Thanks for the reply. It makes a bit more sense now.

I'm running FreeIPA 3.0.0 on CentOS 6.7

I followed your advice and was able to use dynamic update once I removed
the zone forwarder. However, I've set the global config to "forward only",
but I'm still getting local resolution when I use dig from a client server.
I'd expect to see the external records instead.

I'm not seeing much in the documentation on how to troubleshoot this.

Also, I realize we're falling into the realm of a different subject and can
start a fresh email chain if needed.

Thanks again,


On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <> wrote:

> On 03.02.2016 01:47, Joshua Ruybal wrote:
> Hi All,
> I've run into a frustrating issue regarding DNS Dynamic Updating.
> In a nutshell:
> If I enroll a new client when the forward policy on a dns zone is set to
> "disabled" I don't have a problem enrolling the client and updating the dns
> record.
> However, if the policy of the zone is set to "only" or "first", nsupdate
> fails during the client install. The install log says nsupdate: Specified Zone
> '' does not exist (NXDOMAIN).
> I'm seeing this in multiple zones, and all I need to change to fix it is
> to change the forwarding policy. However, it's problematic as we start the
> rollout, since we will need to rely on external DNS until we have all
> servers enrolled.
> Client Install Log Snippet:
>   2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt
>   2016-02-02T22:53:17Z DEBUG stdout=
>   2016-02-02T22:53:17Z DEBUG stderr=specified zone '' does
> not exist (NXDOMAIN)
>   specified zone '' does not exist (NXDOMAIN)
> Zone Configuration:
>   [admin@ipa01 ~]$ ipa dnszone-show --all
>   Zone name:
>   dn:,cn=dns,dc=example,dc=com
>     Zone name:
>     Authoritative nameserver: ipa01
>     Administrator e-mail address:
>     SOA serial: 1454447236
>     SOA refresh: 3600
>     SOA retry: 900
>     SOA expire: 1209600
>     SOA minimum: 3600
>     BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
> krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
>     Active zone: TRUE
>     Dynamic update: TRUE
>     Allow query: any;
>     Allow transfer: none;
>     Zone forwarders:
>     Forward policy: only
>     nsrecord: ipa01, ipa02
>     objectclass: top, idnsrecord, idnszone
> Any ideas on how to remedy this? I'd like to avoid updating records by
> hand if it can be avoided.
> Thanks!
> Josh
> Hello,
> which version of freeIPA do you use?
> If the version is older than 4.1, then specifying a forward policy and
> forwarders causes the zone to work as a forward zone; thus you cannot add hosts
> there, because all queries are forwarded to the specified forwarders (
> which do not know the zone
> If the version is 4.1+ then nsupdate should work and it may be a bug. However,
> I'm curious why you need forwarding in a master zone; what is the use case?
> More details about forward zones in IPA:
> IMO you need to specify a global forwarder to your external DNS server, instead
> of adding per-zone forwarders.
> Martin
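As an added example (not code from this thread or from FreeIPA itself), a small script that parses `ipa dnszone-show --all` style output and flags master zones whose forward policy would make them behave as forward zones on IPA releases before 4.1, the condition Martin describes above; the zone names, the forwarder address and the `ipa_version` parameter are assumptions.

```python
"""Constructed example: audit `ipa dnszone-show --all` output for master zones
whose forward policy will break nsupdate on IPA < 4.1 (not FreeIPA code)."""
import re

# Constructed sample, modelled on the zone listing in the thread; zone
# names and the forwarder address are placeholders.
SAMPLE = """\
  Zone name: example.com.
  Authoritative nameserver: ipa01.example.com.
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  Dynamic update: TRUE
  Zone forwarders: 192.0.2.53
  Forward policy: only

  Zone name: lab.example.com.
  Dynamic update: TRUE
  Forward policy: disabled
"""

def parse_zones(text):
    """Split the CLI output into one dict per zone ('Field name' -> value)."""
    zones, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+): ?(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Zone name":  # a new zone block starts here
            current = {}
            zones.append(current)
        if current is not None:
            current[key] = value
    return zones

def check_zone(zone, ipa_version=(3, 0)):
    """Return findings for one zone. Before IPA 4.1 a master zone with a
    forward policy of 'only' or 'first' behaves as a forward zone, so
    nsupdate against it fails with NXDOMAIN, as seen in the thread."""
    findings = []
    policy = zone.get("Forward policy", "disabled").lower()
    dynamic = zone.get("Dynamic update", "FALSE").upper() == "TRUE"
    if policy in ("only", "first") and dynamic and ipa_version < (4, 1):
        findings.append(f"forward policy '{policy}' makes this master zone a "
                        f"forward zone on IPA < 4.1; nsupdate will get NXDOMAIN")
    if policy in ("only", "first") and not zone.get("Zone forwarders"):
        findings.append(f"forward policy '{policy}' set with no zone forwarders")
    return findings

def audit(text, ipa_version=(3, 0)):
    return {z["Zone name"]: check_zone(z, ipa_version) for z in parse_zones(text)}
```

Pipe the real `ipa dnszone-show --all` output into `audit()` with your server's version to see which zones need the per-zone forwarders removed in favour of a global forwarder.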