OK, thanks. That would be "Dynamic updates", right? Then it is enabled.
$ ipa dnszone-show --all
Zone name: hq.example.com
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  Administrator e-mail address: hostmaster.hq.example.com.
  SOA serial: 1427108043
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: FALSE
  nsrecord: ipa.hq.example.com.
  objectclass: idnszone, top, idnsrecord

On 23 March 2015 at 12:27, Martin Basti <[email protected]> wrote:

> On 23/03/15 12:19, Roberto Cornacchia wrote:
>
> BTW, shouldn't named.conf contain an "allow-update" statement? Mine
> doesn't. Or is this managed differently?
>
> It is not needed.
> bind-dyndb-ldap plugin overrides this configuration, you just need to
> enable updates in IPA zone setting.
>
> Martin
>
>
> On 23 March 2015 at 12:16, Roberto Cornacchia <
> [email protected]> wrote:
>
>>
>> On 23 March 2015 at 10:35, Petr Spacek <[email protected]> wrote:
>>
>>> On 23.3.2015 10:21, Roberto Cornacchia wrote:
>>> > About the DNS update, this is what the debug log has to say:
>>> >
>>> > Found zone name: hq.example.com
>>> > The master is: ipa.hq.example.com
>>> > start_gssrequest
>>> > Found realm from ticket: HQ.EXAMPLE.COM
>>> > send_gssrequest
>>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>>> > *Reply from SOA query:*
>>> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
>>> > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> > ;; QUESTION SECTION:
>>> > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>>> >
>>> > response to SOA query was unsuccessful
>>>
>>> - Please verify that 192.168.0.72 is the correct IP address of the
>>> FreeIPA server.
>>>
>>
>> Positive
>>
>>
>>> - Please check named.logs on the server side to see if there are any
>>> complaints
>>> about unsuccessful key negotiation with client.
>>>
>>>
>> I raised named's log level to debug 10 and restarted.
>> Ran ipa-client-install again.
>> The log shows many queries from the client, for A/AAAA/SOA record types,
>> both about the server and the client. All approved, no problem.
>> The log does not seem to contain a single failure / rejection.
>>
>> However:
>> 1) The client reports that response to SOA query was unsuccessful. The
>> server log does not say anything about this.
>> 2) The server log does not contain any update request.
>>
>>
>>> > Notice that it is *different* from what I got before the chronyd
>>> change.
>>> > Before, there was not even a reply:
>>> >
>>> > Found zone name: hq.example.com
>>> > The master is: ipa.hq.example.com
>>> > start_gssrequest
>>> > Found realm from ticket: HQ.EXAMPLE.COM
>>> > send_gssrequest
>>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>>> > *could not reach any name server*
>>>
>>> Interesting, this should not be related to time synchronization in any
>>> way.
>>> DNS server simply did not return any answer.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>
>
> --
> Martin Basti
>
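A small diagnostic for the two things this thread turns on: whether the zone, as printed by `ipa dnszone-show`, actually lets a client's Kerberos principal update its own A/AAAA records, and how to tell the "TKEY query answered with SERVFAIL" failure apart from the earlier "no reply at all" failure in the client's debug output. This is an added example, not code from the thread or from FreeIPA; the sample zone output and log lines are constructed from what was pasted above, and the function names are my own.

```python
import re

# Constructed from the zone settings pasted above (only the lines the check needs).
ZONE_OUTPUT = """\
  Zone name: hq.example.com.
  Active zone: TRUE
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
"""
# Constructed from the two client-side debug outputs quoted in the thread.
TKEY_LOG = """\
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY
response to SOA query was unsuccessful
"""
NOREPLY_LOG = """\
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
could not reach any name server
"""

def parse_zone(text):
    """Turn the 'Key: value' lines of `ipa dnszone-show` into a dict."""
    zone = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            zone[key.strip()] = value.strip()
    return zone

def missing_self_update_grants(zone, realm, rrtypes=("A", "AAAA")):
    """Record types that principals of `realm` may NOT update on their own
    name; an empty set means GSS-TSIG self-updates of those types are allowed."""
    if zone.get("Dynamic update", "FALSE").upper() != "TRUE":
        return set(rrtypes)      # with updates disabled the grant rules never apply
    granted = set()
    for rule in zone.get("BIND update policy", "").split(";"):
        m = re.match(r"\s*grant\s+(\S+)\s+krb5-self\s+\*\s+(\S+)", rule)
        if m and m.group(1).upper() == realm.upper():
            granted.add(m.group(2).upper())
    return set(rrtypes) - granted

def classify_client_log(log):
    """Distinguish the two failure shapes seen in the thread."""
    if "could not reach any name server" in log:
        return "no-answer"       # nothing came back: connectivity, firewall, or named down
    if re.search(r"status: SERVFAIL.*?\bTKEY\b", log, re.S):
        return "tkey-servfail"   # named answered, but GSS-TSIG key negotiation failed
    return "ok"
```

A "tkey-servfail" result is the case to chase in named's own log (with the debug level raised, as Petr suggested), since the server did answer; "no-answer" points at the network path or the server process instead.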
