Re: [Freeipa-users] DNS Replication Validation

2015-09-25 Thread Petr Spacek
On 24.9.2015 17:29, Rich Megginson wrote:
> On 09/24/2015 09:24 AM, Aric Wilisch wrote:
>> Is there a way of exporting the DNS information out of Freeipa? Then I could
>> just do a diff on the export from master and replica.
> 
> That's what Martin was suggesting you use dnspython to do.

You can use ldns utils to do that, too.

First of all, allow zone transfers from both servers and save them to a file:

$ dig @server_1 zone.example AXFR > srv1.db
$ dig @server_2 zone.example AXFR > srv2.db
$ ldns-compare-zones -a -s srv1.db srv2.db

In unsigned zones only the SOA serial and SOA mname should be different. If the
zone is DNSSEC-signed then there will be a lot of different RRSIG records and
so on; you might experiment with ldns-read-zone -0 or -s to clear those
differences.

Also, do not forget to allow zone transfers for the IP address of the client
running dig:
$ ipa dnszone-mod zone.example --allow-transfer='<IP of the dig client>;'

I hope this helps.

Petr^2 Spacek

>>> On Sep 24, 2015, at 11:13 AM, Martin Basti wrote:
>>>
>>> On 09/24/2015 05:02 PM, Rich Megginson wrote:
>>>> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>>>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>>>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>>>>> I need a way to validate that both the primary and the redundant
>>>>>>> FreeIPA server’s DNS zones are in sync. What’s the simplest way for me
>>>>>>> to do this?
>>>>>> Do a DNS query to confirm that the SOA record for the primary is
>>>>>> identical to the SOA for the secondary.
>>>>> SOA serials are not replicated.
>>>> So with IPA you can have a master DNS and a replica DNS that have
>>>> different SOA?
>>> Just SOA serial, other records are replicated.
>>>
>>>> Then the records are replicated using the standard IPA dirsrv replication
>>>> protocol?
>>>>
>>>> In that case, doesn't ipa-replica-manage have a way to ask if the replicas
>>>> are in sync?
>>> I don't think that ipa-replica-manage is capable of detecting if replicas are
>>> in sync.
>>> AFAIK this feature is planned for future IPA versions.
>>> Inspecting DS error log may help to find replication issues if any.
>>>
>>> Martin
>>>
>>>>> You can get all records via AXFR, and compare them per zone.
>>>>>
>>>>> Maybe you can use python-dns to do the comparison
>>>>>
>>>>> http://www.dnspython.org/examples.html
>>>> That seems pretty heavyweight if there are a lot of records.
>>>>
>>>>> HTH
>>>>> Martin
>>>>>>> My boss won’t let me continue with an upgrade until he’s sure the
>>>>>>> primary and redundant servers have the same DNS records and are in
>>>>>>> sync. I’ve tried finding documentation on this but keep coming up blank.
>>>>>>>
>>>>>>> Thanks in advance.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
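The comparison Petr describes above (mask the SOA serial and mname, drop RRSIGs, diff what is left) and the dnspython approach Martin suggested earlier in the thread can both be done with a few lines of Python once the two AXFR dumps are on disk. The script below is an added example and is not code from the thread, from FreeIPA, ldns or dnspython; it reads the files produced by the `dig ... AXFR > srvN.db` commands (a zone fetched with dnspython's `dns.query.xfr` would serve equally well), so it runs offline. The function names `parse_dig_axfr` and `compare_dumps` and the two zone dumps are constructed for the example; `zone.example`, `server_1` and `server_2` are the names used in Petr's commands.

```python
"""Diff two FreeIPA DNS servers from saved `dig @server ZONE AXFR` output.

Constructed example: it does in Python what ldns-compare-zones does after
ldns-read-zone -s, i.e. RRSIGs are dropped and the SOA serial and MNAME are
masked so that only genuine content differences remain.
"""

# Record types that legitimately differ between replicas of a DNSSEC-signed
# zone because each server signs on its own. Pass () to compare them too.
DEFAULT_IGNORED_TYPES = ("RRSIG",)


def normalize_soa(rdata):
    """Mask the two SOA fields that are not replicated between IPA servers.

    SOA rdata layout: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    """
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("malformed SOA rdata: %r" % rdata)
    fields[0] = "<mname>"   # each server answers with its own name
    fields[2] = "<serial>"  # serial is maintained locally per server
    return " ".join(fields)


def parse_dig_axfr(text, ignore_types=DEFAULT_IGNORED_TYPES):
    """Parse dig's AXFR presentation output into a set of record tuples.

    Each tuple is (owner, ttl, class, type, rdata). A set is used because dig
    prints the SOA twice, at the start and at the end of the transfer.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # dig comments, statistics, or "; Transfer failed."
        parts = line.split(None, 4)
        if len(parts) != 5:
            raise ValueError("unexpected line in dig output: %r" % line)
        owner, ttl, rclass, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype in ignore_types:
            continue
        rdata = " ".join(rdata.split())  # collapse dig's tab/space padding
        if rtype == "SOA":
            rdata = normalize_soa(rdata)
        records.add((owner.lower(), int(ttl), rclass.upper(), rtype, rdata))
    if not records:
        # A refused transfer produces only ";" lines; an empty set would
        # compare equal to another empty set and hide the failure as "in sync".
        raise ValueError("no records parsed; is the zone transfer allowed?")
    return records


def compare_dumps(first, second, ignore_types=DEFAULT_IGNORED_TYPES):
    """Return the records present on only one side plus an in_sync verdict."""
    a = parse_dig_axfr(first, ignore_types)
    b = parse_dig_axfr(second, ignore_types)
    return {"only_in_first": a - b, "only_in_second": b - a, "in_sync": a == b}


# Constructed stand-ins for srv1.db and srv2.db (spaces instead of dig's tabs;
# the parser treats both alike). They differ in SOA serial and MNAME, in the
# RRSIG, and in one stale A record for www on server_2.
SRV1_DUMP = """\
; <<>> DiG <<>> @server_1 zone.example AXFR
;; global options: +cmd
zone.example.           3600  IN  SOA    server_1.zone.example. hostmaster.zone.example. 1443174000 3600 900 1209600 3600
zone.example.           3600  IN  NS     server_1.zone.example.
zone.example.           3600  IN  NS     server_2.zone.example.
zone.example.           3600  IN  RRSIG  NS 8 2 3600 20151025000000 20150925000000 12345 zone.example. c2lnMQ==
server_1.zone.example.  3600  IN  A      192.0.2.1
server_2.zone.example.  3600  IN  A      192.0.2.2
www.zone.example.       300   IN  A      192.0.2.10
zone.example.           3600  IN  SOA    server_1.zone.example. hostmaster.zone.example. 1443174000 3600 900 1209600 3600
;; Query time: 1 msec
"""

SRV2_DUMP = """\
; <<>> DiG <<>> @server_2 zone.example AXFR
;; global options: +cmd
zone.example.           3600  IN  SOA    server_2.zone.example. hostmaster.zone.example. 1443170000 3600 900 1209600 3600
zone.example.           3600  IN  NS     server_1.zone.example.
zone.example.           3600  IN  NS     server_2.zone.example.
zone.example.           3600  IN  RRSIG  NS 8 2 3600 20151025000000 20150925000000 12345 zone.example. c2lnMg==
server_1.zone.example.  3600  IN  A      192.0.2.1
server_2.zone.example.  3600  IN  A      192.0.2.2
www.zone.example.       300   IN  A      192.0.2.11
zone.example.           3600  IN  SOA    server_2.zone.example. hostmaster.zone.example. 1443170000 3600 900 1209600 3600
;; Query time: 1 msec
"""

if __name__ == "__main__":
    result = compare_dumps(SRV1_DUMP, SRV2_DUMP)
    for rec in sorted(result["only_in_first"]):
        print("only on server_1:", *rec)
    for rec in sorted(result["only_in_second"]):
        print("only on server_2:", *rec)
    print("in sync:", result["in_sync"])
```

Run against the real files with `compare_dumps(open("srv1.db").read(), open("srv2.db").read())`. Two design points matter for an operator signing off on a replica: the SOA is masked rather than skipped, so a changed RNAME or timer value still shows up as a difference, and an empty dump raises instead of comparing equal, because a transfer refused by `--allow-transfer` would otherwise look like two identical zones.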

Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Rich Megginson

On 09/24/2015 08:32 AM, Aric Wilisch wrote:
> I need a way to validate that both the primary and the redundant FreeIPA
> server’s DNS zones are in sync. What’s the simplest way for me to do this?

Do a DNS query to confirm that the SOA record for the primary is
identical to the SOA for the secondary.

> My boss won’t let me continue with an upgrade until he’s sure the primary and
> redundant servers have the same DNS records and are in sync. I’ve tried finding
> documentation on this but keep coming up blank.
>
> Thanks in advance.



Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Martin Basti



On 09/24/2015 04:43 PM, Rich Megginson wrote:
> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>> I need a way to validate that both the primary and the redundant
>> FreeIPA server’s DNS zones are in sync. What’s the simplest way for
>> me to do this?
>
> Do a DNS query to confirm that the SOA record for the primary is
> identical to the SOA for the secondary.

SOA serials are not replicated.

You can get all records via AXFR, and compare them per zone.

Maybe you can use python-dns to do the comparison

http://www.dnspython.org/examples.html

HTH
Martin

>> My boss won’t let me continue with an upgrade until he’s sure the
>> primary and redundant servers have the same DNS records and are in
>> sync. I’ve tried finding documentation on this but keep coming up blank.
>>
>> Thanks in advance.



Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Rich Megginson

On 09/24/2015 08:53 AM, Martin Basti wrote:
> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>> I need a way to validate that both the primary and the redundant
>>> FreeIPA server’s DNS zones are in sync. What’s the simplest way for
>>> me to do this?
>>
>> Do a DNS query to confirm that the SOA record for the primary is
>> identical to the SOA for the secondary.
>
> SOA serials are not replicated.

So with IPA you can have a master DNS and a replica DNS that have
different SOA?

Then the records are replicated using the standard IPA dirsrv
replication protocol?

In that case, doesn't ipa-replica-manage have a way to ask if the
replicas are in sync?

> You can get all records via AXFR, and compare them per zone.
>
> Maybe you can use python-dns to do the comparison
>
> http://www.dnspython.org/examples.html

That seems pretty heavyweight if there are a lot of records.

> HTH
> Martin
>
>>> My boss won’t let me continue with an upgrade until he’s sure the
>>> primary and redundant servers have the same DNS records and are in
>>> sync. I’ve tried finding documentation on this but keep coming up
>>> blank.
>>>
>>> Thanks in advance.



Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Rich Megginson

On 09/24/2015 09:24 AM, Aric Wilisch wrote:
> Is there a way of exporting the DNS information out of Freeipa? Then I could
> just do a diff on the export from master and replica.

That's what Martin was suggesting you use dnspython to do.

>> On Sep 24, 2015, at 11:13 AM, Martin Basti wrote:
>>
>> On 09/24/2015 05:02 PM, Rich Megginson wrote:
>>> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>>>> I need a way to validate that both the primary and the redundant FreeIPA
>>>>>> server’s DNS zones are in sync. What’s the simplest way for me to do this?
>>>>>
>>>>> Do a DNS query to confirm that the SOA record for the primary is identical to
>>>>> the SOA for the secondary.
>>>>
>>>> SOA serials are not replicated.
>>>
>>> So with IPA you can have a master DNS and a replica DNS that have different SOA?
>> Just SOA serial, other records are replicated.
>>
>>> Then the records are replicated using the standard IPA dirsrv replication
>>> protocol?
>>>
>>> In that case, doesn't ipa-replica-manage have a way to ask if the replicas are
>>> in sync?
>> I don't think that ipa-replica-manage is capable of detecting if replicas are in
>> sync.
>> AFAIK this feature is planned for future IPA versions.
>> Inspecting DS error log may help to find replication issues if any.
>>
>> Martin
>>
>>>> You can get all records via AXFR, and compare them per zone.
>>>>
>>>> Maybe you can use python-dns to do the comparison
>>>>
>>>> http://www.dnspython.org/examples.html
>>>
>>> That seems pretty heavyweight if there are a lot of records.
>>>
>>>> HTH
>>>> Martin
>>>>>> My boss won’t let me continue with an upgrade until he’s sure the primary and
>>>>>> redundant servers have the same DNS records and are in sync. I’ve tried finding
>>>>>> documentation on this but keep coming up blank.
>>>>>>
>>>>>> Thanks in advance.



Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Martin Basti



On 09/24/2015 05:02 PM, Rich Megginson wrote:
> On 09/24/2015 08:53 AM, Martin Basti wrote:
>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>> I need a way to validate that both the primary and the redundant
>>>> FreeIPA server’s DNS zones are in sync. What’s the simplest way for
>>>> me to do this?
>>>
>>> Do a DNS query to confirm that the SOA record for the primary is
>>> identical to the SOA for the secondary.
>>
>> SOA serials are not replicated.
>
> So with IPA you can have a master DNS and a replica DNS that have
> different SOA?
Just SOA serial, other records are replicated.

> Then the records are replicated using the standard IPA dirsrv
> replication protocol?
>
> In that case, doesn't ipa-replica-manage have a way to ask if the
> replicas are in sync?
I don't think that ipa-replica-manage is capable of detecting if replicas
are in sync.

AFAIK this feature is planned for future IPA versions.
Inspecting DS error log may help to find replication issues if any.

Martin

>> You can get all records via AXFR, and compare them per zone.
>>
>> Maybe you can use python-dns to do the comparison
>>
>> http://www.dnspython.org/examples.html
>
> That seems pretty heavyweight if there are a lot of records.
>
>> HTH
>> Martin
>>>> My boss won’t let me continue with an upgrade until he’s sure the
>>>> primary and redundant servers have the same DNS records and are in
>>>> sync. I’ve tried finding documentation on this but keep coming up
>>>> blank.
>>>>
>>>> Thanks in advance.



Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Aric Wilisch
Is there a way of exporting the DNS information out of Freeipa? Then I could 
just do a diff on the export from master and replica. 

> On Sep 24, 2015, at 11:13 AM, Martin Basti wrote:
>
> On 09/24/2015 05:02 PM, Rich Megginson wrote:
>> On 09/24/2015 08:53 AM, Martin Basti wrote:
>>> On 09/24/2015 04:43 PM, Rich Megginson wrote:
>>>> On 09/24/2015 08:32 AM, Aric Wilisch wrote:
>>>>> I need a way to validate that both the primary and the redundant FreeIPA
>>>>> server’s DNS zones are in sync. What’s the simplest way for me to do this?
>>>>
>>>> Do a DNS query to confirm that the SOA record for the primary is identical
>>>> to the SOA for the secondary.
>>>
>>> SOA serials are not replicated.
>>
>> So with IPA you can have a master DNS and a replica DNS that have different
>> SOA?
> Just SOA serial, other records are replicated.
>
>> Then the records are replicated using the standard IPA dirsrv replication
>> protocol?
>>
>> In that case, doesn't ipa-replica-manage have a way to ask if the replicas
>> are in sync?
> I don't think that ipa-replica-manage is capable of detecting if replicas are in
> sync.
> AFAIK this feature is planned for future IPA versions.
> Inspecting DS error log may help to find replication issues if any.
>
> Martin
>
>>> You can get all records via AXFR, and compare them per zone.
>>>
>>> Maybe you can use python-dns to do the comparison
>>>
>>> http://www.dnspython.org/examples.html
>>
>> That seems pretty heavyweight if there are a lot of records.
>>
>>> HTH
>>> Martin
>>>>
>>>>> My boss won’t let me continue with an upgrade until he’s sure the primary
>>>>> and redundant servers have the same DNS records and are in sync. I’ve
>>>>> tried finding documentation on this but keep coming up blank.
>>>>>
>>>>> Thanks in advance.