I did notice the same behavior. This is my setup:

[root@ipa-idm]# yum list installed ipa-*
Installed Packages
ipa-admintools.x86_64    4.1.0-18.el7_1.3    @rhui-REGION-rhel-server-releases
ipa-client.x86_64        4.1.0-18.el7_1.3    @rhui-REGION-rhel-server-releases
ipa-python.x86_64        4.1.0-18.el7_1.3    @rhui-REGION-rhel-server-releases
ipa-server.x86_64        4.1.0-18.el7_1.3    @rhui-REGION-rhel-server-releases

[root@ipa-idm]# yum list installed bind*
Installed Packages
bind.x86_64              32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-dyndb-ldap.x86_64   6.0-2.el7           @rhui-REGION-rhel-server-releases
bind-libs.x86_64         32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-libs-lite.x86_64    32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-license.noarch      32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-utils.x86_64        32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases

In my setup slaves are various DNS servers including Win2k3, Win2k8 and Bind that I don’t have access to, but according to IPA server logs they don’t receive “NOTIFY” messages OR IPA server does not send them to slaves.

Regards,
Andrey

On 5/4/15, 10:24 PM, "nat...@nathanpeters.com" <nat...@nathanpeters.com> wrote:

>freeipa-admintools.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
>freeipa-client.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
>freeipa-python.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
>freeipa-server.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
>freeipa-server-trust-ad.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
>
>bind.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>bind-dyndb-ldap.x86_64 6.1-1.el7.centos @mkosek-freeipa
>bind-libs.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>bind-libs-lite.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>bind-license.noarch 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>bind-pkcs11.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>bind-pkcs11-libs.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>bind-pkcs11-utils.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>
>And for reference here are the relevant A and NS records from my domain
>
>@ NS dc1.mydomain.net.
>@ NS dc2.mydomain.net.
>@ NS dns1.mydomain.net.
>dns1 A 10.21.0.14
>
>> Hello!
>>
>> On 2.5.2015 17:12, Nathan Peters wrote:
>>> The last 3 sentences of my original post refer to me adding the NS
>>> records for the slave. Is that what you mean?
>>>
>>> "I have also ensured that the slave hostname and IP are in FreeIPA DNS.
>>> I have also added an NS entry pointing to the slave."
>>
>> Which version of FreeIPA and bind-dyndb-ldap are you using?
>>
>> I will look into it.
>>
>> Petr^2 Spacek
>>
>>
>>> -----Original Message-----
>>> From: Baird, Josh
>>> Sent: Saturday, May 02, 2015 7:33 AM
>>> To: 'nat...@nathanpeters.com' ; freeipa-users@redhat.com
>>> Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being
>>> sent to slaves
>>>
>>> Is the PowerDNS slave in the NS RRSet for the IPA domain?
>>> Unfortunately, bind-dyndb-ldap does not support 'also-notify' which
>>> would allow us to send notifies each time a zone update occurs to slave
>>> servers that are not in the RRSet [1]. To compensate for this in my
>>> environment, I had to lower the 'refresh' timer on the IPA zone.
>>>
>>> [1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152
>>>
>>> -----Original Message-----
>>> From: freeipa-users-boun...@redhat.com
>>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of
>>> nat...@nathanpeters.com
>>> Sent: Friday, May 1, 2015 8:20 PM
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent
>>> to slaves
>>>
>>> I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.
>>>
>>> I also have another host running PowerDNS serving as a slave.
>>> The FreeIPA servers are set up to allow transfers to the slave by IP.
>>> When adding the zone, the slave transferred it properly.
>>>
>>> However, when I update the zone in FreeIPA, although the serial number
>>> changes, in the /var/log/messages I only see an attempt to transfer to
>>> the second IPA server, and not the slave. This is the only log entry:
>>>
>>> May 2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
>>> May 2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'
>>>
>>> I have restarted all services using ipactl restart several times. I
>>> have also ensured that the slave hostname and IP are in FreeIPA DNS. I
>>> have also added an NS entry pointing to the slave.
>>>
>>> According to the FreeIPA manual, once that NS entry is added, any zone
>>> updates should trigger a notify, but still the only notifications go
>>> out to FreeIPA servers and nothing else.
>>>
>>> Any idea how to fix this so FreeIPA notifies non IPA servers?
>>> I'm pretty sure I've followed all the instructions to the letter on
>>> this one...
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>>
>> --
>> Petr^2 Spacek
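
Added example, not part of the thread or of FreeIPA: when slaves get no NOTIFY they only catch up on the zone's 'refresh' timer, so comparing SOA serials across the zone's name servers shows which ones are serving an old copy and for how long they may keep doing so. The input is the one-line answer of `dig +short SOA <zone> @<server>`; the rname, the timer values and the older serial are constructed, while the host names and serial 1430528817 are the ones quoted above.

```python
# Added example: flag name servers whose SOA serial lags the master's.
# Each answer is the text of `dig +short SOA <zone> @<server>`:
#   mname rname serial refresh retry expire minimum
MOD = 2 ** 32
HALF = 2 ** 31


def serial_lt(a, b):
    """RFC 1982 serial comparison: True when serial a is older than b."""
    return a != b and ((b - a) % MOD) < HALF


def parse_soa(line):
    """Parse one `dig +short SOA` answer line into its numeric fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("not a SOA answer: %r" % line)
    serial, refresh, retry, expire, minimum = map(int, fields[2:])
    return {"mname": fields[0], "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def stale_servers(master, answers):
    """Return {server: (serial, refresh)} for servers behind the master.

    A slave that is never notified polls every `refresh` seconds (taken from
    the copy of the zone it holds), so that value bounds its staleness.
    """
    newest = parse_soa(answers[master])["serial"]
    stale = {}
    for server, line in answers.items():
        soa = parse_soa(line)
        if serial_lt(soa["serial"], newest):
            stale[server] = (soa["serial"], soa["refresh"])
    return stale


# Constructed sample answers (rname, timers and the older serial are made up).
_SOA = "dc1.mydomain.net. hostmaster.mydomain.net. %d 3600 900 1209600 3600"
SAMPLE = {
    "dc1.mydomain.net.": _SOA % 1430528817,
    "dc2.mydomain.net.": _SOA % 1430528817,
    "dns1.mydomain.net.": _SOA % 1430520001,
}

if __name__ == "__main__":
    for name, (serial, lag) in stale_servers("dc1.mydomain.net.", SAMPLE).items():
        print("%s serves serial %d, may lag up to %d s" % (name, serial, lag))
```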