[Freeipa-users] DNS reverse zone is not managed by this server

Maciej Drobniuch md at collective-sense.com
Tue Dec 27 11:07:55 UTC 2016 

Hi Martin!

Thank you for your time!

On Thu, Dec 22, 2016 at 1:41 PM, Martin Basti <mbasti at redhat.com> wrote:

>
>
> On 22.12.2016 10:57, Maciej Drobniuch wrote:
>
> Hi Martin
>
> Appreciate your help!
>
> On Thu, Dec 22, 2016 at 10:48 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>>
>>
>> On 22.12.2016 09:37, Maciej Drobniuch wrote:
>>
>> Hi Martin
>>
>> Thank you for reply.
>>
>> 1. The dig is returning proper PTR record. I've added it manually to the
>> zone and it's working.
>>
>>
>> I was asking for SOA and zone name, IMO there is nothing secret about
>> reverse zone name from private address space
>>
>> what returns this command on server?
>> python -c 'import netaddr; from dns import resolver; ip =
>> netaddr.IPAddress("10.0.0.165"); revn = ip.reverse_dns; print revn;
>> print resolver.zone_for_name(revn)'
>>
>>
>> # python -c 'import netaddr; from dns import resolver; ip =
> netaddr.IPAddress("10.0.0.165"); revn = ip.reverse_dns; print revn; print
> resolver.zone_for_name(revn)'
> 165.0.0.10.in-addr.arpa.
> in-addr.arpa.
>
>
> It looks that python-dns failed to find proper zone, what is supposed to
> be authoritative zone for that record in your system?
> How do your reverse zones look?
>
I have the reverse zone added.
0.0.10.in-addr.arpa.

Do you know maybe how python/ipa is determining what's the dns server for
the internal zone?
As far I understood this is not a "access rights issue". It's a DNS PTR
resolution problem with python(ipa's using python) ?


>
>
>
> 2. The problem exists while adding host entries or A records with "create
>> reverse" option.
>>
>> That's why I asked to run dig, the code uses DNS system to determine zone.
>>
>> 3. If I'll bind a host with ipa-client-install the PTR record gets
>> created in the reverse zone and it works
>>
>> Ok
>>
> Manually creating the PTR record works fine as well.
>
>>
>>
>> 4. The resolv.conf file has only the IPA server IP addres/localhost added.
>>
>>
>> Have you changed it recently?
>>
> Yes, it pointed to outside 8.8.8.8, so the OS did not see the local
> reverse zone.
> Now it's pointing to localhost. And I get dig the PTRs. (I've manually
> created the ptr)
>
> # dig -x 10.0.0.165
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> -x 10.0.0.165
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35592
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; E: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;165.0.0.10.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 165.0.0.10.in-addr.arpa. 1200 IN PTR prdfrmprb01.cs.int.
>
> ;; AUTHORITY SECTION:
> 1.0.10.in-addr.arpa. 86400 IN NS freeipa1.cs.int.
>
>
> This authority section looks suspicious, I would expect something like
> 0.0.10.in-addr.arpa.
>
> Back to question about your reverse zones.
>
I've intentionally hid our internal ip space, sorry, good catch my finger
has slipped :).

>
>
> ;; ADDITIONAL SECTION:
> freeipa1.cs.int. 1200 IN A 10.0.0.200
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: czw gru 22 04:51:23 EST 2016
> ;; MSG SIZE  rcvd: 124
>
>>
>>
>> Martin
>>
>>
>>
>> Cheers!
>> M.
>>
>> On Wed, Dec 21, 2016 at 5:43 PM, Martin Basti <mbasti at redhat.com> wrote:
>>
>>> Hello all :)
>>>
>>> On 20.12.2016 01:33, Maciej Drobniuch wrote:
>>>
>>> Hi All!
>>>
>>> I get the following message while adding a new hostname.
>>>
>>> "The host was added but the DNS update failed with: DNS reverse zone
>>> in-addr.arpa. for IP address 10.0.0.165 is not managed by this server"
>>>
>>>
>>> IPA failed to get correct reverse zone, can you try dig -x 10.0.0.165
>>> what will be in SOA answer?
>>>
>>> What is the name of reverse zone you have on IPA DNS server?
>>>
>>>
>>> Martin
>>>
>>>
>>> The reverse zone is configured and working.
>>> When I am manually adding the PTR record to the reverse zone - all OK
>>>
>>> While adding a new host,  the A record is being created but the PTR
>>> fails with the message above.
>>>
>>> Reinstalling centos+IPA worked once but I had to reinstall again because
>>> of problems with kerberos(probably dependencies).
>>>
>>> Not sure what is the root cause of the issue.
>>>
>>> VERSION: 4.4.0, API_VERSION: 2.213
>>>
>>> CENTOS7 Linux freeipa1 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42
>>> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> Any help appreciated!
>>> --
>>> Best regards
>>>
>>> Maciej Drobniuch
>>> Network Security Engineer
>>> Collective-sense LLC
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Best regards
>>
>> Maciej Drobniuch
>> Network Security Engineer
>> Collective-sense LLC
>>
>>
>>
>
>
> --
> Best regards
>
> Maciej Drobniuch
> Network Security Engineer
> 2410 Camino Ramon, Suite 129
> San Ramon, CA 94583
>
>
>
Happy new year!

-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161227/e7f427dc/attachment.htm>

More information about the Freeipa-users mailing list