OK, thanks.
That would be "Dynamic updates", right? Then it is enabled.

$ ipa dnszone-show --all
Zone name: hq.example.com
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  Administrator e-mail address: hostmaster.hq.example.com.
  SOA serial: 1427108043
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: FALSE
  nsrecord: ipa.hq.example.com.
  objectclass: idnszone, top, idnsrecord


On 23 March 2015 at 12:27, Martin Basti <mba...@redhat.com> wrote:

>  On 23/03/15 12:19, Roberto Cornacchia wrote:
>
> BTW, shouldn't named.conf contain an "allow-update" statement? Mine
> doesn't. Or is this managed differently?
>
> It is not needed.
> bind-dyndb-ldap plugin overrides this configuration, you just need to
> enable updates in IPA zone setting.
>
> Martin
>
>
>
> On 23 March 2015 at 12:16, Roberto Cornacchia <
> roberto.cornacc...@gmail.com> wrote:
>
>>
>>
>> On 23 March 2015 at 10:35, Petr Spacek <pspa...@redhat.com> wrote:
>>
>>> On 23.3.2015 10:21, Roberto Cornacchia wrote:
>>> > About the DNS update, this is what the debug log has to say:
>>> >
>>> > Found zone name: hq.example.com
>>> > The master is: ipa.hq.example.com
>>> > start_gssrequest
>>> > Found realm from ticket: HQ.EXAMPLE.COM
>>> > send_gssrequest
>>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>>> > *Reply from SOA query:*
>>> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
>>> > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> > ;; QUESTION SECTION:
>>> > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>>> >
>>> > response to SOA query was unsuccessful
>>>
>>> - Please verify that 192.168.0.72 is the correct IP address of the
>>> FreeIPA server.
>>>
>>
>>  Positive
>>
>>
>>> - Please check named.logs on the server side to see if there are any
>>> complains
>>> about unsuccessful key negotiation with client.
>>>
>>>
>>  I raised named's log level to debug 10 and restarted
>> Ran ipa-client-install again.
>> The log shows many queries from the client, for A/AAA/SOA record types,
>> both about the server and the client. All approved, no problem.
>> The log does not seem to contain a single failure / rejection.
>>
>>  However:
>> 1) The client reports that response to SOA query was unsuccessful. The
>> server log does not say anything about this.
>> 2) The server log does not contain any update request
>>
>>
>>> > Notice that is is *different* from what I got before the chronyd
>>> change.
>>> > Before, there was not even a reply:
>>> >
>>> > Found zone name: hq.example.com
>>> > The master is: ipa.hq.example.com
>>> > start_gssrequest
>>> > Found realm from ticket: HQ.EXAMPLE.COM
>>> > send_gssrequest
>>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>>> > *could not reach any name server*
>>>
>>> Interesting, this should not be related to time synchronization in any
>>> way.
>>> DNS server simply did not return any answer.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>
>
>
>
> --
> Martin Basti
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to