On Tue, 2011-06-21 at 12:12 +0200, Adam Tkac wrote:
> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> >> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> >>> Hi,
> >>>
> >>> I would like to use my freeIPA v2 server as my master name server and
> >>> have other normal (non ldap based) bind servers as caching / secondary
> >>> name servers. Ideally the clients would query only the secondary servers
> >>> and the secondary name servers would perform regular zone transfers from
> >>> the master server.
> >>>
> >>> So I'm trying to set up zone transfer in my IPA based name server. First
> >>> of all I see that the attribute "idnsAllowTransfer" referenced in the
> >>> bind-dyndb-ldap documentation is not really supported in the schema
> >>> installed in IPA. Next, using a global "allow-transfer" in named.conf
> >>> doesn't work either.
> >> A global allow-transfer should work, have you restarted named after
> >> setting it?
> >>
> >> If it doesn't work we may have a bug.
> > I'm adding to named.conf options section:
> >
> > allow-transfer { 127.0.0.1; };
> >
> > then I restart named and try a zone transfer on the same host:
> >
> > # host -l ipa.corpfbk. 127.0.0.1
> > ; Transfer failed.
> > Using domain server:
> > Name: 127.0.0.1
> > Address: 127.0.0.1#53
> > Aliases: 
> >
> > Host ipa.corpfbk not found: 9(NOTAUTH)
> > ; Transfer failed.
> >
> > In the logs I get:
> >
> > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone 
> > transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
> >
> Hello Loris,
> 
> the bind-dyndb-ldap plugin currently doesn't support zone transfers but
> you should receive a SERVFAIL error in this case, not NOTAUTH.
> 
> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
> zone? Can you please post the output of "dig @127.0.0.1 ipa.corpfbk SOA" here?

Adam,
Thanks for the reply.

Loris, sorry for the confusion, I mistakenly thought we already
implemented this feature. The implementation is not particularly
difficult, and we plan to have support for zone transfers in one of the
next 2.x releases, as soon as UI changes can be made and tested.

Follow future release announcements; we will have this feature listed
when it is ready.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
