Re: [Freeipa-users] DNS Dynamic Update Failing

2016-02-03 Thread Martin Basti



On 03.02.2016 01:47, Joshua Ruybal wrote:

Hi All,

I've run into a frustrating issue regarding DNS Dynamic Updating.

In a nutshell:

If I enroll a new client when the forward policy on a DNS zone is set 
to "disabled", I don't have a problem enrolling the client and updating 
the DNS record.


However, if the policy of the zone is set to "only" or "first", 
nsupdate fails during the client install. The install log says nsupdate: 
Specified Zone 'example.com' does not exist (NXDOMAIN).


I'm seeing this in multiple zones, and all I need to change to fix it 
is the forwarding policy. However, it's problematic as we start the 
rollout, since we will need to rely on external DNS until we have all 
servers enrolled.



Client Install Log Snippet:

  2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
  2016-02-02T22:53:17Z DEBUG stdout=
  2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
  specified zone 'dev.example.net' does not exist (NXDOMAIN)


Zone Configuration:

  [admin@ipa01 ~]$ ipa dnszone-show --all
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
  Zone name: dev.example.net
  Authoritative nameserver: ipa01
  Administrator e-mail address: hostmaster.dev.example.net.
  SOA serial: 1454447236
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8
  Forward policy: only
  nsrecord: ipa01, ipa02
  objectclass: top, idnsrecord, idnszone

Any ideas on how to remedy this? I'd like to avoid updating records by 
hand if it can be avoided.


Thanks!
Josh



Hello,

which version of freeIPA do you use?

If the version is older than 4.1, then specifying a forward policy and 
forwarders causes the zone to work as a forward zone; thus you cannot add 
hosts there, because all queries are forwarded to the specified forwarders 
(8.8.8.8), which do not know the zone dev.example.com.


If the version is 4.1+ then nsupdate should work and it can be a bug. However, 
I'm curious why you need forwarding in a master zone; what is the use case?


More details about forwardzones in IPA: 
http://www.freeipa.org/page/V4/Forward_zones


IMO you need to specify a global forwarder to your external DNS server, 
instead of adding per-zone forwarders.


Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
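An added audit helper (not part of this thread, and not FreeIPA's own code) that parses `ipa dnszone-show --all` style output like the listing above and flags master zones combining dynamic update with per-zone forwarders set to "first" or "only", the combination that on pre-4.1 servers turns the zone into a forward zone. The sample listing is constructed; the key names are assumed to match the CLI output format shown in the thread.

```python
import re

# Constructed sample modelled on the `ipa dnszone-show --all` listing in the
# thread (with --all, "Zone name" is printed twice per zone); not real output.
SAMPLE_OUTPUT = """\
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
  Zone name: dev.example.net
  Dynamic update: TRUE
  Zone forwarders: 8.8.8.8
  Forward policy: only

  Zone name: corp.example.net
  dn: idnsname=corp.example.net,cn=dns,dc=example,dc=com
  Zone name: corp.example.net
  Dynamic update: TRUE
"""

def parse_zones(text):
    """Turn 'Key: value' zone listings into one dict per zone name.
    Repeated 'Zone name' lines for the same zone extend the same dict."""
    zones, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Zone name":
            current = zones.setdefault(value, {"Zone name": value})
        elif current is not None:
            current[key] = value
    return list(zones.values())

def forwarding_conflicts(zones):
    """Names of zones that accept dynamic updates but also carry per-zone
    forwarders with policy 'first' or 'only' (nsupdate gets NXDOMAIN)."""
    flagged = []
    for z in zones:
        dynamic = z.get("Dynamic update", "").upper() == "TRUE"
        has_forwarders = bool(z.get("Zone forwarders"))
        policy = z.get("Forward policy", "").lower()
        if dynamic and has_forwarders and policy in ("first", "only"):
            flagged.append(z["Zone name"])
    return flagged

if __name__ == "__main__":
    for name in forwarding_conflicts(parse_zones(SAMPLE_OUTPUT)):
        print(f"{name}: per-zone forwarders with policy first/only; "
              "move forwarding to the global DNS config instead")
```

Feed it the real output of `ipa dnszone-find --all` before enrolling clients to catch affected zones ahead of the NXDOMAIN failure.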

Re: [Freeipa-users] DNS Dynamic Update Failing

2016-02-03 Thread Joshua Ruybal
Thanks for the reply. It makes a bit more sense now.

I'm running FreeIPA 3.0.0 on CentOS 6.7

I followed your advice and was able to use dynamic update once I removed
the zone forwarder. However I've set the global config to "forward only",
but I'm still getting local resolution when I use dig from a client server.
I'd expect to see the external records instead.

I'm not seeing much in the documentation on how to troubleshoot this.

Also, I realize we're falling into the realm of a different subject and can
start a fresh email chain if needed.

Thanks again,

Josh

On Wed, Feb 3, 2016 at 12:45 AM Martin Basti wrote:

>
>
> On 03.02.2016 01:47, Joshua Ruybal wrote:
>
> Hi All,
>
> I've run into a frustrating issue regarding DNS Dynamic Updating.
>
> In a nutshell:
>
> If I enroll a new client when the forward policy on a dns zone is set to
> "disabled" I don't have a problem enrolling the client and updating the dns
> record.
>
> However, if the policy of the zone is set to "only" or "first", nsupdate
> fails during the client install. The install log says nsupdate: Specified Zone
> 'example.com' does not exist (NXDOMAIN).
>
> I'm seeing this in multiple zones, and all I need to change to fix it is
> to change the forwarding policy. However it's problematic as we start the
> rollout, since we will need to rely on external dns until we have all
> servers enrolled.
>
>
> Client Install Log Snippet:
>
>   2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g
> /etc/ipa/.dns_update.txt
>   2016-02-02T22:53:17Z DEBUG stdout=
>   2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does
> not exist (NXDOMAIN)
>   specified zone 'dev.example.net' does not exist (NXDOMAIN)
>
> Zone Configuration:
>
>   [admin@ipa01 ~]$ ipa dnszone-show --all
>   Zone name: dev.example.net
>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
> Zone name: dev.example.net
> Authoritative nameserver: ipa01
> Administrator e-mail address: hostmaster.dev.example.net.
> SOA serial: 1454447236
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
> krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
> Active zone: TRUE
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> Zone forwarders: 8.8.8.8
> Forward policy: only
> nsrecord: ipa01, ipa02
> objectclass: top, idnsrecord, idnszone
>
> Any ideas on how to remedy this? I'd like to avoid updating records by
> hand if it can be avoided.
>
> Thanks!
> Josh
>
>
> Hello,
>
> which version of freeIPA do you use?
>
> If the version is older than 4.1, then specifying a forward policy and
> forwarders causes the zone to work as a forward zone; thus you cannot add
> hosts there, because all queries are forwarded to the specified forwarders
> (8.8.8.8), which do not know the zone dev.example.com.
>
> If the version is 4.1+ then nsupdate should work and it can be a bug. However,
> I'm curious why you need forwarding in a master zone; what is the use case?
>
> More details about forwardzones in IPA:
> http://www.freeipa.org/page/V4/Forward_zones
>
> IMO you need to specify a global forwarder to your external DNS server, instead
> of adding per-zone forwarders.
>
>
> Martin
>

Re: [Freeipa-users] DNS Dynamic Update Failing

2016-02-03 Thread Petr Spacek
On 3.2.2016 23:18, Joshua Ruybal wrote:
> Thanks for the reply. It makes a bit more sense now.
> 
> I'm running FreeIPA 3.0.0 on CentOS 6.7
> 
> I followed your advice and was able to use dynamic update once I removed
> the zone forwarder. However I've set the global config to "forward only",
> but I'm still getting local resolution when I use dig from a client server.
> I'd expect to see the external records instead.
> 
> I'm not seeing much in the documentation on how to troubleshoot this.
> 
> Also I realize we're falling into the realm of a different subject and can
> start a fresh email chain if needed.

No problem. Please read
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html
which might explain what can and cannot be done with zone forwarders.

Petr^2 Spacek

> 
> Thanks again,
> 
> Josh
> 
> On Wed, Feb 3, 2016 at 12:45 AM Martin Basti wrote:
> 
>>
>>
>> On 03.02.2016 01:47, Joshua Ruybal wrote:
>>
>> Hi All,
>>
>> I've run into a frustrating issue regarding DNS Dynamic Updating.
>>
>> In a nutshell:
>>
>> If I enroll a new client when the forward policy on a dns zone is set to
>> "disabled" I don't have a problem enrolling the client and updating the dns
>> record.
>>
>> However, if the policy of the zone is set to "only" or "first", nsupdate
>> fails during the client install. The install log says nsupdate: Specified Zone
>> 'example.com' does not exist (NXDOMAIN).
>>
>> I'm seeing this in multiple zones, and all I need to change to fix it is
>> to change the forwarding policy. However it's problematic as we start the
>> rollout, since we will need to rely on external dns until we have all
>> servers enrolled.
>>
>>
>> Client Install Log Snippet:
>>
>>   2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g
>> /etc/ipa/.dns_update.txt
>>   2016-02-02T22:53:17Z DEBUG stdout=
>>   2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does
>> not exist (NXDOMAIN)
>>   specified zone 'dev.example.net' does not exist (NXDOMAIN)
>>
>> Zone Configuration:
>>
>>   [admin@ipa01 ~]$ ipa dnszone-show --all
>>   Zone name: dev.example.net
>>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>> Zone name: dev.example.net
>> Authoritative nameserver: ipa01
>> Administrator e-mail address: hostmaster.dev.example.net.
>> SOA serial: 1454447236
>> SOA refresh: 3600
>> SOA retry: 900
>> SOA expire: 1209600
>> SOA minimum: 3600
>> BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
>> krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP;
>> Active zone: TRUE
>> Dynamic update: TRUE
>> Allow query: any;
>> Allow transfer: none;
>> Zone forwarders: 8.8.8.8
>> Forward policy: only
>> nsrecord: ipa01, ipa02
>> objectclass: top, idnsrecord, idnszone
>>
>> Any ideas on how to remedy this? I'd like to avoid updating records by
>> hand if it can be avoided.
>>
>> Thanks!
>> Josh
>>
>>
>> Hello,
>>
>> which version of freeIPA do you use?
>>
>> If the version is older than 4.1, then specifying a forward policy and
>> forwarders causes the zone to work as a forward zone; thus you cannot add
>> hosts there, because all queries are forwarded to the specified forwarders
>> (8.8.8.8), which do not know the zone dev.example.com.
>>
>> If the version is 4.1+ then nsupdate should work and it can be a bug. However,
>> I'm curious why you need forwarding in a master zone; what is the use case?
>>
>> More details about forwardzones in IPA:
>> http://www.freeipa.org/page/V4/Forward_zones
>>
>> IMO you need to specify a global forwarder to your external DNS server, instead
>> of adding per-zone forwarders.
>>
>>
>> Martin
>>
> 
> 
> 


-- 
Petr^2 Spacek
