On 20.5.2015 17:38, Brian Koontz wrote:
> Running FreeIPA 4.1.4, Fedora 21. Trying to get dynamic DNS updates on
> clients to work following these instructions:
>
> http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
>
> (Using GSS-TSIG isn't an option because I have no way of authenticating
> every time a client IP changes.)

Generally, GSS-TSIG with Kerberos should not be affected by changes in the client's IP address and is strongly recommended over TSIG.

> I've reread the instructions several times, but each time I get "update
> failed: REFUSED". Logs aren't showing anything useful other than the query
> is being refused. Is this document missing an important step?

Yes, thank you for catching this! I added the 'ipa dnszone-mod --dynamic-update=1' command to the how-to:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG#Server

> (I saw no
> need to create a DNS/ service as there should be no krb5 authentication
> involved here...)

This is a correct assumption, you should not need it.

Thank you for your time!

--
Petr^2 Spacek
