[Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

Petr Spacek pspacek at redhat.com
Wed May 6 11:22:38 UTC 2015


Hello!

On 5.5.2015 00:24, nathan at nathanpeters.com wrote:
> bind.x86_64                        32:9.9.4-20.el7.centos.pkcs11
> @mkosek-freeipa
> bind-dyndb-ldap.x86_64             6.1-1.el7.centos

This version works for me (tested on Fedora 21).

> And for reference here are the relevant A and NS records from my domain
> 
> @ NS dc1.mydomain.net.
> @ NS dc2.mydomain.net.
> @ NS dns1.mydomain.net.
> dns1 A 10.21.0.14

I would recommend that you double-check whether the commands

$ dig @<IPA server> dc1.mydomain.net. A
$ dig @<IPA server> dc2.mydomain.net. A
$ dig @<IPA server> dns1.mydomain.net. A

actually return an IP address or not. Unfortunately BIND does not report an
error if it is unable to resolve the name and silently ignores the name when
notifications are sent.

For testing purposes I use these commands (on server):
$ tcpdump -i any 'port 53'
$ rndc notify mydomain.net.

Look for a line from tcpdump with note 'notify' in it. I can see the notify
packet as soon as BIND prints 'sending notifies' message to the journal.

I hope this helps.

Petr^2 Spacek

>> Hello!
>>
>> On 2.5.2015 17:12, Nathan Peters wrote:
>>> The last 3 sentences of my original post refer to me adding the NS
>>> records for
>>> the slave.  Is that what you mean?
>>>
>>> "I have also ensured that the slave hostname and IP are in FreeIPA DNS.
>>> I
>>> have also added an NS entry pointing to the slave."
>>
>> Which version of FreeIPA and bind-dyndb-ldap are you using?
>>
>> I will look into it.
>>
>> Petr^2 Spacek
>>
>>
>>> -----Original Message----- From: Baird, Josh
>>> Sent: Saturday, May 02, 2015 7:33 AM
>>> To: 'nathan at nathanpeters.com' ; freeipa-users at redhat.com
>>> Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being
>>> sent to
>>> slaves
>>>
>>> Is the PowerDNS slave in the NS RRSet for the IPA domain?
>>> Unfortunately,
>>> bind-dyndb-ldap does not support 'also-notify' which would allow us to
>>> send
>>> notifies each time a zone update occurs to slave servers that are not in
>>> the
>>> RRSet [1].  To compensate for this in my environment, I had to lower the
>>> 'refresh' timer on the IPA zone.
>>>
>>> [1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of
>>> nathan at nathanpeters.com
>>> Sent: Friday, May 1, 2015 8:20 PM
>>> To: freeipa-users at redhat.com
>>> Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent
>>> to slaves
>>>
>>> I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.
>>>
>>> I also have another host running PowerDNS serving as a slave.
>>> The FreeIPA servers are set up to allow transfers to the slave by IP.
>>> When
>>> adding the zone, the slave transferred it properly.
>>>
>>> However, when I update the zone in FreeIPA, although the serial number
>>> changes, in the /var/log/messages I only see an attempt to transfer to
>>> the
>>> second IPA server, and not the slave.  This is the only log entry:
>>>
>>> May  2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
>>> May  2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'
>>>
>>> I have restarted all services using ipactl restart several times.  I
>>> have also
>>> ensured that the slave hostname and IP are in FreeIPA DNS.  I have also
>>> added
>>> an NS entry pointing to the slave.
>>>
>>> According to the FreeIPA manual, once that NS entry is added, any zone
>>> updates
>>> should trigger a notify, but still the only notifications go out to
>>> FreeIPA
>>> servers and nothing else.
>>>
>>> Any idea how to fix this so FreeIPA notifies non-IPA servers?  I'm
>>> pretty sure
>>> I've followed all the instructions to the letter on this one...
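The dig checks Petr suggests, scripted as an added example (not code from the thread or from FreeIPA/bind-dyndb-ldap): it reads the zone's NS RRset from one server, queries A/AAAA for every NS target on that same server, and lists the targets BIND would silently skip when sending NOTIFY. The sample dig output and the 10.21.0.11/12 addresses are constructed; dc1/dc2 resolve, dns1 does not.

```python
import subprocess

def parse_dig_answers(output):
    """Parse 'dig +noall +answer' output into (owner, rtype, rdata) tuples."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        # zone-file form: owner ttl class type rdata; skip comments and blanks
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((fields[0].lower(), fields[3], " ".join(fields[4:]).lower()))
    return records

def ns_targets(zone_ns_output):
    """NS target names from the zone's NS answer, in the order dig printed them."""
    return [rdata for _, rtype, rdata in parse_dig_answers(zone_ns_output) if rtype == "NS"]

def unresolvable_targets(targets, address_output):
    """NS targets with no A/AAAA answer: BIND drops these from NOTIFY without an error."""
    have_addr = {owner for owner, rtype, _ in parse_dig_answers(address_output)
                 if rtype in ("A", "AAAA")}
    return [t for t in targets if t not in have_addr]

def dig(server, name, rtype):
    """Run dig against one server and return only the answer section."""
    cmd = ["dig", "@" + server, "+noall", "+answer", name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def check_notify_targets(server, zone):
    """Query the NS set, then A/AAAA for each target, on the same server."""
    targets = ns_targets(dig(server, zone, "NS"))
    answers = "".join(dig(server, t, rt) for t in targets for rt in ("A", "AAAA"))
    return unresolvable_targets(targets, answers)

# Constructed sample dig output (not captured from the thread): dns1 has no address.
SAMPLE_NS = """\
mydomain.net.\t86400\tIN\tNS\tdc1.mydomain.net.
mydomain.net.\t86400\tIN\tNS\tdc2.mydomain.net.
mydomain.net.\t86400\tIN\tNS\tdns1.mydomain.net.
"""
SAMPLE_ADDR = """\
dc1.mydomain.net.\t1200\tIN\tA\t10.21.0.11
dc2.mydomain.net.\t1200\tIN\tA\t10.21.0.12
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <IPA server> <zone>
        missing = check_notify_targets(sys.argv[1], sys.argv[2])
    else:  # offline demo on the constructed sample
        missing = unresolvable_targets(ns_targets(SAMPLE_NS), SAMPLE_ADDR)
    for name in missing:
        print("NS target without A/AAAA, NOTIFY will be silently skipped:", name)
```

Run it with the IPA server and zone as arguments, then confirm with tcpdump and `rndc notify` as described above that the remaining targets actually receive the NOTIFY.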
