Hi, first of all, please always keep the mailing list in Cc. I re-added it back. See below:

On 2.5.2016 14:40, Wanka, Silvio wrote:
> Petr Spacek wrote:
>
> Again Thx for your answer!
>
>> It works differently. DNS updates from clients would be forwarded to AD
>> server (as today) and two-way trust would enable AD to authenticate IPA
>> clients.
> This is not what I need, my IPA "clients" are always servers with static
> IP addresses, i.e. "ipa-client-install" creates a fixed A record and the
> enabled "Allow PTR sync" does nothing because it can't.
>
>> Anyway, neither slave nor stub would help you with this problem as both
>> types are by definition read-only.
> In bind exists an option "allow-update-forwarding" which would offer such
> possibility but then IPA must use it if the A record should be created but
> the zone is locally. Maybe in the future. I know from Windows DNS servers
> which are not Domain Controllers that they forward the request of its clients
> to create or update a DNS record to the DCs if the domain is configured e.g.
> as stub zone on this non DC DNS servers.

AFAIK this works only when the local server is authoritative for the zone. As far as I understood you, IPA is not authoritative for the reverse zones, so it would do nothing.

I'm curious how this option works with GSS-TSIG updates, I never tried that.

You might set up a slave zone manually in named.conf and then try to enable this option. Please report your findings to the mailing list, I'm very curious.

I hope this will help.

--
Petr^2 Spacek