Hi,

the high level view is the following: when there is an update related to
DNS data on an IPA server (new/updated/deleted zone, new/updated/deleted
record), it gets written to LDAP. As the LDAP data is replicated to the
other IPA servers, their local LDAP database gets updated.
The bind daemon running on the replica is configured with the bind-dyndb-ldap
<https://docs.pagure.org/bind-dyndb-ldap/> plugin, which uses the syncrepl
mechanism to be warned of updates in the LDAP database. So each time there
is a change in the DNS data in the LDAP server, the bind daemon is notified
and can handle the change locally and update its view.

If the LDAP data is properly replicated but the bind daemon does not serve
the expected records, it probably means that the syncrepl mechanism is
broken. If you have a look at the journal you may see logs with "sync_repl"
or "syncrepl" keywords and they will help diagnose the problem.
The bind daemon logs are located in /var/named/data/ and may also help.

flo
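
The check described above, written out as an added example (not code from the thread or from the FreeIPA project): query each master's named directly, compare the answers with the main master's, and for any replica that disagrees look at its LDAP copy to decide whether replication or syncrepl is the likely culprit. MASTERS, SUFFIX, ZONE and HOST are placeholders; the ldapsearch assumes a valid Kerberos ticket and the standard cn=dns,<suffix> layout.

```python
# Added example, not from the thread: compare what each IPA master's named
# answers with what its LDAP holds, following the reasoning in the reply above.
# Assumptions: MASTERS/SUFFIX/ZONE/HOST are placeholders, a Kerberos ticket
# is available for the GSSAPI ldapsearch, and DNS entries live under cn=dns.
import subprocess
from typing import Dict, Set

MASTERS = ["ipa1.example.test", "ipa2.example.test", "ipa3.example.test"]
SUFFIX = "dc=example,dc=test"
ZONE, HOST = "example.test.", "webserver"

def parse_dig_short(output: str) -> Set[str]:
    """Turn `dig +short` output into an order-insensitive set of RDATA strings."""
    return {line.strip() for line in output.splitlines() if line.strip()}

def dns_rdata(master: str, name: str, rtype: str = "A") -> Set[str]:
    """Ask one master's named directly; +norecurse so we only see its own view."""
    proc = subprocess.run(["dig", "+short", "+norecurse", "@" + master, name, rtype],
                          capture_output=True, text=True, timeout=10, check=False)
    return parse_dig_short(proc.stdout)

def ldap_has_record(master: str, host: str, zone: str) -> bool:
    """True if the record entry exists in that master's LDAP copy (the same
    check as the 'local ldapsearch', done over the network with GSSAPI)."""
    base = f"idnsName={zone},cn=dns,{SUFFIX}"
    proc = subprocess.run(["ldapsearch", "-LLL", "-Q", "-Y", "GSSAPI", "-H",
                           f"ldap://{master}", "-b", base, f"(idnsName={host})", "dn"],
                          capture_output=True, text=True, timeout=10, check=False)
    return any(line.startswith("dn:") for line in proc.stdout.splitlines())

def classify(ldap_has: bool, rdata: Set[str], expected: Set[str]) -> str:
    """LDAP missing the record -> replication lag; LDAP has it but named
    disagrees -> bind-dyndb-ldap syncrepl is suspect; otherwise consistent."""
    if not ldap_has:
        return "ldap-replication"
    if rdata != expected:
        return "syncrepl"
    return "consistent"

def find_stale(answers: Dict[str, Set[str]], reference: str) -> Dict[str, Set[str]]:
    """Masters whose named answer differs from the reference (main) master's."""
    ref = answers[reference]
    return {m: a for m, a in answers.items() if m != reference and a != ref}

if __name__ == "__main__":
    fqdn = f"{HOST}.{ZONE}"
    answers = {m: dns_rdata(m, fqdn) for m in MASTERS}
    for m, stale in find_stale(answers, MASTERS[0]).items():
        print(m, classify(ldap_has_record(m, HOST, ZONE), stale, answers[MASTERS[0]]))
```

A master reported as "syncrepl" is the one whose journal should be searched for the "sync_repl"/"syncrepl" keywords mentioned above.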

On Mon, Jun 21, 2021 at 2:17 PM Kees Bakker via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hey,
>
> Recently I discovered that the nameservers of two out of the three IPA
> masters (replicas) are not responding with up-to-date information.
>
> Our setup has three masters. Each is configured as nameserver. Most of
> the time I use one as the main master when I modify DNS entries. We also
> have a DHCP server that sends updates to that "main" master.
>
> What I now discovered is that updates are not available when clients use
> the two other masters.
>
> On all three masters the DNS record is present when I use local
> ldapsearch [1]. But with dig the record is only present on one master.
>
> If I restart the nameserver it then has all records available.
>
> What would be the best method to find out what is wrong?
>
> BTW. There are two things that changed recently. I mention this in case
> it rings a bell.
> 1. One master was re-installed with CentOS 8 Stream. Another CentOS 8
>    master was added a few weeks ago.
> 2. Our nameservers don't have a connection to the Internet any more. So,
>    root servers cannot be found.
>
> [1] By local ldapsearch I mean doing a command like this:
>      ldapsearch -H ldapi://%2fvar%2frun%2f...
> --
> Kees
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>