<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <br> <br> <div class="moz-cite-prefix">On 03.02.2016 01:47, Joshua Ruybal wrote:<br> </div> <blockquote cite="mid:CAAPJROb5aBYuOfKT8CTeKtiALroJfVajtGLH5QdhL5bZe_YX+g@mail.gmail.com" type="cite"> <div dir="ltr"> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"> <div>Hi All,</div> <div><br> </div> <div>I've run into a frustrating issue regarding DNS Dynamic Updating.</div> <div><br> </div> <div>In a nutshell: </div> <div><br> </div> <div>If I enroll a new client when the forward policy on a dns zone is set to "disabled" I don't have a problem enrolling the client and updating the dns record. </div> <div><br> </div> <div>However if the policy of the zone is set to "only" or "first", nsupdate fails during the client install. Install logs says nsupdate: Specified Zone '<a moz-do-not-send="true" href="http://example.com">example.com</a>' does not exist (NXDOMAIN).</div> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal">I'm seeing this in multiple zones, and all I need to change to fix it is to change the forwarding policy. However it's problematic as we start the rollout, since we will need to rely on external dns until we have all servers enrolled.</div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal">Client Install Log Snippet:</div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"> <div> 2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt</div> <div> 2016-02-02T22:53:17Z DEBUG stdout=</div> <div> 2016-02-02T22:53:17Z DEBUG stderr=specified zone '<a moz-do-not-send="true" href="http://dev.example.net">dev.example.net</a>' does not exist (NXDOMAIN)</div> <div> specified zone '<a moz-do-not-send="true" href="http://dev.example.net">dev.example.net</a>' does not exist (NXDOMAIN)</div> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal">Zone Configuration:</div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"> <div> [admin@ipa01 ~]$ ipa dnszone-show --all</div> <div> Zone name: <a moz-do-not-send="true" href="http://dev.example.net">dev.example.net</a></div> <div> dn: idnsname=<a moz-do-not-send="true" href="http://dev.example.net">dev.example.net</a>,cn=dns,dc=example,dc=com</div> <div> Zone name: <a moz-do-not-send="true" href="http://dev.example.net">dev.example.net</a></div> <div> Authoritative nameserver: ipa01</div> <div> Administrator e-mail address: <a moz-do-not-send="true" href="http://hostmaster.dev.example.net">hostmaster.dev.example.net</a>.</div> <div> SOA serial: 1454447236</div> <div> SOA refresh: 3600</div> <div> SOA retry: 900</div> <div> SOA expire: 1209600</div> <div> SOA minimum: 3600</div> <div> BIND update policy: grant <a moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a> krb5-self * A; grant <a moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a> krb5-self * AAAA; grant <a moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a> krb5-self * SSHFP;</div> <div> Active zone: TRUE</div> <div> Dynamic update: TRUE</div> <div> Allow query: any;</div> <div> Allow transfer: none;</div> <div> Zone forwarders: 8.8.8.8</div> <div> Forward policy: only</div> <div> nsrecord: ipa01, ipa02</div> <div> objectclass: top, idnsrecord, idnszone</div> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal">Any ideas on how to remedy this? I'd like to avoid updating records by hand if it can be avoided.</div> <div style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal"><br> </div> <span style="color:rgb(34,34,34);font-family:arial,sans-serif;line-height:normal">Thanks!</span><br> <div>Josh</div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> Hello,<br> <br> which version of freeIPA do you use?<br> <br> If version is older than 4.1, then specifying forward policy and forwarders cause that zone work as forwardzone thus, you cannot add host there, because all queries ale forwarded to specified forwarders (8.8.8.8) which does not know zone dev.example.com<br> <br> If version is 4.1+ then nsupdate should work and it can be bug. However I'm curious why do you need forwarding in master zone, what is the use case?<br> <br> More details about forwardzones in IPA: <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/Forward_zones">http://www.freeipa.org/page/V4/Forward_zones</a><br> <br> IMO you need specify global forwarder to your external DNS server, instead of adding per zone forwarders.<br> <br> Martin<br> </body> </html>