[Freeipa-users] Could not update DNSSSHFP records when joining domain

Martin Kosek mkosek at redhat.com
Fri Jun 5 06:27:37 UTC 2015


On 06/05/2015 12:27 AM, nathan at nathanpeters.com wrote:
>>> I am running FreeIPA 4.1.3 on CentOS7.
>>>
>>> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>>>
>>> The client hostname is ipaclient.login.mydomain.net.
>>>
>>> The FreeIPA domain is mydomain.net.
>>>
>>> This post here:
>>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
>>> states that making all DNS entries into a single zone rather than having
>>> a separate zone for login.mydomain.net is a perfectly acceptable design
>>> choice.
>>>
>>> However, an issue occurs when joining the client. It joins the domain
>>> fine and creates the initial DNS A entry, but then, according to the
>>> logs, when it goes to update the DNS SSHFP records, it fails because it
>>> tries to update the nonexistent zone login.mydomain.net instead of just
>>> updating mydomain.net. To be clear, the SSH host keys are in the client
>>> record, so the only issue is with adding them to DNS.
>>>
>>> Here are the relevant log entries generated with ipa-client-install:
>>>
>>> 2015-06-03T16:11:12Z DEBUG stderr=
>>> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
>>> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
>>> update delete ipaclient.login.mydomain.net. IN SSHFP
>>> send
>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
>>> send
>>>
>>> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>>> 2015-06-03T16:11:13Z DEBUG stdout=
>>> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
>>> update failed: NOTAUTH
>>>
>>> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
>>> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
>>>
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>> Here are some more entries from /var/named/data/named.run.
>>
>> You'll notice that in the first set of entries I added the hosts with the
>> incorrect subdomain set, and it worked fine.
>>
>> In the second set I gave the correct hostnames, and even though it claims
>> it's still trying to update the mydomain.net file, it says it's not
>> authorized. I am thoroughly confused by this behavior.
>>
>> successful
>> ----------
>> 01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key
>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A
>> 01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key
>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A
>> 01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key
>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP
>> 01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key
>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
>> 01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key
>> host/ipaclient.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
>>
>> unsuccessful
>> ------------
>> 03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key
>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': update failed: not authoritative for update zone
>> (NOTAUTH)
>> 03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key
>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': update failed: not authoritative for update zone
>> (NOTAUTH)
>> 03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key
>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': update failed: not authoritative for update zone
>> (NOTAUTH)
>> 03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key
>> host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
>> 'mydomain.net/IN': update failed: not authoritative for update zone
>> (NOTAUTH)
>>
>>
>>
>
> So can anyone at least tell me whether it is intended that you have to
> create a separate DNS subdomain rather than one big domain file in order
> to get DNS SSHFP records to save, or is that a bug and you should be able
> to just have one large domain and not break out the subdomains?

I thought it is not needed to create subdomains in order for nsupdate to work.
Maybe it is an update policy thing? Petr, do you know?
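The nsupdate batch in the log names `zone login.mydomain.net.`, i.e. the host name with its first label stripped, while the only zone the server serves is mydomain.net. In BIND, "not authoritative for update zone (NOTAUTH)" means the name in the request's zone section did not exactly match a served zone (the zone it prints is the closest enclosing one it found); a denial by update-policy is logged as REFUSED instead, which is a useful way to tell the two apart. The following script is an added example, not FreeIPA or BIND code: it builds the same batch but picks the zone by longest-suffix match against a list of served zones (supplied by hand here; in practice you would discover them with SOA queries) and computes the SSHFP RDATA from an OpenSSH public-key line as RFC 4255/6594 specify, the hash of the decoded key blob. The RSA key embedded below is a constructed toy with a tiny modulus, used only so the script runs offline; `TOY_KEY_LINE`, `SERVED_ZONES` and `HOST` are assumptions.

```python
"""Build the nsupdate batch that publishes a host's SSHFP records, choosing
the zone by longest-suffix match instead of stripping the first label.
Added example; not FreeIPA code. Key material below is constructed."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) keyed by the OpenSSH key type
SSHFP_ALG = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (what the 2015 log shows), 2 = SHA-256
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian two's complement, length-prefixed."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:      # leading zero keeps the number positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Public key blob as found base64-encoded in ssh_host_rsa_key.pub."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def sshfp_rdata(pubkey_line: str, fptype: int = 1) -> str:
    """RDATA 'alg fptype HEX' for one line of an OpenSSH *.pub file.

    The fingerprint is the hash of the decoded key blob, which is what
    'ssh-keygen -r' prints for the same key.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = SSHFP_HASH[fptype](blob).hexdigest().upper()
    return "%d %d %s" % (SSHFP_ALG[keytype], fptype, digest)


def enclosing_zone(fqdn: str, served_zones) -> str:
    """Longest served zone that contains fqdn, returned with a trailing dot.

    nsupdate's 'zone' statement must name a zone the server actually serves;
    naming a non-existent child zone is answered with NOTAUTH.
    """
    name = fqdn.rstrip(".").lower()
    best = ""
    for zone in served_zones:
        zone = zone.rstrip(".").lower()
        if (name == zone or name.endswith("." + zone)) and len(zone) > len(best):
            best = zone
    if not best:
        raise ValueError("no served zone contains %s" % fqdn)
    return best + "."


def nsupdate_script(fqdn: str, served_zones, pubkey_lines, ttl: int = 1200) -> str:
    """The text handed to 'nsupdate -g', in the layout the client log shows."""
    owner = fqdn.rstrip(".") + "."
    out = ["zone %s" % enclosing_zone(owner, served_zones),
           "update delete %s IN SSHFP" % owner,
           "send"]
    for line in pubkey_lines:
        out.append("update add %s %d IN SSHFP %s" % (owner, ttl, sshfp_rdata(line)))
    out.append("send")
    return "\n".join(out) + "\n"


# Constructed, insecure toy RSA key: tiny modulus, never use as a real host key.
TOY_KEY_LINE = "ssh-rsa " + base64.b64encode(
    rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)).decode() + " root@ipaclient"

SERVED_ZONES = ["mydomain.net"]          # single-zone layout from the thread
HOST = "ipaclient.login.mydomain.net"    # client name from the thread

if __name__ == "__main__":
    print(nsupdate_script(HOST, SERVED_ZONES, [TOY_KEY_LINE]))
```

Run against a real host, feed it the lines of /etc/ssh/ssh_host_*_key.pub and compare the RDATA with `ssh-keygen -r <hostname> -f /etc/ssh/ssh_host_rsa_key.pub`; the two must agree before you trust what gets published. If the same script produces a batch that named still rejects, look at the rcode: NOTAUTH means the `zone` line is still wrong, REFUSED means the host principal is not allowed by the update policy.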