[Freeipa-users] Errors while adding DNS Zone

Petr Spacek pspacek at redhat.com
Tue Mar 10 08:35:46 UTC 2015


Hello!

First of all, what version of FreeIPA do you use? FreeIPA 4.1.what?

On 9.3.2015 19:18, Matt Wells wrote:
> I'm getting some errors on a DNS Zone that I'm attempting to create.
> My systems reside within a sub-domain of example.com.
> (xyz.example.com)
> Of course example.com is the internet address, but I want to host the
> internal example.com so we're able to point to internal intranets and
> so on.
> 
> So to the good stuff
> Regardless of what flags I give, what NS records I change, the NS
> never actually set.  I know it's something silly that I'm overlooking
> but would really love other eyes.
> 
> I go to create the zone on server2.
> [root at server2 html]# ipa dnszone-add example.com
>   Zone name: example.com.
>   Active zone: TRUE
>   Authoritative nameserver: server2.xyz.example.com.

One important note: Field 'Authoritative nameserver' shows only the SOA MNAME
value and is not related at all to NS records in the zone.

Use
$ ipa dnsrecord-show example.com. @
to see NS records in zone apex.

> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone
> example.com/IN: NS 'server2.xyz.example.com' has no address records (A
> or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone
> example.com/IN: NS 'server1.xyz.example.com' has no address records (A
> or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone
> example.com/IN: not loaded due to errors.
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]:
> update_zone (syncrepl) failed for
> 'idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com'. Zones can be
> outdated, run `rndc reload`: bad zone

At this point we need to know more information:

a) You have to add glue records for names listed in example.com NS records. It
is not obvious if you did that or not:
$ ipa dnsrecord-add example.com server1.xyz --a-rec=192.0.2.1
$ ipa dnsrecord-add example.com server2.xyz --a-rec=192.0.2.2

b) If xyz.example.com is a sub-zone you have to add NS records/delegation for
it (even if it is hosted on the same server!):
$  ipa dnsrecord-add example.com xyz --ns-rec=server1.xyz.example.com.
$  ipa dnsrecord-add example.com xyz --ns-rec=server2.xyz.example.com.

Do not forget to change names in NS records if the sub-zone is hosted on
different servers.

I hope this helps. Have a nice day!

-- 
Petr^2 Spacek
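The two checks Petr describes (glue address records for in-zone NS names, and NS records in the parent for a separately hosted sub-zone) can be run over a zone's record set before handing it to the server. The following is an added example, not FreeIPA or BIND code: `check_zone` reports the same condition named-pkcs11 logged above ("NS ... has no address records (A or AAAA)") plus missing delegations, and `suggest_glue_commands` renders the missing glue as `ipa dnsrecord-add` commands in the form used in the reply. The record set, the sub-zone list and the `<ADDRESS>` placeholder are constructed for the example.

```python
# Added example (not FreeIPA or BIND code). Checks a zone's record set for
# (a) apex NS names inside the zone that have no A/AAAA glue, the condition
# named-pkcs11 reported in the thread, and (b) sub-zones hosted as zones of
# their own but not delegated from the parent. All sample data is constructed.
from collections import defaultdict

ZONE = "example.com."

# Constructed sample records for example.com. as (owner, type, rdata); names are absolute.
SAMPLE_RECORDS = [
    (ZONE, "SOA", "server2.xyz.example.com. hostmaster.example.com. 1 3600 900 1209600 3600"),
    (ZONE, "NS", "server1.xyz.example.com."),
    (ZONE, "NS", "server2.xyz.example.com."),
    ("xyz.example.com.", "NS", "server1.xyz.example.com."),
    ("server1.xyz.example.com.", "A", "192.0.2.1"),
    # server2.xyz.example.com. has no A/AAAA record: this is the missing glue.
]

# Constructed: sub-zones that exist as separate zones (in IPA, their own dnszone entries).
SAMPLE_SUB_ZONES = ["xyz.example.com.", "lab.example.com."]


def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def _types_by_owner(records):
    """Map each owner name (lowercased) to the set of record types present at it."""
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner.lower()].add(rtype.upper())
    return types_at


def _apex_ns_names(zone, records):
    """NS target names listed at the zone apex, lowercased."""
    return [rdata.lower() for owner, rtype, rdata in records
            if owner.lower() == zone and rtype.upper() == "NS"]


def check_zone(zone, records, sub_zones=()):
    """Return a list of problem strings; an empty list means both checks pass."""
    zone = zone.lower()
    types_at = _types_by_owner(records)
    problems = []

    apex_ns = _apex_ns_names(zone, records)
    if not apex_ns:
        problems.append(f"zone {zone} has no NS records at its apex")
    # (a) every in-zone NS name needs at least one address record (glue).
    for ns in apex_ns:
        if in_zone(ns, zone) and not (types_at[ns] & {"A", "AAAA"}):
            problems.append(f"NS '{ns}' has no address records (A or AAAA)")
    # (b) every separately hosted sub-zone needs NS records in the parent zone.
    for child in sub_zones:
        child = child.lower()
        if in_zone(child, zone) and child != zone and "NS" not in types_at[child]:
            problems.append(f"sub-zone '{child}' is not delegated from {zone} (no NS records)")
    return problems


def suggest_glue_commands(zone, records):
    """Render ipa dnsrecord-add commands for missing glue, in the form used in the reply.
    <ADDRESS> is a placeholder for the real IP of each name server."""
    zone = zone.lower()
    types_at = _types_by_owner(records)
    commands = []
    for ns in _apex_ns_names(zone, records):
        if in_zone(ns, zone) and not (types_at[ns] & {"A", "AAAA"}):
            # Owner name relative to the zone, as the ipa CLI expects it.
            relative = "@" if ns == zone else ns[: -len("." + zone)]
            commands.append(f"ipa dnsrecord-add {zone.rstrip('.')} {relative} --a-rec=<ADDRESS>")
    return commands


if __name__ == "__main__":
    for problem in check_zone(ZONE, SAMPLE_RECORDS, SAMPLE_SUB_ZONES):
        print("problem:", problem)
    for cmd in suggest_glue_commands(ZONE, SAMPLE_RECORDS):
        print("fix:    ", cmd)
```

On the sample data the script reports the missing glue for server2 and the undelegated lab sub-zone, and prints the `ipa dnsrecord-add example.com server2.xyz --a-rec=<ADDRESS>` command to add the glue; once both records are present, `check_zone` returns an empty list.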