Re: [Freeipa-users] dynamic dns working for forward zone but not reverse zone
On Mon, 2016-05-30 at 13:43 +0200, Petr Spacek wrote:
> Can you query the SOA record from the reverse zone, please?
>
> $ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA

Ahhh. That's the problem. The subnet is 10.8.0.0/24 so the query should be for 0.8.10.in-addr.arpa.

Sometimes it just takes a fresh set of eyes to stop seeing what we want to see and see what's really there. Thanks for being those eyes for me.

Cheers,
b.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
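The slip Brian found (the ZONE section naming 0.10.8.in-addr.arpa. while the subnet is 10.8.0.0/24) can be caught before the update is sent. The preflight check below is an added example, not code from the thread or from FreeIPA; it assumes an octet-aligned IPv4 subnet and uses only Python's standard ipaddress module. It goes slightly beyond the thread by also flagging a PTR owner name whose reversed octets fall outside the subnet.

```python
import ipaddress


def reverse_zone_for(network: str) -> str:
    """Reverse zone name for an IPv4 /8, /16 or /24 network.
    Octets are reversed, so 10.8.0.0/24 -> '0.8.10.in-addr.arpa.'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def address_from_ptr(owner: str) -> ipaddress.IPv4Address:
    """Map a PTR owner name back to the address it names
    ('2.0.8.10.in-addr.arpa.' -> 10.8.0.2)."""
    name = owner.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        raise ValueError("not an IPv4 reverse name")
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4:
        raise ValueError("expected four octets in the PTR owner name")
    return ipaddress.IPv4Address(".".join(reversed(labels)))


def check_ptr_update(zone: str, owner: str, network: str) -> list:
    """Return the reasons an nsupdate PTR change looks wrong; empty list if it is consistent.
    zone    - the name nsupdate will put in the ZONE section
    owner   - the PTR owner name in the UPDATE section
    network - the subnet the reverse zone is meant to cover (assumed known by the operator)"""
    problems = []
    expected = reverse_zone_for(network)
    if zone.lower() != expected.lower():
        problems.append(f"ZONE {zone} is not the reverse zone of {network}; expected {expected}")
    if not owner.lower().endswith("." + zone.lower()):
        problems.append(f"owner {owner} is not below ZONE {zone}")
    addr = address_from_ptr(owner)
    if addr not in ipaddress.ip_network(network):
        problems.append(f"owner {owner} names {addr}, which is outside {network}")
    return problems


if __name__ == "__main__":
    # The failing reverse update from the thread, followed by its corrected form.
    for zone, owner in [("0.10.8.in-addr.arpa.", "2.0.10.8.in-addr.arpa."),
                        ("0.8.10.in-addr.arpa.", "2.0.8.10.in-addr.arpa.")]:
        print(zone, check_ptr_update(zone, owner, "10.8.0.0/24") or "OK")
```

A server that is not authoritative for the ZONE name answers NOTAUTH and logs nothing, exactly what the thread shows, so running this check first saves a round trip.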
Re: [Freeipa-users] dynamic dns working for forward zone but not reverse zone
On 27.5.2016 15:27, Brian J. Murrell wrote:
> I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates
> working for a forward zone but they are failing (NOTAUTH) for a reverse
> zone. Here is the configuration of the two zones:
>
> dn: idnsname=example.com.,cn=dns,dc=example,dc=com
> Zone name: example.com.
> Active zone: TRUE
> Authoritative nameserver: server.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 1464354354
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
> krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP; grant
> linux_home_nsupdate wildcard * ANY;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: 10.75.22.1;
> mxrecord: 200 linux
> nsrecord: server.example.com.
> objectclass: idnszone, top, idnsrecord
> txtrecord: "v=spf1 a:server.klug.on.ca"
>
>
> dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> Zone name: 0.8.10.in-addr.arpa.
> Active zone: TRUE
> Authoritative nameserver: server.example.com.
> Administrator e-mail address: hostmaster
> SOA serial: 1464354356
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa.
> PTR; grant linux_home_nsupdate wildcard * ANY;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: server.example.com.
> objectclass: idnszone, top, idnsrecord
>
> Here are example updates to the two zones:
>
> # nsupdate -y linux_home_nsupdate: -d /tmp/fwdupdate
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com.                   IN      SOA
>
> ;; UPDATE SECTION:
> chost.example.com.      0       ANY     A
> chost.example.com.      60      IN      A       10.8.0.2
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com.                   IN      SOA
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0
>
>
> # nsupdate -y linux_home_nsupdate: -d /tmp/revupdate
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 26720
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa.           IN      SOA
>
> ;; UPDATE SECTION:
> 2.0.10.8.in-addr.arpa.  0       ANY     PTR
> 2.0.10.8.in-addr.arpa.  60      IN      PTR     chost.example.com.
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 26720
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa.           IN      SOA
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0
>
> When the first update is done the following is logged by named-pkcs11:
>
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone
> 'example.com/IN': deleting rrset at 'chost.example.com' A
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone
> 'example.com/IN': adding an RR at 'chost.example.com' A
>
> Nothing is logged for the second update attempt.
>
> Any ideas why one is working and the other is not?

This is really weird.

Can you query the SOA record from the reverse zone, please?

$ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA

--
Petr^2 Spacek
[Freeipa-users] dynamic dns working for forward zone but not reverse zone
I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates
working for a forward zone but they are failing (NOTAUTH) for a reverse
zone. Here is the configuration of the two zones:

dn: idnsname=example.com.,cn=dns,dc=example,dc=com
Zone name: example.com.
Active zone: TRUE
Authoritative nameserver: server.example.com.
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1464354354
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP; grant
linux_home_nsupdate wildcard * ANY;
Dynamic update: TRUE
Allow query: any;
Allow transfer: 10.75.22.1;
mxrecord: 200 linux
nsrecord: server.example.com.
objectclass: idnszone, top, idnsrecord
txtrecord: "v=spf1 a:server.klug.on.ca"


dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Zone name: 0.8.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: server.example.com.
Administrator e-mail address: hostmaster
SOA serial: 1464354356
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa.
PTR; grant linux_home_nsupdate wildcard * ANY;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
nsrecord: server.example.com.
objectclass: idnszone, top, idnsrecord

Here are example updates to the two zones:

# nsupdate -y linux_home_nsupdate: -d /tmp/fwdupdate
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; UPDATE SECTION:
chost.example.com.      0       ANY     A
chost.example.com.      60      IN      A       10.8.0.2

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0


# nsupdate -y linux_home_nsupdate: -d /tmp/revupdate
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 26720
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; UPDATE SECTION:
2.0.10.8.in-addr.arpa.  0       ANY     PTR
2.0.10.8.in-addr.arpa.  60      IN      PTR     chost.example.com.

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 26720
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0

When the first update is done the following is logged by named-pkcs11:

client 10.75.22.253#51414/key linux_home_nsupdate: updating zone
'example.com/IN': deleting rrset at 'chost.example.com' A
client 10.75.22.253#51414/key linux_home_nsupdate: updating zone
'example.com/IN': adding an RR at 'chost.example.com' A

Nothing is logged for the second update attempt.

Any ideas why one is working and the other is not?

Cheers,
b.