Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-06 Thread nathan
Oh I feel silly now.  I had the wrong IP in DNS for the server, so
although forward and reverse lookups were working, it was sending the
update to a server that was not a DNS server.

Strangely enough, the logs did not show this attempt to notify the wrong
server, they just ignored it completely.  I fixed the IP and this is
working now.

Thanks!

> Hello!
>
> On 5.5.2015 00:24, nat...@nathanpeters.com wrote:
>> bind.x86_64             32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>> bind-dyndb-ldap.x86_64  6.1-1.el7.centos                @mkosek-freeipa
>
> This version works for me (tested on Fedora 21).
>
>> And for reference here are the relevant A and NS records from my domain
>>
>> @ NS dc1.mydomain.net.
>> @ NS dc2.mydomain.net.
>> @ NS dns1.mydomain.net.
>> dns1 A 10.21.0.14
>
> I would recommend you double check whether the commands
>
> $ dig @ dc1.mydomain.net. A
> $ dig @ dc2.mydomain.net. A
> $ dig @ dns1.mydomain.net. A
>
> actually return IP addresses or not. Unfortunately BIND does not report an
> error if it is unable to resolve the name and silently ignores the name when
> notifications are sent.
>
> For testing purposes I use these commands (on server):
> $ tcpdump -i any 'port 53'
> $ rndc notify mydomain.net.
>
> Look for a line from tcpdump with note 'notify' in it. I can see the notify
> packet as soon as BIND prints 'sending notifies' message to the journal.
>
> I hope this helps.
>
> Petr^2 Spacek



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-06 Thread Petr Spacek
Hello!

On 5.5.2015 00:24, nat...@nathanpeters.com wrote:
> bind.x86_64             32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
> bind-dyndb-ldap.x86_64  6.1-1.el7.centos                @mkosek-freeipa

This version works for me (tested on Fedora 21).

> And for reference here are the relevant A and NS records from my domain
> 
> @ NS dc1.mydomain.net.
> @ NS dc2.mydomain.net.
> @ NS dns1.mydomain.net.
> dns1 A 10.21.0.14

I would recommend you double check whether the commands

$ dig @ dc1.mydomain.net. A
$ dig @ dc2.mydomain.net. A
$ dig @ dns1.mydomain.net. A

actually return IP addresses or not. Unfortunately BIND does not report an
error if it is unable to resolve the name and silently ignores the name when
notifications are sent.

For testing purposes I use these commands (on server):
$ tcpdump -i any 'port 53'
$ rndc notify mydomain.net.

Look for a line from tcpdump with note 'notify' in it. I can see the notify
packet as soon as BIND prints 'sending notifies' message to the journal.

I hope this helps.

Petr^2 Spacek


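As an added example (my own code, not from the thread, FreeIPA or bind-dyndb-ldap), here is the check Petr suggests and the root cause Nathan found, in stdlib Python: list the NS RRset members the master would NOTIFY, flag any NS name without an address (which BIND skips silently), and send each remaining address a plain SOA query on udp/53 so a host that is not actually a DNS server stands out. The NS/A data is constructed in the shape of the thread's listing, and the rule that the master notifies every NS except itself is an assumption about BIND's default target list, not something the thread states.

```python
# Added example, not code from the thread or from FreeIPA/bind-dyndb-ldap.
import random
import socket
import struct

# Constructed data in the shape of the thread's listing: dns1's address is
# the one in the thread; dc1/dc2 addresses and the dns2 NS are made up.
NS_NAMES = ["dc1.mydomain.net", "dc2.mydomain.net",
            "dns1.mydomain.net", "dns2.mydomain.net"]
A_RECORDS = {"dc1": "10.21.0.11", "dc2": "10.21.0.12", "dns1": "10.21.0.14"}

def notify_targets(zone, ns_names, a_records, master_name):
    """Every NS except the master gets a NOTIFY (assumed BIND default); an NS
    with no address is dropped silently by BIND, so it is reported separately."""
    targets, skipped = {}, []
    suffix = "." + zone.rstrip(".").lower()
    for name in ns_names:
        name = name.rstrip(".").lower()
        if name == master_name.rstrip(".").lower():
            continue
        owner = name[:-len(suffix)] if name.endswith(suffix) else name
        ip = a_records.get(owner) or a_records.get(name)
        if ip is None:
            skipped.append(name)
        else:
            targets[name] = ip
    return targets, skipped

def build_soa_query(zone, qid):
    """Wire-format DNS query (RD set) for '<zone> IN SOA'."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in zone.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # SOA, IN

def parse_response_header(data, qid):
    """Return (rcode, answer_count); reject packets that are not our reply."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def probe_soa(ip, zone, timeout=2.0):
    """'ok' only if ip answers an SOA query on udp/53; a non-DNS host
    (the thread's wrong-IP case) shows up here as 'no answer'."""
    qid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_soa_query(zone, qid), (ip, 53))
        data, _ = sock.recvfrom(512)
    except OSError:  # timeout or ICMP port unreachable
        return "no answer on udp/53"
    finally:
        sock.close()
    rcode, answers = parse_response_header(data, qid)
    return "ok" if rcode == 0 and answers else "rcode=%d answers=%d" % (rcode, answers)

def check_zone(zone, master_name, ns_names, a_records, probe=probe_soa):
    """Lint the NS RRset, then probe every NOTIFY target; returns {ns: status}."""
    targets, skipped = notify_targets(zone, ns_names, a_records, master_name)
    report = {name: "no A record; BIND skips it silently" for name in skipped}
    for name, ip in targets.items():
        report[name] = "%s: %s" % (ip, probe(ip, zone))
    return report
```

Run `check_zone("mydomain.net", "dc1.mydomain.net", NS_NAMES, A_RECORDS)` on the master; the live probe needs network reachability to each NS address.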


Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-05 Thread Andrey Ptashnik
I did notice the same behavior.

This is my setup:

[root@ipa-idm]# yum list installed ipa-*
Installed Packages
ipa-admintools.x86_64   4.1.0-18.el7_1.3      @rhui-REGION-rhel-server-releases
ipa-client.x86_64       4.1.0-18.el7_1.3      @rhui-REGION-rhel-server-releases
ipa-python.x86_64       4.1.0-18.el7_1.3      @rhui-REGION-rhel-server-releases
ipa-server.x86_64       4.1.0-18.el7_1.3      @rhui-REGION-rhel-server-releases

[root@ipa-idm]# yum list installed bind*
Installed Packages
bind.x86_64             32:9.9.4-18.el7_1.1   @rhui-REGION-rhel-server-releases
bind-dyndb-ldap.x86_64  6.0-2.el7             @rhui-REGION-rhel-server-releases
bind-libs.x86_64        32:9.9.4-18.el7_1.1   @rhui-REGION-rhel-server-releases
bind-libs-lite.x86_64   32:9.9.4-18.el7_1.1   @rhui-REGION-rhel-server-releases
bind-license.noarch     32:9.9.4-18.el7_1.1   @rhui-REGION-rhel-server-releases
bind-utils.x86_64       32:9.9.4-18.el7_1.1   @rhui-REGION-rhel-server-releases

In my setup slaves are various DNS servers including Win2k3, Win2k8 and 
Bind that I don’t have access to, but according to IPA server logs they 
don’t receive “NOTIFY” messages OR IPA server does not send them to slaves.


Regards,

Andrey





On 5/4/15, 10:24 PM, "nat...@nathanpeters.com" wrote:

>freeipa-admintools.x86_64        4.1.4-1.el7.centos              @mkosek-freeipa
>freeipa-client.x86_64            4.1.4-1.el7.centos              @mkosek-freeipa
>freeipa-python.x86_64            4.1.4-1.el7.centos              @mkosek-freeipa
>freeipa-server.x86_64            4.1.4-1.el7.centos              @mkosek-freeipa
>freeipa-server-trust-ad.x86_64   4.1.4-1.el7.centos              @mkosek-freeipa
>
>bind.x86_64                      32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>bind-dyndb-ldap.x86_64           6.1-1.el7.centos                @mkosek-freeipa
>bind-libs.x86_64                 32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>bind-libs-lite.x86_64            32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>bind-license.noarch              32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>bind-pkcs11.x86_64               32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>bind-pkcs11-libs.x86_64          32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>bind-pkcs11-utils.x86_64         32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
>
>And for reference here are the relevant A and NS records from my domain
>
>@ NS dc1.mydomain.net.
>@ NS dc2.mydomain.net.
>@ NS dns1.mydomain.net.
>dns1 A 10.21.0.14

Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-04 Thread nathan
freeipa-admintools.x86_64        4.1.4-1.el7.centos              @mkosek-freeipa
freeipa-client.x86_64            4.1.4-1.el7.centos              @mkosek-freeipa
freeipa-python.x86_64            4.1.4-1.el7.centos              @mkosek-freeipa
freeipa-server.x86_64            4.1.4-1.el7.centos              @mkosek-freeipa
freeipa-server-trust-ad.x86_64   4.1.4-1.el7.centos              @mkosek-freeipa

bind.x86_64                      32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
bind-dyndb-ldap.x86_64           6.1-1.el7.centos                @mkosek-freeipa
bind-libs.x86_64                 32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
bind-libs-lite.x86_64            32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
bind-license.noarch              32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
bind-pkcs11.x86_64               32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
bind-pkcs11-libs.x86_64          32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa
bind-pkcs11-utils.x86_64         32:9.9.4-20.el7.centos.pkcs11   @mkosek-freeipa

And for reference here are the relevant A and NS records from my domain

@ NS dc1.mydomain.net.
@ NS dc2.mydomain.net.
@ NS dns1.mydomain.net.
dns1 A 10.21.0.14

> Hello!
>
> On 2.5.2015 17:12, Nathan Peters wrote:
>> The last 3 sentences of my original post refer to me adding the NS
>> records for
>> the slave.  Is that what you mean?
>>
>> "I have also ensured that the slave hostname and IP are in FreeIPA DNS.
>> I
>> have also added an NS entry pointing to the slave."
>
> Which version of FreeIPA and bind-dyndb-ldap are you using?
>
> I will look into it.
>
> Petr^2 Spacek
>


Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-04 Thread Petr Spacek
Hello!

On 2.5.2015 17:12, Nathan Peters wrote:
> The last 3 sentences of my original post refer to me adding the NS records for
> the slave.  Is that what you mean?
> 
> "I have also ensured that the slave hostname and IP are in FreeIPA DNS.  I
> have also added an NS entry pointing to the slave."

Which version of FreeIPA and bind-dyndb-ldap are you using?

I will look into it.

Petr^2 Spacek




Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-02 Thread Nathan Peters
The last 3 sentences of my original post refer to me adding the NS records 
for the slave.  Is that what you mean?


"I have also ensured that the slave hostname and IP are in FreeIPA DNS.  I 
have also added an NS entry pointing to the slave."


-Original Message- 
From: Baird, Josh

Sent: Saturday, May 02, 2015 7:33 AM
To: 'nat...@nathanpeters.com' ; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent 
to slaves


Is the PowerDNS slave in the NS RRSet for the IPA domain?  Unfortunately, 
bind-dyndb-ldap does not support 'also-notify' which would allow us to send 
notifies each time a zone update occurs to slave servers that are not in the 
RRSet [1].  To compensate for this in my environment, I had to lower the 
'refresh' timer on the IPA zone.


[1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152



Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-02 Thread Baird, Josh
Is the PowerDNS slave in the NS RRSet for the IPA domain?  Unfortunately, 
bind-dyndb-ldap does not support 'also-notify' which would allow us to send 
notifies each time a zone update occurs to slave servers that are not in the 
RRSet [1].  To compensate for this in my environment, I had to lower the 
'refresh' timer on the IPA zone.

[1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152



[Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-01 Thread nathan
I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.

I also have another host running PowerDNS serving as a slave.
The FreeIPA servers are set up to allow transfers to the slave by IP.  When
adding the zone, the slave transferred it properly.

However, when I update the zone in FreeIPA, although the serial number
changes, in the /var/log/messages I only see an attempt to transfer to the
second IPA server, and not the slave.  This is the only log entry:

May  2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
May  2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'

I have restarted all services using ipactl restart several times.  I have
also ensured that the slave hostname and IP are in FreeIPA DNS.  I have
also added an NS entry pointing to the slave.

According to the FreeIPA manual, once that NS entry is added, any zone
updates should trigger a notify, but still the only notifications go out
to FreeIPA servers and nothing else.

Any idea how to fix this so FreeIPA notifies non-IPA servers?  I'm pretty
sure I've followed all the instructions to the letter on this one...

