Re: [Freeipa-users] Errors while adding DNS Zone
@Martin Basti that was it. Thanks so much for the assistance. @Petr Spacek thanks for the reply also. I failed to provide some rather important information that you mentioned. Thanks all for the help.

On Tue, Mar 10, 2015 at 1:35 AM, Petr Spacek <pspa...@redhat.com> wrote:

> Hello!
>
> First of all, what version of FreeIPA do you use? FreeIPA 4.1.what?
>
> On 9.3.2015 19:18, Matt Wells wrote:
>> I'm getting some errors on a DNS Zone that I'm attempting to create.
>> My systems reside within a sub-domain of example.com (xyz.example.com).
>> Of course example.com is the internet address, but I want to host the
>> internal example.com so we're able to point to internal intranets and so on.
>>
>> So to the good stuff. Regardless of what flags I give, what NS records I
>> change, the NS never actually set. I know it's something silly that I'm
>> overlooking but would really love other eyes.
>>
>> I go to create the zone on server2.
>>
>> [root@server2 html]# ipa dnszone-add example.com
>>   Zone name: example.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: server2.xyz.example.com.
>
> One important note: Field 'Authoritative nameserver' shows only the SOA
> MNAME value and is not related at all to NS records in the zone. Use
> $ ipa dnsrecord-show example.com. @
> to see NS records in zone apex.
>
>> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server2.xyz.example.com' has no address records (A or AAAA)
>> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server1.xyz.example.com' has no address records (A or AAAA)
>> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: not loaded due to errors.
>> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: update_zone (syncrepl) failed for 'idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: bad zone
>
> At this point we need to know more information:
>
> a) You have to add glue records for names listed in example.com NS records.
> It is not obvious if you did that or not:
> $ ipa dnsrecord-add example.com server1.xyz --a-rec=192.0.2.1
> $ ipa dnsrecord-add example.com server2.xyz --a-rec=192.0.2.2
>
> b) If xyz.example.com is a sub-zone you have to add NS records/delegation
> for it (even if it is hosted on the same server!):
> $ ipa dnsrecord-add example.com xyz --ns-rec=server1.xyz.example.com.
> $ ipa dnsrecord-add example.com xyz --ns-rec=server2.xyz.example.com.
>
> Do not forget to change names in NS records if the sub-zone is hosted on
> different servers.
>
> I hope this helps.
>
> Have a nice day!
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Matt Wells
Chief Systems Architect
RHCVA, RHCA #110-000-353
(702) 808-0424
matt.we...@mosaic451.com
Las Vegas | Phoenix | Portland
Mosaic451.com
Re: [Freeipa-users] Errors while adding DNS Zone
Hello!

First of all, what version of FreeIPA do you use? FreeIPA 4.1.what?

On 9.3.2015 19:18, Matt Wells wrote:
> I'm getting some errors on a DNS Zone that I'm attempting to create.
> My systems reside within a sub-domain of example.com (xyz.example.com).
> Of course example.com is the internet address, but I want to host the
> internal example.com so we're able to point to internal intranets and so on.
>
> So to the good stuff. Regardless of what flags I give, what NS records I
> change, the NS never actually set. I know it's something silly that I'm
> overlooking but would really love other eyes.
>
> I go to create the zone on server2.
>
> [root@server2 html]# ipa dnszone-add example.com
>   Zone name: example.com.
>   Active zone: TRUE
>   Authoritative nameserver: server2.xyz.example.com.

One important note: Field 'Authoritative nameserver' shows only the SOA
MNAME value and is not related at all to NS records in the zone. Use
$ ipa dnsrecord-show example.com. @
to see NS records in zone apex.

> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server2.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server1.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: not loaded due to errors.
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: update_zone (syncrepl) failed for 'idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: bad zone

At this point we need to know more information:

a) You have to add glue records for names listed in example.com NS records.
It is not obvious if you did that or not:
$ ipa dnsrecord-add example.com server1.xyz --a-rec=192.0.2.1
$ ipa dnsrecord-add example.com server2.xyz --a-rec=192.0.2.2

b) If xyz.example.com is a sub-zone you have to add NS records/delegation
for it (even if it is hosted on the same server!):
$ ipa dnsrecord-add example.com xyz --ns-rec=server1.xyz.example.com.
$ ipa dnsrecord-add example.com xyz --ns-rec=server2.xyz.example.com.

Do not forget to change names in NS records if the sub-zone is hosted on
different servers.

I hope this helps.

Have a nice day!

--
Petr^2 Spacek
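The two conditions Petr lists (glue for in-zone NS targets, and an NS set at the cut point of a sub-zone) can be checked offline before named ever sees the zone. This is an added example and not code from the thread or from FreeIPA; the zone data is a constructed copy of the poster's example.com apex, and the checker assumes the caller knows which names below the apex are served as separate zones.

```python
# Added example, not from the thread: records are (owner, type, rdata),
# FQDNs end in '.'. Constructed zone as the poster had it: apex NS records
# point at hosts under xyz.example.com, but no glue and no delegation.
BROKEN_ZONE = {
    "zone": "example.com.",
    "records": [
        ("example.com.", "NS", "server1.xyz.example.com."),
        ("example.com.", "NS", "server2.xyz.example.com."),
    ],
}

# Constructed: the same zone after the ipa dnsrecord-add commands above
# (glue A records, then an NS set at the xyz cut point).
FIXED_ZONE = {
    "zone": "example.com.",
    "records": BROKEN_ZONE["records"] + [
        ("server1.xyz.example.com.", "A", "192.0.2.1"),
        ("server2.xyz.example.com.", "A", "192.0.2.2"),
        ("xyz.example.com.", "NS", "server1.xyz.example.com."),
        ("xyz.example.com.", "NS", "server2.xyz.example.com."),
    ],
}

def in_zone(name, apex):
    """True when name is the apex or lies below it."""
    return name == apex or name.endswith("." + apex)

def check_zone(zone, subzones=()):
    """Return the problems named would log; an empty list means it loads.
    subzones: names below the apex served as separate zones (assumed known)."""
    apex, recs = zone["zone"], zone["records"]
    glue = {owner for owner, rtype, _ in recs if rtype in ("A", "AAAA")}
    problems = []
    for _owner, rtype, target in recs:
        # An in-zone NS target without A/AAAA glue makes named reject the
        # whole zone, which is the poster's "not loaded due to errors".
        if rtype == "NS" and in_zone(target, apex) and target not in glue:
            msg = f"NS '{target}' has no address records (A or AAAA)"
            if msg not in problems:
                problems.append(msg)
    for sub in subzones:
        # No NS at the cut point means resolvers never reach the sub-zone.
        if not any(o == sub and t == "NS" for o, t, _ in recs):
            problems.append(f"no NS delegation for sub-zone '{sub}' in {apex}")
    return problems

if __name__ == "__main__":
    for label, z in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone(z, subzones={"xyz.example.com."}) or "loads")
```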
Re: [Freeipa-users] Errors while adding DNS Zone
On 09/03/15 19:18, Matt Wells wrote:
> I'm getting some errors on a DNS Zone that I'm attempting to create.
> My systems reside within a sub-domain of example.com (xyz.example.com).
> Of course example.com is the internet address, but I want to host the
> internal example.com so we're able to point to internal intranets and so on.
>
> So to the good stuff. Regardless of what flags I give, what NS records I
> change, the NS never actually set. I know it's something silly that I'm
> overlooking but would really love other eyes.
>
> I go to create the zone on server2.
>
> [root@server2 html]# ipa dnszone-add example.com
>   Zone name: example.com.
>   Active zone: TRUE
>   Authoritative nameserver: server2.xyz.example.com.
>   Administrator e-mail address: hostmaster
>   SOA serial: 1425924224
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant xyz.example.com krb5-self * A; grant xyz.example.com krb5-self * AAAA; grant xyz.example.com krb5-self * SSHFP;
>   Dynamic update: FALSE
>   Allow query: any;
>   Allow transfer: none;
> [root@server2 html]# rndc reload
> server reload successful
>
> Logs on server1 show this
>
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server2.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server1.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: not loaded due to errors.
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: update_zone (syncrepl) failed for 'idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: bad zone
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server2.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server1.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: not loaded due to errors.
> Mar 09 18:03:48 server1.xyz.example.com named-pkcs11[23279]: update_zone (syncrepl) failed for 'idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: bad zone
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server2.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server1.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: not loaded due to errors.
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: unable to reload invalid zone; reload triggered by change in 'idnsname=_kerberos,idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com':bad zone
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server2.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: NS 'server1.xyz.example.com' has no address records (A or AAAA)
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: zone example.com/IN: not loaded due to errors.
> Mar 09 18:03:51 server1.xyz.example.com named-pkcs11[23279]: update_zone (syncrepl) failed for 'idnsname=example.com.,cn=dns,dc=xyz,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: bad zone

Hello,

do you have proper NS delegation in example.com. zone?

ipa dnsrecord-add example.com. xyz.example.com. --ns-rec=server2.xyz.example.com

Martin

--
Martin Basti