On 06/21/2011 03:51 PM, Loris Santamaria wrote:
> On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote:
>> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
>>>> On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
>>>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
>>>>> Hi,
>>>>>
>>>>> I would like to use my freeIPA v2 server as my master name server and
>>>>> have other normal (non ldap based) bind servers as caching / secondary
>>>>> name servers. Ideally the clients would query only the secondary servers
>>>>> and the secondary name servers would perform regular zone transfers from
>>>>> the master server.
>>>>>
>>>>> So I'm trying to setup zone transfer in my IPA based name server. First
>>>>> of all I see that the attribute "idnsAllowTransfer" referenced in the
>>>>> bind-dyndb-ldap documentation is not really supported in the schema
>>>>> installed in IPA. Next, using a global "allow-transfer" in named.conf
>>>>> doesn't work either.
>>>> A global allow-transfer should work; have you restarted named after
>>>> setting it?
>>>>
>>>> If it doesn't work we may have a bug.
>>> I'm adding to named.conf options section:
>>>
>>> allow-transfer { 127.0.0.1; };
>>>
>>> then I restart named and try a zone transfer on the same host:
>>>
>>> # host -l ipa.corpfbk. 127.0.0.1
>>> ; Transfer failed.
>>> Using domain server:
>>> Name: 127.0.0.1
>>> Address: 127.0.0.1#53
>>> Aliases: 
>>>
>>> Host ipa.corpfbk not found: 9(NOTAUTH)
>>> ; Transfer failed.
>>>
>>> In the logs I get:
>>>
>>> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone 
>>> transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
>>>
>> Hello Loris,
>>
>> the bind-dyndb-ldap plugin currently doesn't support zone transfers, but
>> you should receive a SERVFAIL error in this case, not NOTAUTH.
>>
>> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
>> zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here?
> The zone's SOA seems right to me:
>
> [root@ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA
>
> ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;ipa.corpfbk.                 IN      SOA
>
> ;; ANSWER SECTION:
> ipa.corpfbk.          86400   IN      SOA     ipa01.central.corpfbk. 
> soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600
>
> ;; AUTHORITY SECTION:
> ipa.corpfbk.          86400   IN      NS      ipa01.central.corpfbk.
>
> ;; ADDITIONAL SECTION:
> ipa01.central.corpfbk.        86400   IN      A       192.168.3.6
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 21 09:15:43 2011
> ;; MSG SIZE  rcvd: 133
That's weird if the server still returns NOTAUTH. Are you sure you perform
the zone transfer from 192.168.3.6? (i.e. you execute the host utility on
the machine with IP 192.168.3.6).

Regards, Adam

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
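The two pieces of evidence traded in this thread are a `dig ... SOA` header (does it carry the `aa` flag?) and a named log line reporting a rejected zone transfer (which rcode?). The following is an added example, not code from the thread, FreeIPA or bind-dyndb-ldap: it parses both and maps the combination to a short diagnosis, using constructed samples modelled on the output quoted above. The classification labels (`MISMATCHED_SERVER`, `NOT_AUTHORITATIVE`, `BACKEND_NO_AXFR`, `OTHER`) are my own names; the NOTAUTH and SERVFAIL interpretations are the ones the thread itself gives.

```python
"""Classify BIND zone-transfer failures from a dig SOA header and a named log line.

Added example (not from the mailing-list thread, FreeIPA or bind-dyndb-ldap).
Sample inputs are constructed to mirror the thread's output.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430"
DIG_HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
# ";; flags: qr aa rd ra; QUERY: 1, ..."  -> "qr aa rd ra"
DIG_FLAGS_RE = re.compile(r";; flags: ([a-z ]+);")
# named's "bad zone transfer request" message, as quoted in the thread
NAMED_AXFR_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[\d.:a-fA-F]+)#(?P<port>\d+): "
    r"bad zone transfer request: '(?P<zone>[^/]+)/(?P<class>\w+)': "
    r"(?P<reason>.*?) \((?P<rcode>[A-Z]+)\)$"
)


@dataclass
class DigSummary:
    status: str
    flags: set = field(default_factory=set)

    @property
    def authoritative(self) -> bool:
        # "aa" is the authoritative-answer flag in the DNS header
        return "aa" in self.flags


@dataclass
class AxfrRejection:
    client: str
    zone: str
    reason: str
    rcode: str


def parse_dig_header(text: str) -> DigSummary:
    """Extract status and header flags from dig output."""
    m = DIG_HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header found")
    f = DIG_FLAGS_RE.search(text)
    flags = set(f.group(1).split()) if f else set()
    return DigSummary(status=m.group(2), flags=flags)


def parse_axfr_rejection(line: str) -> Optional[AxfrRejection]:
    """Parse a named 'bad zone transfer request' log line; None if it is something else."""
    m = NAMED_AXFR_RE.search(line)
    if not m:
        return None
    return AxfrRejection(client=m["client"], zone=m["zone"],
                         reason=m["reason"], rcode=m["rcode"])


def diagnose(dig: DigSummary, rejection: Optional[AxfrRejection]) -> str:
    """Map the SOA evidence plus the logged rcode to a short label (labels are hypothetical)."""
    if rejection is None:
        return "OTHER"
    if rejection.rcode == "NOTAUTH":
        # Authoritative SOA answer but NOTAUTH on AXFR: the transfer most likely
        # did not reach the same server/address that answered the SOA query.
        if dig.status == "NOERROR" and dig.authoritative:
            return "MISMATCHED_SERVER"
        return "NOT_AUTHORITATIVE"
    if rejection.rcode == "SERVFAIL":
        # The thread states bind-dyndb-ldap answers AXFR with SERVFAIL (unsupported).
        return "BACKEND_NO_AXFR"
    return "OTHER"


# Constructed samples modelled on the thread (not captured from a real host).
SAMPLE_DIG = """; <<>> DiG 9.8.0-P1 <<>> @127.0.0.1 ipa.corpfbk SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
"""
SAMPLE_LOG = ("Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: "
              "bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)")

if __name__ == "__main__":
    rej = parse_axfr_rejection(SAMPLE_LOG)
    print(rej)
    print(diagnose(parse_dig_header(SAMPLE_DIG), rej))
```

Run it against your own `dig @server zone SOA` output and the matching named log line; an authoritative SOA answer combined with a NOTAUTH transfer rejection is exactly the situation Adam asks about, and the first thing to confirm is that both queries were sent to the same server address.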
