[Freeipa-users] DNS Dynamic Update Failing
Joshua Ruybal
jb.ruybal at gmail.com
Wed Feb 3 22:18:34 UTC 2016
Thanks for the reply. It makes a bit more sense now.
I'm running FreeIPA 3.0.0 on CentOS 6.7
I followed your advice and was able to use dynamic update once I removed
the zone forwarder. However, I've set the global config to "forward only",
but I'm still getting local resolution when I use dig from a client server.
I'd expect to see the external records instead.
I'm not seeing much in documentation how to troubleshoot this.
Also, I realize we're falling into the realm of a different subject and can
start a fresh email chain if needed.
Thanks again,
Josh
On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <mbasti at redhat.com> wrote:
>
>
> On 03.02.2016 01:47, Joshua Ruybal wrote:
>
> Hi All,
>
> I've run into a frustrating issue regarding DNS Dynamic Updating.
>
> In a nutshell:
>
> If I enroll a new client when the forward policy on a dns zone is set to
> "disabled" I don't have a problem enrolling the client and updating the dns
> record.
>
> However, if the policy of the zone is set to "only" or "first", nsupdate
> fails during the client install. The install log says: nsupdate: Specified Zone
> 'example.com' does not exist (NXDOMAIN).
>
> I'm seeing this in multiple zones, and all I need to change to fix it is
> the forwarding policy. However, it's problematic as we start the
> rollout, since we will need to rely on external DNS until we have all
> servers enrolled.
>
>
> Client Install Log Snippet:
>
> 2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt
> 2016-02-02T22:53:17Z DEBUG stdout=
> 2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does
> not exist (NXDOMAIN)
> specified zone 'dev.example.net' does not exist (NXDOMAIN)
>
> Zone Configuration:
>
> [admin at ipa01 ~]$ ipa dnszone-show --all
> Zone name: dev.example.net
> dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
> Zone name: dev.example.net
> Authoritative nameserver: ipa01
> Administrator e-mail address: hostmaster.dev.example.net.
> SOA serial: 1454447236
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
> krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
> Active zone: TRUE
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> Zone forwarders: 8.8.8.8
> Forward policy: only
> nsrecord: ipa01, ipa02
> objectclass: top, idnsrecord, idnszone
>
> Any ideas on how to remedy this? I'd like to avoid updating records by
> hand if it can be avoided.
>
> Thanks!
> Josh
>
>
> Hello,
>
> which version of freeIPA do you use?
>
> If the version is older than 4.1, then specifying a forward policy and
> forwarders causes the zone to work as a forward zone; thus you cannot add hosts
> there, because all queries are forwarded to the specified forwarders (8.8.8.8),
> which do not know the zone dev.example.com
>
> If the version is 4.1+, then nsupdate should work and it can be a bug. However,
> I'm curious why you need forwarding in a master zone; what is the use case?
>
> More details about forwardzones in IPA:
> http://www.freeipa.org/page/V4/Forward_zones
>
> IMO you need to specify a global forwarder to your external DNS server, instead
> of adding per-zone forwarders.
>
>
> Martin
>
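The check Martin describes (per-zone forwarders with policy "only" or "first" turning a master zone into a forward zone, so that the client's nsupdate gets NXDOMAIN) is easy to automate against `ipa dnszone-show --all` output before a rollout. The script below is an added example written for this thread, not code from the thread or from FreeIPA. It parses the plain-text key/value format that `ipa dnszone-show` prints (the sample output is constructed here, modelled on the zone Josh posted plus a second, clean zone) and reports every zone that has the problematic combination while dynamic update is enabled.

```python
"""Audit `ipa dnszone-show --all` output for per-zone forwarders.

Added example, not from the thread or from FreeIPA. It flags master zones
that combine zone forwarders with forward policy "only" or "first" while
dynamic update is enabled: on FreeIPA older than 4.1 such a zone behaves as
a forward zone, so the client's GSS-TSIG nsupdate is answered NXDOMAIN.
"""
from __future__ import annotations

import re
from typing import Dict, List

# Constructed sample in the format `ipa dnszone-show --all` prints. The first
# zone mirrors the one posted in the thread (including the repeated
# "Zone name" line that --all emits); the second has no per-zone forwarders.
SAMPLE_OUTPUT = """\
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
  Zone name: dev.example.net
  Authoritative nameserver: ipa01
  Administrator e-mail address: hostmaster.dev.example.net.
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8
  Forward policy: only
  nsrecord: ipa01, ipa02

  Zone name: corp.example.net
  dn: idnsname=corp.example.net,cn=dns,dc=example,dc=com
  Zone name: corp.example.net
  Authoritative nameserver: ipa01
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa01, ipa02
"""

# "  Key: value" lines; the key runs up to the first colon.
_KV = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")


def parse_dnszone_show(text: str) -> List[Dict[str, str]]:
    """Split `ipa dnszone-show --all` output into one dict per zone."""
    zones: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue  # blank line or non key/value text
        key, value = m.group(1), m.group(2)
        if key == "Zone name":
            # --all repeats "Zone name" after the dn line; only start a new
            # record when the zone name actually changes.
            if current.get("Zone name") != value:
                current = {}
                zones.append(current)
        current[key] = value
    return zones


def forwarding_findings(zone: Dict[str, str]) -> List[str]:
    """Return the problems with one zone's forwarding setup (empty if none)."""
    findings: List[str] = []
    name = zone.get("Zone name", "?")
    policy = zone.get("Forward policy", "").strip().lower()
    forwarders = [f for f in re.split(r"[,\s]+", zone.get("Zone forwarders", "")) if f]
    dynamic = zone.get("Dynamic update", "").strip().upper() == "TRUE"

    if forwarders and policy in ("only", "first"):
        findings.append(
            f"{name}: zone forwarders {forwarders} with forward policy '{policy}'; "
            "on FreeIPA < 4.1 the zone is served as a forward zone"
        )
        if dynamic:
            findings.append(
                f"{name}: dynamic update is enabled but nsupdate will get NXDOMAIN "
                "from the forwarders; drop the per-zone forwarders and set a "
                "global forwarder (ipa dnsconfig-mod) instead"
            )
    return findings


def audit(text: str) -> List[str]:
    """Parse the output and collect findings for every zone."""
    return [f for zone in parse_dnszone_show(text) for f in forwarding_findings(zone)]


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with the real output of `ipa dnszone-show --all`.
    for finding in audit(SAMPLE_OUTPUT) or ["no per-zone forwarder problems found"]:
        print(finding)
```

Pipe the real command into it (`ipa dnszone-show --all | python3 audit.py` with `sys.stdin.read()` substituted for `SAMPLE_OUTPUT`) and every zone it lists should have its forwarders moved to the global config, which is exactly the change that made dynamic update work for Josh.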