[Freeipa-users] DNS Dynamic Update Failing

Martin Basti mbasti at redhat.com
Wed Feb 3 08:45:02 UTC 2016



On 03.02.2016 01:47, Joshua Ruybal wrote:
> Hi All,
>
> I've run into a frustrating issue regarding DNS Dynamic Updating.
>
> In a nutshell:
>
> If I enroll a new client when the forward policy on a dns zone is set 
> to "disabled" I don't have a problem enrolling the client and updating 
> the dns record.
>
> However if the policy of the zone is set to "only" or "first", 
> nsupdate fails during the client install. Install logs says nsupdate: 
> Specified Zone 'example.com' does not exist 
> (NXDOMAIN).
>
> I'm seeing this in multiple zones, and all I need to change to fix it 
> is to change the forwarding policy. However it's problematic as we 
> start the rollout, since we will need to rely on external dns until we 
> have all servers enrolled.
>
>
> Client Install Log Snippet:
>
>   2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g 
> /etc/ipa/.dns_update.txt
>   2016-02-02T22:53:17Z DEBUG stdout=
>   2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
>   specified zone 'dev.example.net' does not exist (NXDOMAIN)
>
> Zone Configuration:
>
>   [admin at ipa01 ~]$ ipa dnszone-show --all
>   Zone name: dev.example.net
>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>     Zone name: dev.example.net
>     Authoritative nameserver: ipa01
>     Administrator e-mail address: hostmaster.dev.example.net.
>     SOA serial: 1454447236
>     SOA refresh: 3600
>     SOA retry: 900
>     SOA expire: 1209600
>     SOA minimum: 3600
>     BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
>     Active zone: TRUE
>     Dynamic update: TRUE
>     Allow query: any;
>     Allow transfer: none;
>     Zone forwarders: 8.8.8.8
>     Forward policy: only
>     nsrecord: ipa01, ipa02
>     objectclass: top, idnsrecord, idnszone
>
> Any ideas on how to remedy this? I'd like to avoid updating records by 
> hand if it can be avoided.
>
> Thanks!
> Josh
>
>
Hello,

Which version of FreeIPA do you use?

If the version is older than 4.1, then specifying a forward policy and 
forwarders causes the zone to work as a forward zone; thus you cannot add a host 
there, because all queries are forwarded to the specified forwarders 
(8.8.8.8), which do not know the zone dev.example.com.

If the version is 4.1+, then nsupdate should work and it may be a bug. However, 
I'm curious why you need forwarding in a master zone; what is the use case?

More details about forwardzones in IPA: 
http://www.freeipa.org/page/V4/Forward_zones

IMO you need to specify a global forwarder to your external DNS server, 
instead of adding per-zone forwarders.

Martin
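
The following is an added example, not code from this thread or from FreeIPA. It is a pre-rollout check for the combination discussed above: a master zone that carries a per-zone forwarder with forward policy "only" or "first" while dynamic update is enabled. It parses the "Key: value" blocks printed by `ipa dnszone-find --all` (the sample input below is constructed from the zone shown in the thread, not captured from a real server) and prints the commands that move forwarding to the global configuration. The `--forward-policy` and `--forwarder` options are assumed to be the FreeIPA 4.x CLI syntax; check `ipa dnszone-mod --help` and `ipa dnsconfig-mod --help` on your version before running them.

```python
"""Flag IPA master zones whose per-zone forwarding would break nsupdate.

Added example; not part of the original thread or of FreeIPA itself.
"""
from typing import Dict, List

# Constructed sample modelled on the zone in the thread, plus a second zone
# with no per-zone forwarding for contrast. Not captured from a real server.
SAMPLE_ZONES = """\
2 DNS zones matched
-------------------
  Zone name: dev.example.net
  Authoritative nameserver: ipa01
  Administrator e-mail address: hostmaster.dev.example.net.
  Active zone: TRUE
  Dynamic update: TRUE
  Zone forwarders: 8.8.8.8
  Forward policy: only

  Zone name: example.net
  Authoritative nameserver: ipa01
  Active zone: TRUE
  Dynamic update: TRUE
  Forward policy: none
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_zone_blocks(text: str) -> List[Dict[str, str]]:
    """Split `ipa dnszone-find --all` output into one dict per zone.

    Zone blocks are separated by blank lines; lines without a colon (the
    match count and dashed separators) are ignored. Only the first colon
    splits key from value, so IPv6 forwarders keep their colons.
    """
    zones: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if "Zone name" in current:
                zones.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if "Zone name" in current:
        zones.append(current)
    return zones


def forwarding_breaks_nsupdate(zone: Dict[str, str]) -> bool:
    """True when this master zone forwards its own lookups away.

    Per the reply in the thread, on FreeIPA older than 4.1 a master zone
    with forwarders and policy 'only'/'first' behaves as a forward zone:
    the SOA lookup nsupdate performs for the zone goes to the forwarder,
    which does not know the private zone and answers NXDOMAIN.
    """
    policy = zone.get("Forward policy", "none").strip().lower()
    has_forwarders = bool(zone.get("Zone forwarders", "").strip())
    dynamic = zone.get("Dynamic update", "FALSE").strip().upper() == "TRUE"
    return dynamic and has_forwarders and policy in ("only", "first")


def remediation(zone: Dict[str, str]) -> List[str]:
    """Commands that move forwarding from the zone to the global config.

    Assumes the FreeIPA 4.x options --forward-policy (dnszone-mod) and
    --forwarder (dnsconfig-mod); verify them on your version first.
    """
    name = zone["Zone name"]
    forwarders = [f.strip() for f in zone.get("Zone forwarders", "").split(",") if f.strip()]
    cmds = [f"ipa dnszone-mod {name} --forward-policy=none"]
    cmds.extend(f"ipa dnsconfig-mod --forwarder={fwd}" for fwd in forwarders)
    return cmds


def find_broken_zones(text: str) -> List[str]:
    """Names of zones in the given CLI output that would break nsupdate."""
    return [z["Zone name"] for z in parse_zone_blocks(text) if forwarding_breaks_nsupdate(z)]


if __name__ == "__main__":
    for zone in parse_zone_blocks(SAMPLE_ZONES):
        if forwarding_breaks_nsupdate(zone):
            print(f"{zone['Zone name']}: per-zone forwarding will break nsupdate")
            for cmd in remediation(zone):
                print("   ", cmd)
        else:
            print(f"{zone['Zone name']}: ok")
```

To run it against a real server, feed the output of `ipa dnszone-find --all` to `parse_zone_blocks` instead of the constructed sample; zones that the check reports are the ones where client enrollment would hit the NXDOMAIN error before the global forwarder is in place.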