On 06/25/2012 11:00 AM, Petr Spacek wrote:
Hello,

sorry for a big delay.

On 06/20/2012 02:25 PM, Gavin Spurgeon wrote:
Hi All,

Just have a quick question re: $subject

I have seen some BZ's about this, but just wanted to check with the list
to see what people have to say about this.

I have an IPA Domain (example.com) and it is running as it should be.

I also have 2 Public DNS Servers that run all of my non IPA Zones (in
the 100s) I want these to DNS Serves to act as Standard Bind Slave
Servers for my IPA Domain (i.e. to do a simple AXFR from the IPA Master)
Current IPA (with bind-dyndb-ldap driver) supports AXFR itself. Problem lies
in SOA serial number update - it is not maintained for changes done via WebUI
or CLI. If you do any change through WebUI or CLI, you need to manually bump
the SOA serial number.
Any change via DNS dynamic update mechanism (nsupdate) will bump the SOA
serial automatically.

a, No adding the Public DNS Servers to IPA is not an option...
b, Is this possible *now*
You can "hack" current IPA and bump SOA serial number e.g. each hour (from
cron). In that case zone will be transferred each hour to slave server, but
you will waste some bandwidth.

c, does any one have any other suggestions, on how to get my desired goal ?
You have to set idnsAllowTransfer attribute in relevant zones, see
http://git.fedorahosted.org/git/?p=bind-dyndb-ldap.git;a=blob;f=README

d, if not, when will this be possible ?
Automatic SOA serial number update is on the roadmap for 3.0, stay tuned.

You can read recent discussion about this feature in archive: https://www.redhat.com/archives/freeipa-devel/2012-May/msg00047.html

IPA environment is multi-mastered and we are seeking for a best trade-off. The last proposed approach is "local SOA serial" - each BIND server will manage own SOA serial number.

Please read thread above and post your opinion.

Petr^2 Spacek

Gavin Spurgeon.
AKA Da Geek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to