[Freeipa-users] steps to debug SOA serial being out of sync?

Anthony Clark anthonyclarka2 at gmail.com
Mon Jul 11 13:40:50 UTC 2016


Thanks for the answer,

I just wanted to confirm:  Various "DNS health checks" complain about SOA
serials not being the same.  Are those safe to ignore?

I have 2 FreeIPA servers for basic redundancy.  Should I not be pointing my
hosts at both FreeIPA hosts for DNS?

Thanks,

Anthony

On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek <pspacek at redhat.com> wrote:

> On 8.7.2016 19:13, Anthony Clark wrote:
> > Hello All,
> >
> > I have two FreeIPA servers set up as follows:
> >
> > ns01:  ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
> > --ssh-trust-dns --forwarder=1.2.3.4
> >
> > ns02:  ipa-replica-install
> > /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
> > --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
> >
> >
> > Now, after being in use for a few months, my SOA serial numbers are
> > different as reported by the two servers:
> >
> > ns01 reports 1467996578
> > ns02 reports 1467996455
> >
> > [root at ns02 ~]# ipa dnszone-show dev.redacted.net
> > ...
> >   SOA serial: 1467996455
> > ...
> >
> > Same result on ns01, 1467996455
> >
> > ipa-replica-conncheck is fine.
> >
> > After an "ipactl restart" on ns02 (thinking that I needed to refresh the
> > ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
> > that of ns01:
> >
> > ns01: 1467996578
> > ns02:  1467997519
> >
> > Another "ipactl restart" on ns02 results in:
> >
> > ns01:  1467996578
> > ns02:  1467997595
> >
> > running "ipactl restart" on ns01 results in:
> >
> > ns01:  1467997873
> > ns02:  1467997595
> >
> > ns02 doesn't seem to be getting its serial number from ns01 at all.
> >
> > Did I set up ns02 incorrectly?  Should I have skipped the "--setup-dns" on
> > the replica?
> >
> > Does anyone have any suggestions on how to debug this further?
>
> Hello,
>
> this is in fact expected. IPA has multi-master DNS so serials are not
> synced.
>
> This is documented in
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers
>
> I hope it helps.
>
> --
> Petr^2 Spacek
>
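The thread's point is that on FreeIPA's multi-master DNS each server keeps its own SOA serial, so a health check that compares serials will always complain even when both masters serve identical data. The following script is an added example (not code from the thread or from FreeIPA) of a check that reports serial drift only as informational and fails only when the masters disagree on record content. It assumes `dig` is installed for live queries; the embedded sample answers are constructed, reusing the serial numbers and zone name from the original post.

```python
#!/usr/bin/env python3
"""Compare what several DNS masters serve for one zone.

With multi-master DNS (FreeIPA/bind-dyndb-ldap) every server maintains
its own SOA serial, so differing serials are expected. What must agree is
the record data, so this check treats serial drift as INFO and only a
content mismatch between servers as ERROR.
"""
import subprocess
from typing import Dict, FrozenSet, List, Tuple

Record = Tuple[str, str, str]          # (owner name, type, rdata)
ZoneView = Tuple[int, FrozenSet[Record]]  # (SOA serial, records one server answered)


def parse_dig_answer(text: str) -> FrozenSet[Record]:
    """Parse `dig +noall +answer` lines into (name, type, rdata) tuples.
    The TTL column is deliberately ignored: it need not agree across masters."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, _ttl, _cls, rtype, *rdata = parts
        records.add((name.lower(), rtype, " ".join(rdata)))
    return frozenset(records)


def parse_soa_serial(text: str) -> int:
    """Extract the serial (third field) from a `dig +short <zone> SOA` answer,
    e.g. 'ns01.zone. hostmaster.zone. 1467996578 3600 900 1209600 3600'."""
    return int(text.split()[2])


def compare_views(views: Dict[str, ZoneView]) -> Dict[str, List[str]]:
    """Return {'info': [...], 'error': [...]} for the views gathered from each server."""
    report: Dict[str, List[str]] = {"info": [], "error": []}
    serials = {server: view[0] for server, view in views.items()}
    if len(set(serials.values())) > 1:
        detail = ", ".join(f"{s}={n}" for s, n in sorted(serials.items()))
        report["info"].append(
            f"SOA serials differ (expected with multi-master DNS): {detail}")
    # Any record that at least one master serves must be served by all of them.
    union = frozenset().union(*(view[1] for view in views.values()))
    for server, (_serial, records) in sorted(views.items()):
        for name, rtype, rdata in sorted(union - records):
            report["error"].append(f"{server} lacks {name} {rtype} {rdata}")
    return report


def query_server(server: str, zone: str, names: List[Tuple[str, str]]) -> ZoneView:
    """Build a ZoneView from a live server using dig (assumed to be installed)."""
    def dig(*args: str) -> str:
        return subprocess.run(["dig", "@" + server, *args],
                              capture_output=True, text=True, check=True).stdout
    soa = dig("+short", zone, "SOA")
    answers = "".join(dig("+noall", "+answer", name, rtype) for name, rtype in names)
    return (parse_soa_serial(soa), parse_dig_answer(answers))


# Constructed sample answers standing in for two masters; serials taken from the post.
SAMPLE_SOA = {
    "ns01": "ns01.dev.redacted.net. hostmaster.dev.redacted.net. 1467996578 3600 900 1209600 3600",
    "ns02": "ns01.dev.redacted.net. hostmaster.dev.redacted.net. 1467996455 3600 900 1209600 3600",
}
SAMPLE_ANSWERS = {
    "ns01": "host1.dev.redacted.net. 1200 IN A 192.0.2.10\n"
            "host2.dev.redacted.net. 1200 IN A 192.0.2.11\n",
    "ns02": "host1.dev.redacted.net. 86400 IN A 192.0.2.10\n"
            "host2.dev.redacted.net. 1200 IN A 192.0.2.11\n",
}


def sample_report() -> Dict[str, List[str]]:
    """Run the comparison over the constructed sample: serials differ, data agrees."""
    views = {s: (parse_soa_serial(SAMPLE_SOA[s]), parse_dig_answer(SAMPLE_ANSWERS[s]))
             for s in SAMPLE_SOA}
    return compare_views(views)


if __name__ == "__main__":
    # For a live check replace sample_report() with compare_views({
    #     "ns01": query_server("ns01", "dev.redacted.net", [("host1.dev.redacted.net", "A")]),
    #     "ns02": query_server("ns02", "dev.redacted.net", [("host1.dev.redacted.net", "A")]),
    # })
    result = sample_report()
    for level in ("info", "error"):
        for message in result[level]:
            print(level.upper(), message)
    raise SystemExit(1 if result["error"] else 0)
```

Pointing clients at both masters is fine under this model: the exit status is non-zero only when one master is missing a record the other serves, which is the replication problem worth alerting on; differing serials alone are the normal state Petr describes.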