On 11.7.2016 15:40, Anthony Clark wrote:
> Thanks for the answer,
> 
> I just wanted to confirm:  Various "DNS health checks" complain about SOA
> serials not being the same.  Are those safe to ignore?

Yes, unless you are doing incremental zone transfers.

> I have 2 FreeIPA servers for basic redundancy.  Should I not be pointing my
> hosts at both FreeIPA hosts for DNS?

It is okay to point clients to both servers as long as the clients are not
doing incremental zone transfers.

If you plan to do incremental zone transfers, point clients to a single IPA
server. That is it.

Petr^2 Spacek

> Anthony
> 
> On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek <pspa...@redhat.com> wrote:
> 
>> On 8.7.2016 19:13, Anthony Clark wrote:
>>> Hello All,
>>>
>>> I have two FreeIPA servers set up as follows:
>>>
>>> ns01:  ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir
>>> --setup-dns --ssh-trust-dns --forwarder=1.2.3.4
>>>
>>> ns02:  ipa-replica-install
>>> /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca
>>> --mkhomedir --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
>>>
>>>
>>> Now, after being in use for a few months, my SOA serial numbers are
>>> different as reported by the two servers:
>>>
>>> ns01 reports 1467996578
>>> ns02 reports 1467996455
>>>
>>> [root@ns02 ~]# ipa dnszone-show dev.redacted.net
>>> ...
>>>   SOA serial: 1467996455
>>> ...
>>>
>>> Same result on ns01, 1467996455
>>>
>>> ipa-replica-conncheck is fine.
>>>
>>> After an "ipactl restart" on ns02 (thinking that I needed to refresh the
>>> ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
>>> that of ns01:
>>>
>>> ns01: 1467996578
>>> ns02:  1467997519
>>>
>>> Another "ipactl restart" on ns02 results in:
>>>
>>> ns01:  1467996578
>>> ns02:  1467997595
>>>
>>> running "ipactl restart" on ns01 results in:
>>>
>>> ns01:  1467997873
>>> ns02:  1467997595
>>>
>>> ns02 doesn't seem to be getting its serial number from ns01 at all.
>>>
>>> Did I set up ns02 incorrectly?  Should I have skipped the "--setup-dns"
>>> on the replica?
>>>
>>> Does anyone have any suggestions on how to debug this further?
>>
>> Hello,
>>
>> this is in fact expected. IPA has multi-master DNS so serials are not
>> synced.
>>
>> This is documented in
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers
>>
>> I hope it helps.
>>
>> --
>> Petr^2 Spacek
>>
> 


-- 
Petr Spacek  @  Red Hat
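An added check that is not part of the thread or of the FreeIPA project, encoding Petr's point above: compare the SOA records served by both IPA masters, but report a differing serial as informational (it only matters for clients doing incremental zone transfers) while still flagging any other SOA field that disagrees. The `dig +short SOA` output strings are constructed; the serials come from the thread, all other field values are assumptions.

```python
"""Compare SOA records from two FreeIPA DNS masters, tolerating serial drift.

IPA's multi-master DNS does not synchronise SOA serials (each master keeps
its own), so a naive "serials must match" health check is noisy.  This
hypothetical helper compares every SOA field except the serial and reports
serial drift separately.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(short_output: str) -> Soa:
    """Parse the one-line form printed by `dig +short SOA <zone>`."""
    fields = short_output.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA format: {short_output!r}")
    return Soa(fields[0], fields[1], *map(int, fields[2:]))


def compare_masters(outputs: dict) -> dict:
    """Return serial drift (expected with IPA multi-master) and the list of
    non-serial SOA fields that disagree between masters (a real problem)."""
    soas = {ns: parse_soa(out) for ns, out in outputs.items()}
    serials = {ns: s.serial for ns, s in soas.items()}
    checked = ("mname", "rname", "refresh", "retry", "expire", "minimum")
    inconsistent = [f for f in checked
                    if len({getattr(s, f) for s in soas.values()}) > 1]
    return {"serials": serials,
            "serial_drift": len(set(serials.values())) > 1,
            "inconsistent_fields": inconsistent}


# Constructed sample output: serials from the thread, other values assumed.
SAMPLE = {
    "ns01": "ns01.dev.redacted.net. hostmaster.dev.redacted.net. "
            "1467996578 3600 900 1209600 3600",
    "ns02": "ns01.dev.redacted.net. hostmaster.dev.redacted.net. "
            "1467996455 3600 900 1209600 3600",
}

if __name__ == "__main__":
    result = compare_masters(SAMPLE)
    print(result)  # serial_drift True, inconsistent_fields [] -> nothing to fix
```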

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project