Thanks for the answer, I just wanted to confirm: Various "DNS health checks" complain about SOA serials not being the same. Are those safe to ignore?
I have 2 FreeIPA servers for basic redundancy. Should I not be pointing my hosts at both FreeIPA hosts for DNS?

Thanks,
Anthony

On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek <[email protected]> wrote:
> On 8.7.2016 19:13, Anthony Clark wrote:
> > Hello All,
> >
> > I have two FreeIPA servers set up as follows:
> >
> > ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
> > --ssh-trust-dns --forwarder=1.2.3.4
> >
> > ns02: ipa-replica-install
> > /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
> > --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
> >
> >
> > Now, after being in use for a few months, my SOA serial numbers are
> > different as reported by the two servers:
> >
> > ns01 reports 1467996578
> > ns02 reports 1467996455
> >
> > [root@ns02 ~]# ipa dnszone-show dev.redacted.net
> > ...
> > SOA serial: 1467996455
> > ...
> >
> > Same result on ns01, 1467996455
> >
> > ipa-replica-conncheck is fine.
> >
> > After an "ipactl restart" on ns02 (thinking that I needed to refresh the
> > ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
> > that of ns01:
> >
> > ns01: 1467996578
> > ns02: 1467997519
> >
> > Another "ipactl restart" on ns02 results in:
> >
> > ns01: 1467996578
> > ns02: 1467997595
> >
> > running "ipactl restart" on ns01 results in:
> >
> > ns01: 1467997873
> > ns02: 1467997595
> >
> > ns02 doesn't seem to be getting its serial number from ns01 at all.
> >
> > Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on
> > the replica?
> >
> > Does anyone have any suggestions on how to debug this further?
>
> Hello,
>
> this is in fact expected. IPA has multi-master DNS so serials are not
> synced.
>
> This is documented in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers
>
> I hope it helps.
>
> --
> Petr^2 Spacek
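One way to turn the generic "SOA serials differ" warning into a check that separates the serial drift expected on FreeIPA multi-master DNS from a real SOA inconsistency between the two servers. This is an added example, not code from the thread or from FreeIPA itself; the host names, the RNAME and the SOA timer values are assumptions.

```shell
#!/bin/sh
# Compare the SOA record two authoritative servers return for one zone.
# On FreeIPA multi-master DNS each server keeps its own serial, so a
# serial-only difference is expected; a difference in MNAME, RNAME or
# the timers means the servers disagree about the zone and needs a look.
#
# With live servers (names assumed from the thread) the inputs come from:
#   dig +short SOA dev.redacted.net @ns01.dev.redacted.net
#   dig +short SOA dev.redacted.net @ns02.dev.redacted.net
# dig +short prints: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM

# classify_soa SOA_FROM_SERVER_A SOA_FROM_SERVER_B
# Prints SAME, SERIAL_ONLY, MISMATCH or INVALID (empty/short answer,
# e.g. a server that did not respond).
classify_soa() {
    cs_a=$1
    cs_b=$2
    set -- $cs_a
    [ "$#" -eq 7 ] || { echo INVALID; return 0; }
    cs_a_fixed="$1 $2 $4 $5 $6 $7"   # every field except the serial
    cs_a_serial=$3
    set -- $cs_b
    [ "$#" -eq 7 ] || { echo INVALID; return 0; }
    cs_b_fixed="$1 $2 $4 $5 $6 $7"
    cs_b_serial=$3
    if [ "$cs_a_fixed" != "$cs_b_fixed" ]; then
        echo MISMATCH
    elif [ "$cs_a_serial" != "$cs_b_serial" ]; then
        echo SERIAL_ONLY
    else
        echo SAME
    fi
    return 0
}

# Constructed sample answers: the serials are the ones reported in the
# thread, MNAME/RNAME/timers are placeholders.
SOA_NS01="ns01.dev.redacted.net. hostmaster.dev.redacted.net. 1467996578 3600 900 1209600 3600"
SOA_NS02="ns01.dev.redacted.net. hostmaster.dev.redacted.net. 1467996455 3600 900 1209600 3600"

classify_soa "$SOA_NS01" "$SOA_NS02"   # prints SERIAL_ONLY
```

Only MISMATCH and INVALID are worth alerting on in this setup; SERIAL_ONLY is the documented multi-master behaviour.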
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
