On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
On 28/10/2019 12:16, Alexander Bokovoy wrote:
On Mon, 28 Oct 2019, lejeczek via FreeIPA-users wrote:
On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:
hi everybody

when I install a replica and have DNS use cname records to a classless
zone I see:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [error] ValidationError: invalid 'cnamerecord': CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2
..

This happens if the replica has an existing PTR record at the time of
installation.
If I remove the PTR record for the replica from the parent reverse zone
(all managed by the same IPA) then installation proceeds, but should
masters' records in the reverse zone be resolved with/via CNAMEs in a
classless subnet? (which the howto says it should -
https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)

Or should IPA not be hosting the parent zone if it itself is in a
classless IP subnet?
It's a bit confusing to me, I confess.

many thanks, L.


Not even IPA's own devel would comment?

Is what I wrote above somewhat unclear? Should I try to rephrase it
better?

Yes, please provide more details, like examples of your DNS zone and
records. The error message already points you to the RFC and the concrete
section about the problem.

my IPA is located in a classless subnet 10.5.5.128/25.

If I setup IPA with --reverse-zone=128/25.10.5.5.in-addr.arpa then
installer creates two rev zones:

128/25.10.5.5.in-addr.arpa & 10.5.5.in-addr.arpa

Now, if prior to the subsequent masters' installation I create PTR records
and I follow:
https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation
(which will make 10.5.5.in-addr.arpa use CNAMEs) then when I install a
replica which already has PTR records I get:

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [error] ValidationError: invalid 'cnamerecord': CNAME record is not
allowed to coexist with any other record (RFC 1034, section 3.6.2
..

What confuses me when I think about it: if I remove the PTR (or rather
CNAME) record from the parent reverse zone (10.5.5.in-addr.arpa) then
installation of that subsequent master proceeds okay, and then
I think...

Should that mean that IPA should/can not be setup on/as classless subnet
the way that howto instructs?

Yes, this howto predates FreeIPA 3.2. The change was done in the
following commit that removed support for this:

commit 42c401a87795fe3a2067155460ae276ad2d3e360
Author: Martin Kosek <mko...@redhat.com>
Date:   Tue Apr 2 11:58:31 2013 +0200

    Improve CNAME record validation

    Refactor DNS RR conflict validator so that it is better extensible in
    the future. Also check that there is only one CNAME defined for
    a DNS record.

    PTR+CNAME record combination is no longer allowed as we found out it
    does not make sense to have this combination.

    https://fedorahosted.org/freeipa/ticket/3450

I can change records in the parent zone (to which IPA installers inserted
PTR records) to use CNAMEs and forward to 128/25.10.5.5.in-addr.arpa
later, and IPA seems to work okay, but... I was hoping for a
no-doubts clarification, as all that makes me a bit uncertain.

Maybe you could provide a modification to the howto?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
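As an added example (not FreeIPA's code, and not from anyone in the thread), the RFC 1034 section 3.6.2 rule from the commit quoted above, run over a constructed parent reverse zone laid out the way the classless howto describes; the host octets, the ipa1/ipa2 server names and the example.test domain are assumptions.

```python
"""Added example (not FreeIPA code): the RFC 1034 section 3.6.2 rule the
replica installer enforced above, run over a constructed classless reverse zone."""
from collections import defaultdict

PARENT_ZONE = "10.5.5.in-addr.arpa"
CLASSLESS_ZONE = "128/25.10.5.5.in-addr.arpa"

# Constructed records for the parent zone after the classless howto was
# followed: an NS delegation for 128/25 plus one CNAME per host in that range.
PARENT_RECORDS = [
    (f"128/25.{PARENT_ZONE}", "NS", "ipa1.example.test."),
    (f"130.{PARENT_ZONE}", "CNAME", f"130.{CLASSLESS_ZONE}."),
    (f"131.{PARENT_ZONE}", "CNAME", f"131.{CLASSLESS_ZONE}."),
]


def cname_conflicts(records):
    """Return {owner: sorted types} for owners that break RFC 1034 3.6.2:
    an owner with a CNAME may hold no other record, and only one CNAME."""
    by_owner = defaultdict(list)
    for owner, rtype, _rdata in records:
        by_owner[owner.lower().rstrip(".")].append(rtype.upper())
    return {owner: sorted(set(types)) for owner, types in by_owner.items()
            if "CNAME" in types and len(types) > 1}


def check_add(records, owner, rtype, rdata):
    """Mimic the pre-add validation the installer ran: refuse a record whose
    owner would then hold a CNAME next to anything else; return the new set."""
    proposed = list(records) + [(owner, rtype, rdata)]
    if owner.lower().rstrip(".") in cname_conflicts(proposed):
        raise ValueError(
            f"invalid '{rtype.lower()}record': CNAME record is not allowed "
            "to coexist with any other record (RFC 1034, section 3.6.2)")
    return proposed


if __name__ == "__main__":
    # A PTR at the delegated name has no CNAME beside it, so it is accepted...
    check_add(PARENT_RECORDS, f"130.{CLASSLESS_ZONE}", "PTR", "ipa2.example.test.")
    # ...while the same PTR at the parent-zone name reproduces the installer's error.
    try:
        check_add(PARENT_RECORDS, f"130.{PARENT_ZONE}", "PTR", "ipa2.example.test.")
    except ValueError as err:
        print(err)
```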