Re: [Freeipa-users] FreeIPA bind also-notify behavior.
On 4.11.2014 16:57, Matthew Sellers wrote:
Hi Guys,
Thanks for the previous replies. I hate to dig up and old thread, but im
still banging my head on this. I am trying to configure IPA to send notify
to slaves servers on manual updates from the web or CLI tools.
Dynamic DNS updates from an IPA client issuing an nsupdate works great, I
get an immediate zone transfer to zone NS slaves ( bind 9.x slaves).
Performing an update via IPA CLI ( for non-dynamic static record) tools
triggers nothing. The test documents and Petr's previous statements hold
true for the nsupdate case, is this also true for CLI driven updates as
well?
I have tested this on 3.3.5 (Fedora 20) and 4.1 (COPR) release.
Congratulations! You have found a regression in bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/144
I have sent patch to the devel list and it is waiting for review at the
moment. It should be fixed in nearest release of bind-dyndb-ldap.
Thank you very much for catching this!
Petr^2 Spacek
On Wed, Sep 3, 2014 at 2:25 AM, Petr Spacek pspa...@redhat.com wrote:
On 1.9.2014 12:16, Dmitri Pal wrote:
On 09/01/2014 12:05 PM, Martin Kosek wrote:
On 09/01/2014 07:50 AM, Dmitri Pal wrote:
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure
FreeIPA to
send notifies to non-IPA slaves, but it seems broken on IPA ( notify
packets
are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my
FreeIPA
test host in the options section and watched for notify traffic with
tcpdump.
This document suggests that this is supported, and this is something I
have
used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is
anyone
using this bind feature on IPA with any success?
Thanks!
Matt
The DNS level change propagation is not supported between IPA
replicas instead
it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do
it. See
http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for
more
information.
I thought that from F20, bind-dyndb-ldap was capable of native DNS
operations
like AXFR/IXFR which can be used to actually deploy slave DNS servers. I
wonder
if also-notify is something different. CCing Petr Spacek to advise.
AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves -
no.
Let me summarize:
- AXFR is supported (at least) by all versions RHEL 6.5 and newer versions
- IXFR is supported by bind-dyndb-ldap 4.0 and newer (Fedora 20+)
- DNS NOTIFY messages are always sent to servers listed in NS records
I.e. you have to add your non-IPA slave servers to NS records in
particular zone and then it should 'just work', no other configuration
(like 'also-notify') is necessary.
Please let me know if it doesn't work for you.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA bind also-notify behavior.
Hi Guys,
Thanks for the previous replies. I hate to dig up and old thread, but im
still banging my head on this. I am trying to configure IPA to send notify
to slaves servers on manual updates from the web or CLI tools.
Dynamic DNS updates from an IPA client issuing an nsupdate works great, I
get an immediate zone transfer to zone NS slaves ( bind 9.x slaves).
Performing an update via IPA CLI ( for non-dynamic static record) tools
triggers nothing. The test documents and Petr's previous statements hold
true for the nsupdate case, is this also true for CLI driven updates as
well?
I have tested this on 3.3.5 (Fedora 20) and 4.1 (COPR) release.
Thanks Guys!
On Wed, Sep 3, 2014 at 2:25 AM, Petr Spacek pspa...@redhat.com wrote:
On 1.9.2014 12:16, Dmitri Pal wrote:
On 09/01/2014 12:05 PM, Martin Kosek wrote:
On 09/01/2014 07:50 AM, Dmitri Pal wrote:
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure
FreeIPA to
send notifies to non-IPA slaves, but it seems broken on IPA ( notify
packets
are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my
FreeIPA
test host in the options section and watched for notify traffic with
tcpdump.
This document suggests that this is supported, and this is something I
have
used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is
anyone
using this bind feature on IPA with any success?
Thanks!
Matt
The DNS level change propagation is not supported between IPA
replicas instead
it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do
it. See
http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for
more
information.
I thought that from F20, bind-dyndb-ldap was capable of native DNS
operations
like AXFR/IXFR which can be used to actually deploy slave DNS servers. I
wonder
if also-notify is something different. CCing Petr Spacek to advise.
AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves -
no.
