Thanks for the reply. It makes a bit more sense now.

I'm running FreeIPA 3.0.0 on CentOS 6.7

I followed your advice and was able to use dynamic update once I removed
the zone forwarder. However I've set the global config to "forward only",
but I'm still getting local resolution when I use dig from a client server.
I'd expect to see the external records instead.

I'm not seeing much in the documentation on how to troubleshoot this.

Also I realize we're falling into the realm of a different subject and can
start a fresh email chain if needed.

Thanks again,

Josh

On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <mba...@redhat.com> wrote:

>
>
> On 03.02.2016 01:47, Joshua Ruybal wrote:
>
> Hi All,
>
> I've run into a frustrating issue regarding DNS Dynamic Updating.
>
> In a nutshell:
>
> If I enroll a new client when the forward policy on a dns zone is set to
> "disabled" I don't have a problem enrolling the client and updating the dns
> record.
>
> However if the policy of the zone is set to "only" or "first", nsupdate
> fails during the client install. Install logs say nsupdate: Specified Zone
> 'example.com' does not exist (NXDOMAIN).
>
> I'm seeing this in multiple zones, and all I need to change to fix it is
> to change the forwarding policy. However it's problematic as we start the
> rollout, since we will need to rely on external dns until we have all
> servers enrolled.
>
>
> Client Install Log Snippet:
>
>   2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>   2016-02-02T22:53:17Z DEBUG stdout=
>   2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
>   specified zone 'dev.example.net' does not exist (NXDOMAIN)
>
> Zone Configuration:
>
>   [admin@ipa01 ~]$ ipa dnszone-show --all
>   Zone name: dev.example.net
>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>     Zone name: dev.example.net
>     Authoritative nameserver: ipa01
>     Administrator e-mail address: hostmaster.dev.example.net.
>     SOA serial: 1454447236
>     SOA refresh: 3600
>     SOA retry: 900
>     SOA expire: 1209600
>     SOA minimum: 3600
>     BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
>     Active zone: TRUE
>     Dynamic update: TRUE
>     Allow query: any;
>     Allow transfer: none;
>     Zone forwarders: 8.8.8.8
>     Forward policy: only
>     nsrecord: ipa01, ipa02
>     objectclass: top, idnsrecord, idnszone
>
> Any ideas on how to remedy this? I'd like to avoid updating records by
> hand if it can be avoided.
>
> Thanks!
> Josh
>
>
> Hello,
>
> Which version of FreeIPA do you use?
>
> If the version is older than 4.1, then specifying a forward policy and
> forwarders causes the zone to work as a forward zone; thus, you cannot add
> a host there, because all queries are forwarded to the specified forwarders
> (8.8.8.8), which do not know the zone dev.example.com
>
> If the version is 4.1+, then nsupdate should work and it could be a bug.
> However, I'm curious why you need forwarding in a master zone; what is the
> use case?
>
> More details about forwardzones in IPA:
> http://www.freeipa.org/page/V4/Forward_zones
>
> IMO you need to specify a global forwarder to your external DNS server,
> instead of adding per-zone forwarders.
>
>
> Martin
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
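
Added example, not part of the original thread and not FreeIPA code: a small audit that reads text in the layout of the `ipa dnszone-show --all` output quoted above and lists zones where dynamic update is enabled while forwarders and an "only"/"first" forward policy are set, the combination the reply says turns the zone into a forward zone before 4.1. The function names, the version tuple argument and the sample zones other than dev.example.net are assumptions made for illustration.

```python
# Constructed sample in the layout of the `ipa dnszone-show --all` output
# quoted in the thread; static.example.net and lab.example.net are made up.
SAMPLE = """\
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
    Zone name: dev.example.net
    Dynamic update: TRUE
    Zone forwarders: 8.8.8.8
    Forward policy: only
  Zone name: static.example.net
    Dynamic update: FALSE
    Zone forwarders: 8.8.8.8
    Forward policy: first
  Zone name: lab.example.net
    Dynamic update: TRUE
"""

def parse_zones(text):
    """Split 'Key: value' lines into one dict per zone (keys lower-cased)."""
    zones, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        key, value = key.lower(), value.strip()
        if key == "zone name":
            # The CLI prints the zone name twice per zone; start a new
            # record only when the name actually changes.
            if current is None or current["zone name"] != value:
                current = {"zone name": value}
                zones.append(current)
        elif current is not None:
            current[key] = value
    return zones

def acts_as_forward_zone(zone, ipa_version):
    """Assumption taken from the reply: only versions older than 4.1 are affected."""
    policy = zone.get("forward policy", "").lower()
    return (ipa_version < (4, 1) and bool(zone.get("zone forwarders"))
            and policy in ("only", "first"))

def nsupdate_at_risk(text, ipa_version):
    """Zones where clients will attempt dynamic updates that cannot succeed."""
    return [z["zone name"] for z in parse_zones(text)
            if acts_as_forward_zone(z, ipa_version)
            and z.get("dynamic update", "").upper() == "TRUE"]

if __name__ == "__main__":
    print(nsupdate_at_risk(SAMPLE, (3, 0)))
```
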