First of all, please always keep the mailing list in Cc. I re-added it back. See

On 2.5.2016 14:40, Wanka, Silvio wrote:
> Petr Spacek wrote:
>> >
> Again, thanks for your answer!
>> > It works differently. DNS updates from clients would be forwarded to AD
>> > server (as today) and two-way trust would enable AD to authenticate IPA
>> > clients.
> This is not what I need, my IPA "clients" are always servers with static
> IP addresses, i.e. "ipa-client-install" creates a fixed A record and the
> enabled "Allow PTR sync" does nothing because it can't.
>> > Anyway, neither slave nor stub would help you with this problem as both
>> > types are by definition read-only.
> In BIND there is an option "allow-update-forwarding" which would offer such a
> possibility, but then IPA must use it if the A record should be created but
> the zone is local. Maybe in the future. I know from Windows DNS servers
> which are not Domain Controllers that forward the requests of their clients
> to create or update a DNS record to the DCs if the domain is configured e.g.
> as a stub zone on these non-DC DNS servers.

AFAIK this works only when the local server is authoritative for the zone. As far
as I understood you, IPA is not authoritative for the reverse zones, so it would
do nothing.

I'm curious how this option works with GSS-TSIG updates, I never tried that.

You might set up a slave zone manually in named.conf and then try to enable this
option. Please report your findings to the mailing list, I'm very curious.

I hope this will help.

Petr^2 Spacek
