[Freeipa-users] dynamic dns working for forward zone but not reverse zone
Brian J. Murrell
brian at interlinx.bc.ca
Fri May 27 13:27:00 UTC 2016
I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates
working for a forward zone but they are failing (NOTAUTH) for a reverse
zone. Here are configuration of the two zones:
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
Zone name: example.com.
Active zone: TRUE
Authoritative nameserver: server.example.com.
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1464354354
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant linux_home_nsupdate wildcard * ANY;
Dynamic update: TRUE
Allow query: any;
Allow transfer: 10.75.22.1;
mxrecord: 200 linux
nsrecord: server.example.com.
objectclass: idnszone, top, idnsrecord
txtrecord: "v=spf1 a:server.klug.on.ca"
dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Zone name: 0.8.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: server.example.com.
Administrator e-mail address: hostmaster
SOA serial: 1464354356
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. PTR; grant linux_home_nsupdate wildcard * ANY;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
nsrecord: server.example.com.
objectclass: idnszone, top, idnsrecord
Here are example updates to the two zones:
# nsupdate -y linux_home_nsupdate:<key> -d /tmp/fwdupdate
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; UPDATE SECTION:
chost.example.com. 0 ANY A
chost.example.com. 60 IN A 10.8.0.2
;; TSIG PSEUDOSECTION:
linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; TSIG PSEUDOSECTION:
linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0
# nsupdate -y linux_home_nsupdate:<key> -d /tmp/revupdate
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 26720
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa. IN SOA
;; UPDATE SECTION:
2.0.10.8.in-addr.arpa. 0 ANY PTR
2.0.10.8.in-addr.arpa. 60 IN PTR chost.example.com.
;; TSIG PSEUDOSECTION:
linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 26720
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa. IN SOA
;; TSIG PSEUDOSECTION:
linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0
When the first update is done the following is logged by named-pkcs11:
client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': deleting rrset at 'chost.example.com' A
client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': adding an RR at 'chost.example.com' A
Nothing is logged for the second update attempt.
Any ideas why one is working and the other is not?
Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160527/e0e60961/attachment.sig>
More information about the Freeipa-users
mailing list