[Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
Andrey Ptashnik
APtashnik at cccis.com
Tue May 5 20:01:05 UTC 2015
I did notice the same behavior.
This is my setup:
[root at ipa-idm]# yum list installed ipa-*
Installed Packages
ipa-admintools.x86_64        4.1.0-18.el7_1.3        @rhui-REGION-rhel-server-releases
ipa-client.x86_64            4.1.0-18.el7_1.3        @rhui-REGION-rhel-server-releases
ipa-python.x86_64            4.1.0-18.el7_1.3        @rhui-REGION-rhel-server-releases
ipa-server.x86_64            4.1.0-18.el7_1.3        @rhui-REGION-rhel-server-releases
[root at ipa-idm]# yum list installed bind*
Installed Packages
bind.x86_64                  32:9.9.4-18.el7_1.1     @rhui-REGION-rhel-server-releases
bind-dyndb-ldap.x86_64       6.0-2.el7               @rhui-REGION-rhel-server-releases
bind-libs.x86_64             32:9.9.4-18.el7_1.1     @rhui-REGION-rhel-server-releases
bind-libs-lite.x86_64        32:9.9.4-18.el7_1.1     @rhui-REGION-rhel-server-releases
bind-license.noarch          32:9.9.4-18.el7_1.1     @rhui-REGION-rhel-server-releases
bind-utils.x86_64            32:9.9.4-18.el7_1.1     @rhui-REGION-rhel-server-releases
In my setup slaves are various DNS servers including Win2k3, Win2k8 and
Bind that I don’t have access to, but according to IPA server logs they
don’t receive “NOTIFY” messages OR IPA server does not send them to slaves.
Regards,
Andrey
On 5/4/15, 10:24 PM, "nathan at nathanpeters.com" <nathan at nathanpeters.com>
wrote:
>freeipa-admintools.x86_64          4.1.4-1.el7.centos                @mkosek-freeipa
>freeipa-client.x86_64              4.1.4-1.el7.centos                @mkosek-freeipa
>freeipa-python.x86_64              4.1.4-1.el7.centos                @mkosek-freeipa
>freeipa-server.x86_64              4.1.4-1.el7.centos                @mkosek-freeipa
>freeipa-server-trust-ad.x86_64     4.1.4-1.el7.centos                @mkosek-freeipa
>
>bind.x86_64                        32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>bind-dyndb-ldap.x86_64             6.1-1.el7.centos                  @mkosek-freeipa
>bind-libs.x86_64                   32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>bind-libs-lite.x86_64              32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>bind-license.noarch                32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>bind-pkcs11.x86_64                 32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>bind-pkcs11-libs.x86_64            32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>bind-pkcs11-utils.x86_64           32:9.9.4-20.el7.centos.pkcs11     @mkosek-freeipa
>
>And for reference here are the relevant A and NS records from my domain
>
>@ NS dc1.mydomain.net.
>@ NS dc2.mydomain.net.
>@ NS dns1.mydomain.net.
>dns1 A 10.21.0.14
>
>> Hello!
>>
>> On 2.5.2015 17:12, Nathan Peters wrote:
>>> The last 3 sentences of my original post refer to me adding the NS
>>> records for the slave. Is that what you mean?
>>>
>>> "I have also ensured that the slave hostname and IP are in FreeIPA DNS.
>>> I have also added an NS entry pointing to the slave."
>>
>> Which version of FreeIPA and bind-dyndb-ldap are you using?
>>
>> I will look into it.
>>
>> Petr^2 Spacek
>>
>>
>>> -----Original Message----- From: Baird, Josh
>>> Sent: Saturday, May 02, 2015 7:33 AM
>>> To: 'nathan at nathanpeters.com' ; freeipa-users at redhat.com
>>> Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being
>>> sent to
>>> slaves
>>>
>>> Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately,
>>> bind-dyndb-ldap does not support 'also-notify' which would allow us to
>>> send notifies each time a zone update occurs to slave servers that are not
>>> in the RRSet [1]. To compensate for this in my environment, I had to lower
>>> the 'refresh' timer on the IPA zone.
>>>
>>> [1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of
>>> nathan at nathanpeters.com
>>> Sent: Friday, May 1, 2015 8:20 PM
>>> To: freeipa-users at redhat.com
>>> Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent
>>> to slaves
>>>
>>> I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.
>>>
>>> I also have another host running PowerDNS serving as a slave.
>>> The FreeIPA servers are set up to allow transfers to the slave by IP.
>>> When adding the zone, the slave transferred it properly.
>>>
>>> However, when I update the zone in FreeIPA, although the serial number
>>> changes, in the /var/log/messages I only see an attempt to transfer to
>>> the second IPA server, and not the slave. This is the only log entry:
>>>
>>> May 2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
>>> May 2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'
>>>
>>> I have restarted all services using ipactl restart several times. I
>>> have also ensured that the slave hostname and IP are in FreeIPA DNS. I
>>> have also added an NS entry pointing to the slave.
>>>
>>> According to the FreeIPA manual, once that NS entry is added, any zone
>>> updates should trigger a notify, but still the only notifications go out
>>> to FreeIPA servers and nothing else.
>>>
>>> Any idea how to fix this so FreeIPA notifies non-IPA servers? I'm
>>> pretty sure I've followed all the instructions to the letter on this one...
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>>
>> --
>> Petr^2 Spacek
>>
>>
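Josh's reply above makes two operational points: a bind-dyndb-ldap primary without 'also-notify' only sends NOTIFY to the servers listed in the zone's apex NS RRset, and a secondary outside that set falls back to polling at the SOA 'refresh' interval. The script below is an added example, not code from the thread, from FreeIPA or from bind-dyndb-ldap. It parses a small zone snippet and reports, for a given secondary, whether it is a NOTIFY target and, if not, how stale it can get before its next SOA refresh. The zone text is constructed from the NS and A records Nathan quoted; the SOA record, its refresh value of 3600 seconds, and the host name pdns-slave.mydomain.net are assumptions added for illustration. Note that it only checks the prerequisite Josh asks about; in the thread dns1 already is in the NS RRset, so this check would pass there and the missing NOTIFY would still need investigating in named's logs.

```python
# Added example (not from the thread, FreeIPA or bind-dyndb-ldap): checks
# whether a secondary is in the apex NS RRset (the default NOTIFY targets
# when also-notify is unavailable) and, if not, bounds its staleness by
# the SOA refresh timer. Zone text below is constructed: NS/A records come
# from the thread, the SOA record and its timers are made up.

SAMPLE_ZONE = """\
$ORIGIN mydomain.net.
; constructed SOA: mname rname serial refresh retry expire minimum
@ SOA dc1.mydomain.net. hostmaster.mydomain.net. 1430528817 3600 900 1209600 3600
@ NS dc1.mydomain.net.
@ NS dc2.mydomain.net.
@ NS dns1.mydomain.net.
dns1 A 10.21.0.14
"""


def parse_zone(text):
    """Parse a minimal one-record-per-line zone file.

    Returns (origin, records); each record is (owner, rtype, rdata_fields).
    Comments after ';' are stripped and $ORIGIN is honoured; $TTL, class
    fields and parenthesised multi-line records are deliberately not handled.
    """
    origin = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, *rdata = line.split()
        records.append((owner, rtype.upper(), rdata))
    if origin is None:
        raise ValueError("zone text has no $ORIGIN")
    return origin, records


def fqdn(name, origin):
    """Expand '@' or a relative name against the zone origin; lower-case it."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def apex_ns_rrset(zone_text):
    """FQDNs in the apex NS RRset: the hosts a primary notifies by default."""
    origin, records = parse_zone(zone_text)
    return {fqdn(rdata[0], origin)
            for owner, rtype, rdata in records
            if rtype == "NS" and fqdn(owner, origin) == origin.lower()}


def soa_timers(zone_text):
    """Serial and refresh/retry/expire timers from the apex SOA record."""
    origin, records = parse_zone(zone_text)
    for owner, rtype, rdata in records:
        if rtype == "SOA" and fqdn(owner, origin) == origin.lower():
            # rdata layout: mname rname serial refresh retry expire minimum
            return {"serial": int(rdata[2]), "refresh": int(rdata[3]),
                    "retry": int(rdata[4]), "expire": int(rdata[5])}
    raise ValueError("zone text has no apex SOA")


def notify_status(zone_text, secondary):
    """Is `secondary` a NOTIFY target, and if not, how long can it lag?

    Without also-notify the primary only notifies the apex NS RRset. A
    secondary outside it learns of a change no later than its next SOA
    refresh query, so the SOA refresh value bounds its worst-case lag.
    """
    origin, _ = parse_zone(zone_text)
    name = fqdn(secondary, origin)
    in_rrset = name in apex_ns_rrset(zone_text)
    return {
        "secondary": name,
        "in_ns_rrset": in_rrset,
        "max_lag_seconds": 0 if in_rrset else soa_timers(zone_text)["refresh"],
    }


if __name__ == "__main__":
    # "pdns-slave" is a hypothetical host not present in the sample NS RRset.
    for host in ("dns1", "pdns-slave.mydomain.net."):
        print(notify_status(SAMPLE_ZONE, host))
```

Run against a real zone, the check is the same one Josh describes in words: if the secondary is missing from the output of apex_ns_rrset, lowering the SOA refresh is the only lever bind-dyndb-ldap offers, and max_lag_seconds tells you what that lever buys.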