Let me summarize:
- AXFR is supported (at least) by all versions RHEL 6.5 and newer versions
- IXFR is supported by bind-dyndb-ldap 4.0 and newer (Fedora 20+)
- DNS NOTIFY messages are always sent to servers listed in NS records
I.e. you have to add your non-IPA slave servers to NS records in
particular zone and then it should 'just work', no other configuration
(like 'also-notify') is necessary.
Please let me know if it doesn't work for you.
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA bind also-notify behavior.
On 1.9.2014 12:16, Dmitri Pal wrote:
On 09/01/2014 12:05 PM, Martin Kosek wrote:
On 09/01/2014 07:50 AM, Dmitri Pal wrote:
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA to
send notifies to non-IPA slaves, but it seems broken on IPA ( notify packets
are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my FreeIPA
test host in the options section and watched for notify traffic with tcpdump.
This document suggests that this is supported, and this is something I have
used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is anyone
using this bind feature on IPA with any success?
Thanks!
Matt
The DNS level change propagation is not supported between IPA replicas instead
it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do it. See
http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for more
information.
I thought that from F20, bind-dyndb-ldap was capable of native DNS operations
like AXFR/IXFR which can be used to actually deploy slave DNS servers. I wonder
if also-notify is something different. CCing Petr Spacek to advise.
AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves - no.
Let me summarize:
- AXFR is supported (at least) by all versions RHEL 6.5 and newer versions
- IXFR is supported by bind-dyndb-ldap 4.0 and newer (Fedora 20+)
- DNS NOTIFY messages are always sent to servers listed in NS records
I.e. you have to add your non-IPA slave servers to NS records in particular
zone and then it should 'just work', no other configuration (like
'also-notify') is necessary.
Please let me know if it doesn't work for you.
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA bind also-notify behavior.
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure
FreeIPA to send notifies to non-IPA slaves, but it seems broken on IPA
( notify packets are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my
FreeIPA test host in the options section and watched for notify
traffic with tcpdump.
This document suggests that this is supported, and this is something I
have used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is
anyone using this bind feature on IPA with any success?
Thanks!
Matt
The DNS level change propagation is not supported between IPA replicas
instead it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do it.
See http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation
for more information.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA bind also-notify behavior.
On 09/01/2014 07:50 AM, Dmitri Pal wrote:
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA to
send notifies to non-IPA slaves, but it seems broken on IPA ( notify packets
are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my FreeIPA
test host in the options section and watched for notify traffic with tcpdump.
This document suggests that this is supported, and this is something I have
used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is anyone
using this bind feature on IPA with any success?
Thanks!
Matt
The DNS level change propagation is not supported between IPA replicas instead
it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do it. See
http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for more
information.
I thought that from F20, bind-dyndb-ldap was capable of native DNS operations
like AXFR/IXFR which can be used to actually deploy slave DNS servers. I wonder
if also-notify is something different. CCing Petr Spacek to advise.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA bind also-notify behavior.
On 09/01/2014 12:05 PM, Martin Kosek wrote:
On 09/01/2014 07:50 AM, Dmitri Pal wrote:
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA to
send notifies to non-IPA slaves, but it seems broken on IPA ( notify packets
are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my FreeIPA
test host in the options section and watched for notify traffic with tcpdump.
This document suggests that this is supported, and this is something I have
used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is anyone
using this bind feature on IPA with any success?
Thanks!
Matt
The DNS level change propagation is not supported between IPA replicas instead
it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do it. See
http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for more
information.
I thought that from F20, bind-dyndb-ldap was capable of native DNS operations
like AXFR/IXFR which can be used to actually deploy slave DNS servers. I wonder
if also-notify is something different. CCing Petr Spacek to advise.
AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves - no.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA bind also-notify behavior.
Hi Everyone!
I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA
to send notifies to non-IPA slaves, but it seems broken on IPA ( notify
packets are never sent to to slaves ).
I have configured also-notify { nameserverip; }; in named.conf on my
FreeIPA test host in the options section and watched for notify traffic
with tcpdump.
This document suggests that this is supported, and this is something I have
used in non-IPA bind servers with no issues.
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer
I wanted to ask the list before I file a bug with more details. Is anyone
using this bind feature on IPA with any success?
Thanks!
Matt
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
