On 3.2.2016 23:18, Joshua Ruybal wrote:
> Thanks for the reply. It makes a bit more sense now.
> 
> I'm running FreeIPA 3.0.0 on CentOS 6.7
> 
> I followed your advice and was able to use dynamic update once I removed
> the zone forwarder. However I've set the global config to "forward only",
> but I'm still getting local resolution when I use dig from a client server.
> I'd expect to see the external records instead.
> 
> I'm not seeing much in documentation how to troubleshoot this.
> 
> Also I realize we're falling into the realm of a different subject and can
> start a fresh email chain if needed.

No problem. Please read
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

it might explain what can and cannot be done with zone forwarders.

Petr^2 Spacek

> 
> Thanks again,
> 
> Josh
> 
> On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <mba...@redhat.com> wrote:
> 
>>
>>
>> On 03.02.2016 01:47, Joshua Ruybal wrote:
>>
>> Hi All,
>>
>> I've run into a frustrating issue regarding DNS Dynamic Updating.
>>
>> In a nutshell:
>>
>> If I enroll a new client when the forward policy on a dns zone is set to
>> "disabled" I don't have a problem enrolling the client and updating the dns
>> record.
>>
>> However if the policy of the zone is set to "only" or "first", nsupdate
>> fails during the client install. Install logs says nsupdate: Specified Zone
>> 'example.com' does not exist (NXDOMAIN).
>>
>> I'm seeing this in multiple zones, and all I need to change to fix it is
>> to change the forwarding policy. However it's problematic as we start the
>> rollout, since we will need to rely on external dns until we have all
>> servers enrolled.
>>
>>
>> Client Install Log Snippet:
>>
>>   2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g
>> /etc/ipa/.dns_update.txt
>>   2016-02-02T22:53:17Z DEBUG stdout=
>>   2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does
>> not exist (NXDOMAIN)
>>   specified zone 'dev.example.net' does not exist (NXDOMAIN)
>>
>> Zone Configuration:
>>
>>   [admin@ipa01 ~]$ ipa dnszone-show --all
>>   Zone name: dev.example.net
>>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>>     Zone name: dev.example.net
>>     Authoritative nameserver: ipa01
>>     Administrator e-mail address: hostmaster.dev.example.net.
>>     SOA serial: 1454447236
>>     SOA refresh: 3600
>>     SOA retry: 900
>>     SOA expire: 1209600
>>     SOA minimum: 3600
>>     BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
>> krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
>>     Active zone: TRUE
>>     Dynamic update: TRUE
>>     Allow query: any;
>>     Allow transfer: none;
>>     Zone forwarders: 8.8.8.8
>>     Forward policy: only
>>     nsrecord: ipa01, ipa02
>>     objectclass: top, idnsrecord, idnszone
>>
>> Any ideas on how to remedy this? I'd like to avoid updating records by
>> hand if it can be avoided.
>>
>> Thanks!
>> Josh
>>
>>
>> Hello,
>>
>> which version of freeIPA do you use?
>>
>> If version is older than 4.1, then specifying forward policy and
>> forwarders cause that zone work as forwardzone thus, you cannot add host
>> there, because all queries ale forwarded to specified forwarders (8.8.8.8)
>> which does not know zone dev.example.com
>>
>> If version is 4.1+ then nsupdate should work and it can be bug. However
>> I'm curious why do you need forwarding in master zone, what is the use case?
>>
>> More details about forwardzones in IPA:
>> http://www.freeipa.org/page/V4/Forward_zones
>>
>> IMO you need specify global forwarder to your external DNS server, instead
>> of adding per zone forwarders.
>>
>>
>> Martin
>>
> 
> 
> 


-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to