[Freeipa-users] DNS Dynamic Update Failing

Joshua Ruybal jb.ruybal at gmail.com
Wed Feb 3 00:47:02 UTC 2016 

Hi All,

I've run into a frustrating issue regarding DNS Dynamic Updating.

In a nutshell:

If I enroll a new client when the forward policy on a dns zone is set to
"disabled" I don't have a problem enrolling the client and updating the dns
record.

However if the policy of the zone is set to "only" or "first", nsupdate
fails during the client install. Install logs says nsupdate: Specified Zone
'example.com' does not exist (NXDOMAIN).

I'm seeing this in multiple zones, and all I need to change to fix it is to
change the forwarding policy. However it's problematic as we start the
rollout, since we will need to rely on external dns until we have all
servers enrolled.


Client Install Log Snippet:

  2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt
  2016-02-02T22:53:17Z DEBUG stdout=
  2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does
not exist (NXDOMAIN)
  specified zone 'dev.example.net' does not exist (NXDOMAIN)

Zone Configuration:

  [admin at ipa01 ~]$ ipa dnszone-show --all
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
    Zone name: dev.example.net
    Authoritative nameserver: ipa01
    Administrator e-mail address: hostmaster.dev.example.net.
    SOA serial: 1454447236
    SOA refresh: 3600
    SOA retry: 900
    SOA expire: 1209600
    SOA minimum: 3600
    BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
    Active zone: TRUE
    Dynamic update: TRUE
    Allow query: any;
    Allow transfer: none;
    Zone forwarders: 8.8.8.8
    Forward policy: only
    nsrecord: ipa01, ipa02
    objectclass: top, idnsrecord, idnszone

Any ideas on how to remedy this? I'd like to avoid updating records by hand
if it can be avoided.

Thanks!
Josh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160203/610ad62d/attachment.htm>

More information about the Freeipa-users mailing list