>>>> example below.
>>>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>>>
>>>>>>>> Thanks in advance!
>>>>>>>>
>>>>>>>> How I created all the zones:
>>>>>>>>
>>>>>>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>>>>     Zone name: 0.14.10.in-addr.arpa.
>>>>>>>>     Active zone: TRUE
>>>>>>>>     Authoritative nameserver: services.ourdomain.com.
>>>>>>>>     Administrator e-mail address: hostmaster
>>>>>>>>     SOA serial: 1436688202
>>>>>>>>     SOA refresh: 3600
>>>>>>>>     SOA retry: 900
>>>>>>>>     SOA expire: 1209600
>>>>>>>>     SOA minimum: 3000
>>>>>>>>     BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>>>>     Dynamic update: TRUE
>>>>>>>>     Allow query: any;
>>>>>>>>     Allow transfer: none;
>>>>>>>>     Allow PTR sync: TRUE
>>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>>>> particular A/AAAA records are?
>>>>>>>
>>>>>>> SSSD is able to update records.
>>>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>>>> sssd-ipa)
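
Petr's point in the thread is that SyncPTR only fires when an A/AAAA record actually changes, so hosts registered before --allow-sync-ptr was enabled keep empty reverse zones until someone "scripts something". The following is an added example of such a script, written for this page; it is not FreeIPA's code nor anything the thread participants posted. It derives the reverse zone and PTR owner name for each (hostname, address) pair and emits the matching `ipa dnsrecord-add ... --ptr-rec=` command. Assumptions (all labelled in the code): reverse zones are delegated on /24 (IPv4) and /64 (IPv6) boundaries, those zones already exist in IPA, the caller holds an admin Kerberos ticket when `--apply` is used, and the host list `SAMPLE_HOSTS` is constructed sample data that in practice would come from `ipa dnsrecord-find mydom.com` output or an inventory. Unlike the thread's single /24 case, the helper handles any byte-aligned IPv4 or nibble-aligned IPv6 zone size.

```python
"""Plan (and optionally apply) missing PTR records for a list of hosts.

Added example for the freeipa-users thread above, not a FreeIPA tool.
bind-dyndb-ldap's SyncPTR creates PTR records only when an A/AAAA record
changes, so pre-existing hosts need a one-off pass like this one.

Assumptions: reverse zones are cut on /24 (IPv4) and /64 (IPv6) boundaries
(adjustable below), the zones already exist in IPA, and `--apply` is run
with an admin Kerberos ticket.
"""
import ipaddress
import shlex
import subprocess
import sys


def reverse_zone_and_name(address, v4_prefix=24, v6_prefix=64):
    """Split the reverse-pointer name of `address` into (zone, relative name).

    e.g. "10.14.0.5" with a /24 zone -> ("0.14.10.in-addr.arpa.", "5")
    Raises ValueError when the zone prefix does not fall on a label boundary
    (8 bits per IPv4 label, 4 bits per IPv6 nibble).
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        bits_per_label, prefix = 8, v4_prefix
    else:
        bits_per_label, prefix = 4, v6_prefix
    if prefix % bits_per_label:
        raise ValueError(f"zone prefix /{prefix} is not on a label boundary")
    # reverse_pointer gives e.g. "5.0.14.10.in-addr.arpa" (no trailing dot)
    labels = ip.reverse_pointer.split(".")
    host_labels = (ip.max_prefixlen - prefix) // bits_per_label
    name = ".".join(labels[:host_labels])
    zone = ".".join(labels[host_labels:]) + "."   # IPA zone names are absolute
    return zone, name


def plan_ptr_records(hosts, **zone_sizes):
    """Return [(zone, name, target_fqdn)] for every (hostname, address) pair.

    Exact duplicates are collapsed, and the PTR target is always made
    absolute (trailing dot) because a relative target would be appended
    to the reverse zone name.
    """
    seen = set()
    plan = []
    for hostname, address in hosts:
        fqdn = hostname if hostname.endswith(".") else hostname + "."
        zone, name = reverse_zone_and_name(address, **zone_sizes)
        entry = (zone, name, fqdn)
        if entry not in seen:
            seen.add(entry)
            plan.append(entry)
    return plan


def ipa_commands(plan):
    """Render each planned record as an `ipa dnsrecord-add` argv list.

    `--ptr-rec` is the ipa CLI option carrying PTR data.  If identical PTR
    data is already present, ipa reports an error instead of duplicating
    it, so re-running the plan is harmless.
    """
    return [
        ["ipa", "dnsrecord-add", zone, name, f"--ptr-rec={target}"]
        for zone, name, target in plan
    ]


# Constructed sample input (hypothetical hosts under the thread's mydom.com).
SAMPLE_HOSTS = [
    ("web01.mydom.com", "10.14.0.5"),
    ("web01.mydom.com", "10.14.0.5"),        # duplicate, collapsed by the plan
    ("db01.mydom.com.", "10.14.1.20"),       # already absolute
    ("v6host.mydom.com", "2001:db8:10:14::1"),
]

if __name__ == "__main__":
    apply = "--apply" in sys.argv
    for cmd in ipa_commands(plan_ptr_records(SAMPLE_HOSTS)):
        print(" ".join(shlex.quote(part) for part in cmd))
        if apply:
            # Needs a valid admin ticket (kinit admin) on an IPA-enrolled host.
            subprocess.run(cmd, check=False)
```

Run it without arguments to review the commands it would issue; add `--apply` to execute them. Once every pre-existing host has its PTR record, SyncPTR keeps the reverse zones current on its own for later A/AAAA changes, so this is a one-time backfill rather than something to schedule.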



