[Freeipa-users] dynamic dns working for forward zone but not reverse zone

Fri May 27 13:27:00 UTC 2016

I have a FreeIPA 4.2.0 on CentOS 7.2.  I have dynamic DNS updates
working for a forward zone but they are failing (NOTAUTH) for a reverse
zone.  Here are configuration of the two zones:

  dn: idnsname=example.com.,cn=dns,dc=example,dc=com
  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: server.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1464354354
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant linux_home_nsupdate wildcard * ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: 10.75.22.1;
  mxrecord: 200 linux
  nsrecord: server.example.com.
  objectclass: idnszone, top, idnsrecord
  txtrecord: "v=spf1 a:server.klug.on.ca"

  dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
  Zone name: 0.8.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: server.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1464354356
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. PTR; grant linux_home_nsupdate wildcard * ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: server.example.com.
  objectclass: idnszone, top, idnsrecord

Here are example updates to the two zones:

# nsupdate -y linux_home_nsupdate:<key> -d /tmp/fwdupdate 
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.		IN	SOA

;; UPDATE SECTION:
chost.example.com. 0	ANY	A	
chost.example.com. 60	IN	A	10.8.0.2

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0 

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.		IN	SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0 

# nsupdate -y linux_home_nsupdate:<key> -d /tmp/revupdate 
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26720
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.		IN	SOA

;; UPDATE SECTION:
2.0.10.8.in-addr.arpa.	0	ANY	PTR	
2.0.10.8.in-addr.arpa.	60	IN	PTR	chost.example.com.

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0 

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  26720
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.		IN	SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0 

When the first update is done the following is logged by named-pkcs11:

client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': deleting rrset at 'chost.example.com' A
client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': adding an RR at 'chost.example.com' A

Nothing is logged for the second update attempt.

Any ideas why one is working and the other is not?

Cheers,
b.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160527/e0e60961/attachment.sig>