[Freeipa-users] dynamic dns working for forward zone but not reverse zone
Petr Spacek
pspacek at redhat.com
Mon May 30 11:43:07 UTC 2016
On 27.5.2016 15:27, Brian J. Murrell wrote:
> I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates
> working for a forward zone but they are failing (NOTAUTH) for a reverse
> zone. Here are configuration of the two zones:
>
> dn: idnsname=example.com.,cn=dns,dc=example,dc=com
> Zone name: example.com.
> Active zone: TRUE
> Authoritative nameserver: server.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 1464354354
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant linux_home_nsupdate wildcard * ANY;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: 10.75.22.1;
> mxrecord: 200 linux
> nsrecord: server.example.com.
> objectclass: idnszone, top, idnsrecord
> txtrecord: "v=spf1 a:server.klug.on.ca"
>
>
> dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> Zone name: 0.8.10.in-addr.arpa.
> Active zone: TRUE
> Authoritative nameserver: server.example.com.
> Administrator e-mail address: hostmaster
> SOA serial: 1464354356
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. PTR; grant linux_home_nsupdate wildcard * ANY;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: server.example.com.
> objectclass: idnszone, top, idnsrecord
>
> Here are example updates to the two zones:
>
> # nsupdate -y linux_home_nsupdate:<key> -d /tmp/fwdupdate
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com. IN SOA
>
> ;; UPDATE SECTION:
> chost.example.com. 0 ANY A
> chost.example.com. 60 IN A 10.8.0.2
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0
>
>
> # nsupdate -y linux_home_nsupdate:<key> -d /tmp/revupdate
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 26720
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa. IN SOA
>
> ;; UPDATE SECTION:
> 2.0.10.8.in-addr.arpa. 0 ANY PTR
> 2.0.10.8.in-addr.arpa. 60 IN PTR chost.example.com.
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 26720
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0
>
> When the first update is done the following is logged by named-pkcs11:
>
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': deleting rrset at 'chost.example.com' A
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': adding an RR at 'chost.example.com' A
>
> Nothing is logged for the second update attempt.
>
> Any ideas why one is working and the other is not?
This is really weird.
Can you query the SOA record from the reverse zone, please?
$ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA
--
Petr^2 Spacek
More information about the Freeipa-users
mailing list
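Added example, not code from the thread or from FreeIPA or BIND: a small Python helper that derives reverse-zone apex names from a CIDR prefix, builds the PTR owner name for an address, and mimics the zone-section checks a dynamic-update server performs before it ever looks at the update policy. The zone set below is constructed to mirror the two zones in Brian's listing. Worth noticing from the trace above: the configured reverse zone is `0.8.10.in-addr.arpa.` (10.8.0.0/24) while the failing update's zone section names `0.10.8.in-addr.arpa.`; in RFC 2136 terms, a server that is not authoritative for the zone named in the zone section answers NOTAUTH without logging anything about the update, and a server that is authoritative but receives an owner name outside that zone answers NOTZONE. The `nsupdate_ptr_script` function generates an nsupdate input file from the network and address so the zone name and the owner name cannot drift apart; it also handles nibble-aligned IPv6 prefixes, which the thread does not cover.

```python
import ipaddress
from typing import Iterable

# Constructed to match the zones shown in the posted FreeIPA listing.
CONFIGURED_ZONES = {"example.com.", "0.8.10.in-addr.arpa."}


def reverse_zone_name(network: str) -> str:
    """Reverse zone apex (in-addr.arpa / ip6.arpa) for an octet- or nibble-aligned prefix.

    "10.8.0.0/24" -> "0.8.10.in-addr.arpa.", "2001:db8::/32" -> "8.b.d.0.1.0.0.2.ip6.arpa."
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones must be octet-aligned (/8, /16, /24)")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones must be nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner_name(address: str) -> str:
    """Fully qualified PTR owner name for an address, e.g. 10.8.0.2 -> 2.0.8.10.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def is_within_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a descendant of it (both fully qualified)."""
    return name == zone or name.endswith("." + zone)


def check_update(zone_section: str, owner: str, configured_zones: Iterable[str]) -> str:
    """Outcome of the RFC 2136 zone checks that run before any update-policy evaluation.

    NOTAUTH: the server is not authoritative for the zone named in the zone section.
    NOTZONE: the zone exists, but the RR owner name lies outside it.
    NOERROR: both checks pass; update-policy (grant ...) is evaluated next.
    """
    if zone_section not in set(configured_zones):
        return "NOTAUTH"
    if not is_within_zone(owner, zone_section):
        return "NOTZONE"
    return "NOERROR"


def nsupdate_ptr_script(network: str, address: str, hostname: str, ttl: int = 60) -> str:
    """nsupdate input that replaces the PTR for address inside the reverse zone of network.

    Deriving both names from the same address keeps the zone section and the
    owner name consistent, which is the mismatch that yields NOTAUTH/NOTZONE.
    """
    if ipaddress.ip_address(address) not in ipaddress.ip_network(network, strict=True):
        raise ValueError(f"{address} is not inside {network}")
    zone = reverse_zone_name(network)
    owner = ptr_owner_name(address)
    return "\n".join(
        [
            f"zone {zone}",
            f"update delete {owner} PTR",
            f"update add {owner} {ttl} IN PTR {hostname}",
            "send",
            "",
        ]
    )


if __name__ == "__main__":
    # The two zone-section names seen in the thread, checked against the posted zone set.
    for zone, owner in [
        ("0.10.8.in-addr.arpa.", "2.0.10.8.in-addr.arpa."),
        ("0.8.10.in-addr.arpa.", "2.0.8.10.in-addr.arpa."),
    ]:
        print(f"{zone:25s} {owner:27s} -> {check_update(zone, owner, CONFIGURED_ZONES)}")
    print(nsupdate_ptr_script("10.8.0.0/24", "10.8.0.2", "chost.example.com."))
```

Feed the generated text to `nsupdate -y linux_home_nsupdate:<key> -d <file>` exactly as in the thread; the `zone` line sets the zone section, so if it names a zone the server does not serve, the reply is NOTAUTH before any TSIG key or `grant` rule is consulted.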