[Freeipa-users] bind-dyndb-ldap, AXFR and DS records

Tomas Krizek tkrizek at redhat.com
Thu Feb 9 09:26:21 UTC 2017


On 02/08/2017 11:59 PM, Ben Roberts wrote:
> Hi all,
>
> This is a question more about bind-dyndb-ldap rather than freeipa, but
> I understand it's written/maintained by the freeipa project and so
> this might be the most appropriate place to ask. I have setup
> bind-dyndb-ldap to read some zones from openldap, with multiple
> nameservers acting as masters and one nameserver running as a slave
> via the usual notify/transfer mechanism. I'm not seeing any DS records
> transfer across to the slave nameserver, nor when I manually query the
> primaries with an AXFR request. This includes both the apex DS
> records, automatically generated by bind-dyndb-ldap, but more
> importantly the glue dSRecord objects for a delegated subdomain.
>
> I note that the dSRecord entries are present in
> /var/named/dyndb-ldap/$view/master/$zone/raw but not present in
> /var/named/dyndb-ldap/$view/master/$zone/signed.
>
> Example (domain name and ip addresses obfuscated, but all other fields
> are unmodified):
> $ dig +noall +answer DS subdomain.example.local @127.0.01
> subdomain.example.local.   600     IN      DS      38589 7 1 6C410EF5A47631FBA2C3BC295A90363EA86A1846
> subdomain.example.local.   600     IN      DS      38589 7 2 23E22A49BBF2AD0E3F4668CB4C0DB52EE60ACA4308C1DE002A47AD7B 99734334
>
> $ dig +noall +answer AXFR subdomain.example.local @127.0.0.1 | head -n 1
> subdomain.example.local.   600     IN      SOA     ns1.example.local.
> hostmaster.example.local. 2016050416 43200 3600 1209600 3600
>
> $ dig +noall +answer AXFR subdomain.example.local @127.0.0.1 | grep '\bDS\b'
> $
>
> This behaviour doesn't seem right to me. I would expect the DS records
> to be transferred to the slaves as normal so that any glue records are
> correctly present on all nameservers. I can't see any references in
> the bind-dyndb-ldap wiki/readme or code comments that would explain DS
> records being treated specially, but please do correct me if I'm wrong.
>
> Regards,
> Ben Roberts
>
>
Hi,

when I add a DS record to LDAP (without any DNSSEC configuration), it is
included in my AXFR transfer. I'm using bind-dyndb-ldap-10.1.

I suppose you have DNSSEC configured. Could you be affected by the
limitations mentioned in [1]?

[1] -
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures

-- 
Tomas Krizek
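
A check for the situation Ben describes, added here as an example and not code from the thread or from bind-dyndb-ldap: it normalises the DS records from a direct `dig DS` answer and from an AXFR of the same zone and reports any that the transfer lacks, so a secondary serving a delegation without its DS records is noticed before validators reject it. The sample outputs are constructed from the values quoted in the thread; the `ds_keys` and `missing_ds` names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: check that every DS record the primary
# answers for a delegation also appears in its AXFR output, so DS records that
# vanish from the signed zone are caught before a secondary serves without them.
# Inputs are constructed to mirror the thread; live values would come from
#   dig +noall +answer DS   subdomain.example.local @127.0.0.1
#   dig +noall +answer AXFR subdomain.example.local @127.0.0.1

# Constructed direct DS answer (dig prints long digests in space-separated chunks).
DS_ANSWER='subdomain.example.local. 600 IN DS 38589 7 1 6C410EF5A47631FBA2C3BC295A90363EA86A1846
subdomain.example.local. 600 IN DS 38589 7 2 23E22A49BBF2AD0E3F4668CB4C0DB52EE60ACA4308C1DE002A47AD7B 99734334'

# Constructed AXFR of the same zone in which the DS records are absent.
AXFR_NO_DS='subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600
subdomain.example.local. 600 IN NS ns1.example.local.
subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600'

# Constructed healthy case: the same transfer with both DS records present.
AXFR_WITH_DS="$AXFR_NO_DS
$DS_ANSWER"

# Reduce DS RRs to "owner keytag algorithm digest-type digest": lower-case the
# owner, join digest chunks, drop TTL and class so only the RDATA is compared.
ds_keys() {
    awk '$4 == "DS" {
        d = ""
        for (i = 8; i <= NF; i++) d = d $i
        print tolower($1), $5, $6, $7, toupper(d)
    }' | sort -u
}

# missing_ds DIRECT_ANSWER AXFR_OUTPUT
# Prints each DS record present in the direct answer but not in the transfer.
# Returns 0 when the transfer carries every DS record, 1 when any is missing.
missing_ds() {
    direct=$(printf '%s\n' "$1" | ds_keys)
    xfer=$(printf '%s\n' "$2" | ds_keys)
    [ -n "$direct" ] || return 0
    if [ -z "$xfer" ]; then
        printf '%s\n' "$direct"
        return 1
    fi
    # -F literal, -x whole line, -v keep lines of $direct that match nothing in $xfer
    lost=$(printf '%s\n' "$direct" | grep -vxF "$xfer" || true)
    [ -n "$lost" ] || return 0
    printf '%s\n' "$lost"
    return 1
}

missing_ds "$DS_ANSWER" "$AXFR_NO_DS" || echo "DS records above are missing from the AXFR"
```

Run against live `dig` output on each primary and secondary; a non-zero exit on any server means the delegation's DS records are not being served from that server's copy of the zone.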
