BTW, shouldn't named.conf contain an "allow-update" statement? Mine
doesn't. Or is this managed differently?


On 23 March 2015 at 12:16, Roberto Cornacchia <roberto.cornacc...@gmail.com>
wrote:

>
>
> On 23 March 2015 at 10:35, Petr Spacek <pspa...@redhat.com> wrote:
>
>> On 23.3.2015 10:21, Roberto Cornacchia wrote:
>> > About the DNS update, this is what the debug log has to say:
>> >
>> > Found zone name: hq.example.com
>> > The master is: ipa.hq.example.com
>> > start_gssrequest
>> > Found realm from ticket: HQ.EXAMPLE.COM
>> > send_gssrequest
>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>> > *Reply from SOA query:*
>> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
>> > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> > ;; QUESTION SECTION:
>> > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>> >
>> > response to SOA query was unsuccessful
>>
>> - Please verify that 192.168.0.72 is the correct IP address of the
>> FreeIPA server.
>>
>
> Positive
>
>
>> - Please check named.logs on the server side to see if there are any
>> complaints about unsuccessful key negotiation with client.
>>
>>
> I raised named's log level to debug 10 and restarted.
> Ran ipa-client-install again.
> The log shows many queries from the client, for A/AAA/SOA record types,
> both about the server and the client. All approved, no problem.
> The log does not seem to contain a single failure / rejection.
>
> However:
> 1) The client reports that response to SOA query was unsuccessful. The
> server log does not say anything about this.
> 2) The server log does not contain any update request
>
>
>> > Notice that it is *different* from what I got before the chronyd change.
>> > Before, there was not even a reply:
>> >
>> > Found zone name: hq.example.com
>> > The master is: ipa.hq.example.com
>> > start_gssrequest
>> > Found realm from ticket: HQ.EXAMPLE.COM
>> > send_gssrequest
>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>> > *could not reach any name server*
>>
>> Interesting, this should not be related to time synchronization in any
>> way.
>> DNS server simply did not return any answer.
>>
>> --
>> Petr^2 Spacek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>