On 02/08/2017 11:59 PM, Ben Roberts wrote:
> Hi all,
>
> This is a question more about bind-dyndb-ldap rather than freeipa, but
> I understand it's written/maintained by the freeipa project and so
> this might be the most appropriate place to ask. I have set up
> bind-dyndb-ldap to read some zones from openldap, with multiple
> nameservers acting as masters and one nameserver running as a slave
> via the usual notify/transfer mechanism. I'm not seeing any DS records
> transfer across to the slave nameserver, nor when I manually query the
> primaries with an AXFR request. This includes both the apex DS
> records, automatically generated by bind-dyndb-ldap, but more
> importantly the glue dSRecord objects for a delegated subdomain.
>
> I note that the dSRecord entries are present in
> /var/named/dyndb-ldap/$view/master/$zone/raw but not present in
> /var/named/dyndb-ldap/$view/master/$zone/signed.
>
> Example (domain name and IP addresses obfuscated, but all other fields
> are unmodified):
>
> $ dig +noall +answer DS subdomain.example.local @127.0.0.1
> subdomain.example.local. 600 IN DS 38589 7 1 6C410EF5A47631FBA2C3BC295A90363EA86A1846
> subdomain.example.local. 600 IN DS 38589 7 2 23E22A49BBF2AD0E3F4668CB4C0DB52EE60ACA4308C1DE002A47AD7B 99734334
>
> $ dig +noall +answer AXFR subdomain.example.local @127.0.0.1 | head -n 1
> subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600
>
> $ dig +noall +answer AXFR subdomain.example.local @127.0.0.1 | grep '\bDS\b'
> $
>
> This behaviour doesn't seem right to me. I would expect the DS records
> to be transferred to the slaves as normal so that any glue records are
> correctly present on all nameservers. I can't see any references in
> the bind-dyndb-ldap wiki/readme or code comments that would explain DS
> records being treated specially, but please do correct me if I'm wrong.
>
> Regards,
> Ben Roberts

Hi,

when I add a DS record to LDAP (without any DNSSEC configuration), it is included in my AXFR transfer. I'm using bind-dyndb-ldap-10.1.

I suppose you have DNSSEC configured. Could you be affected by the limitations mentioned in [1]?

[1] - https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures

-- 
Tomas Krizek
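The check Ben did by hand (grep the AXFR output for DS and compare against the raw zone) can be made systematic: parse both dumps in dig's presentation format, key records by (owner, type), and report every record the raw zone holds that the transfer lacks. The script below is an added example for this thread, not code from bind-dyndb-ldap or FreeIPA; the two zone dumps embedded in it are constructed to mirror the reported symptom (DS at the delegation point present in the raw zone, absent from the AXFR of the signed zone), and the RRSIG line in the transfer is a placeholder with made-up rdata.

```python
"""
Diff two zone dumps in dig presentation format and report records that the
first (expected) contains but the second (observed) does not.

Added example for the freeipa-users thread above; not bind-dyndb-ldap or
FreeIPA code. The sample dumps are constructed, not captured from a server.
"""
import re
from collections import defaultdict

# Shape of a `dig +noall +answer` line:  owner TTL IN TYPE rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_rrsets(text):
    """Return {(owner, type): set(rdata)} for every record line in `text`."""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparsable record line: {line!r}")
        owner, _ttl, rtype, rdata = m.groups()
        owner = owner.lower().rstrip(".") + "."  # normalise to absolute, lowercase
        rtype = rtype.upper()
        tokens = rdata.split()
        if rtype == "DS":
            # dig wraps long digests into space-separated chunks; merge them so
            # "...AD7B 99734334" and "...AD7B99734334" compare as the same record.
            tokens = tokens[:3] + ["".join(tokens[3:]).upper()]
        rrsets[(owner, rtype)].add(" ".join(tokens))
    return rrsets


def missing_records(expected_text, observed_text):
    """(owner, type, rdata) triples present in expected_text but not observed_text.

    Extra records in observed_text (for example RRSIGs added by signing) are
    ignored; only what was expected and is absent is reported.
    """
    expected = parse_rrsets(expected_text)
    observed = parse_rrsets(observed_text)
    missing = []
    for (owner, rtype), rdatas in expected.items():
        for rdata in rdatas - observed.get((owner, rtype), set()):
            missing.append((owner, rtype, rdata))
    return sorted(missing)


def missing_types(expected_text, observed_text):
    """Only the (owner, type) pairs with at least one record missing."""
    return sorted({(o, t) for o, t, _ in missing_records(expected_text, observed_text)})


# Constructed: the raw (unsigned) zone, written in dig output form.
RAW_ZONE = """\
subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600
subdomain.example.local. 600 IN NS ns1.example.local.
subdomain.example.local. 600 IN DS 38589 7 1 6C410EF5A47631FBA2C3BC295A90363EA86A1846
subdomain.example.local. 600 IN DS 38589 7 2 23E22A49BBF2AD0E3F4668CB4C0DB52EE60ACA4308C1DE002A47AD7B 99734334
www.subdomain.example.local. 600 IN A 192.0.2.10
"""

# Constructed: what `dig AXFR` of the signed zone returned. dig prints the SOA
# twice (start and end of transfer); the RRSIG rdata is a placeholder.
AXFR_OUTPUT = """\
subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600
subdomain.example.local. 600 IN NS ns1.example.local.
subdomain.example.local. 600 IN RRSIG NS 7 3 600 20170301000000 20170201000000 38589 subdomain.example.local. constructed-signature
www.subdomain.example.local. 600 IN A 192.0.2.10
subdomain.example.local. 600 IN SOA ns1.example.local. hostmaster.example.local. 2016050416 43200 3600 1209600 3600
"""


if __name__ == "__main__":
    # Against a live server, feed in the output of
    #   dig +noall +answer AXFR <zone> @<primary>   and   @<secondary>
    # instead of the constructed dumps.
    for owner, rtype, rdata in missing_records(RAW_ZONE, AXFR_OUTPUT):
        print(f"missing from transfer: {owner} {rtype} {rdata}")
```

Run it against the raw dump and the AXFR of each primary and the secondary: a DS RRset that is present in the raw zone but missing from every AXFR points at the signing step (raw to signed) rather than at zone transfer, which is the distinction the thread is trying to make.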
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
