Re: [Freeipa-users] ttl settings for host records
On 11/29/2012 01:16 PM, James Hogarth wrote:
>> I'm not entirely sure where that 86400 came from. When we do a dynamic
>> update the TTL is hardcoded to 1200. There is a ticket to make this
>> configurable, https://fedorahosted.org/freeipa/ticket/3031
>
> The patch I submitted on the SSSD side has actually been committed in
> 1.10 ... The report and patch I had there was about getting
> ipa-client-install to configure sssd.conf appropriately for sssd ...
> rather than changing the TTL after the system was first registered...
>
> Still trying to find time to work on the TTL this side within IPA GUI
> rather than just CLI (have it exposed in IPA... working on modifying it
> at the moment but still have one TTL per primary key rather than split
> it out entirely).

I'm not sure if I understood your intention correctly, but the current IPA
LDAP schema can't handle more than a single TTL value per DNS name. I.e. all
records under a single name (e.g. machine.example.com) have to have the same
TTL value.

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ttl settings for host records
Natxo Asenjo wrote:
> hi,
>
> this is puzzling me. I have an AD environment (which is leading) with
> integrated dns servers. In the AD dns I have a zone domain.tld. I have
> created a delegation unix.domain.tld in it with a glue record pointing
> to a new ipa server kdc01.unix.domain.tld. This works. I can join hosts
> to the IPA domain and reach their services from the AD domain.
>
> this is what a host querying the AD dns servers gets when getting info
> about the unix.domain.tld zone:
>
> $ dig unix.domain.tld
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> unix.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;unix.domain.tld.               IN      A
>
> ;; AUTHORITY SECTION:
> unix.domain.tld.        300     IN      SOA     kdc01.unix.domain.tld. hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
>
> And the TTL is 300. When I re-run the query, I see that it is less than
> that. This is normal, I have the domain.tld in AD dns with ttl 5 minutes.
>
> So far, so good.
>
> Now I join a host to the IPA domain and query the host:
>
> $ dig solr01.unix.domain.tld
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> solr01.unix.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;solr01.unix.domain.tld.        IN      A
>
> ;; ANSWER SECTION:
> solr01.unix.domain.tld. 84185   IN      A       172.20.6.42
>
> The ttl has gone up to one day.
>
> these are the zone settings in IPA:
>
> $ ipa dnszone-show
> Zone name: unix.domain.tld
> Zone name: unix.domain.tld
> Authoritative nameserver: kdc01.unix.domain.tld.
> Administrator e-mail address: hostmaster.unix.domain.tld.
> SOA serial: 2012110713
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Active zone: TRUE
> Allow query: any;
> Allow transfer: none;
>
> In the web-ui I have filled in the SOA time to live field: 300 for this
> zone, but it is not being picked up.
>
> Where can I set this? If there are changes on the IPA server, I do not
> want the old info to get cached for a day on the AD dns servers.

I'm not entirely sure where that 86400 came from. When we do a dynamic
update the TTL is hardcoded to 1200. There is a ticket to make this
configurable, https://fedorahosted.org/freeipa/ticket/3031

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ttl settings for host records
Hello,

On 11/27/2012 04:52 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>> hi,
>>
>> this is puzzling me. I have an AD environment (which is leading) with
>> integrated dns servers. In the AD dns I have a zone domain.tld. I have
>> created a delegation unix.domain.tld in it with a glue record pointing
>> to a new ipa server kdc01.unix.domain.tld. This works. I can join hosts
>> to the IPA domain and reach their services from the AD domain.
>>
>> this is what a host querying the AD dns servers gets when getting info
>> about the unix.domain.tld zone:
>>
>> $ dig unix.domain.tld
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> unix.domain.tld
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;unix.domain.tld.               IN      A
>>
>> ;; AUTHORITY SECTION:
>> unix.domain.tld.        300     IN      SOA     kdc01.unix.domain.tld. hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
>>
>> And the TTL is 300. When I re-run the query, I see that it is less than
>> that. This is normal, I have the domain.tld in AD dns with ttl 5 minutes.
>>
>> So far, so good.

You set TTL = 300 explicitly for unix.domain.tld. (i.e. the SOA record),
right?

>> Now I join a host to the IPA domain and query the host:
>>
>> $ dig solr01.unix.domain.tld
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> solr01.unix.domain.tld
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;solr01.unix.domain.tld.        IN      A
>>
>> ;; ANSWER SECTION:
>> solr01.unix.domain.tld. 84185   IN      A       172.20.6.42
>>
>> The ttl has gone up to one day.

86400 seconds is the default value for entries without an explicit TTL
definition. The TTL setting is effective per-name, so setting a TTL for the
zone's root (SOA record) will affect only the SOA itself.

The current version has the default TTL of 86400 seconds hard-coded. It is a
known limitation and it is planned to address this in IPA 3.2:
https://fedorahosted.org/bind-dyndb-ldap/ticket/70

Before this ticket is solved you have to explicitly set the TTL attribute for
each existing DNS name. Sorry!

>> these are the zone settings in IPA:
>>
>> $ ipa dnszone-show
>> Zone name: unix.domain.tld
>> Zone name: unix.domain.tld
>> Authoritative nameserver: kdc01.unix.domain.tld.
>> Administrator e-mail address: hostmaster.unix.domain.tld.
>> SOA serial: 2012110713
>> SOA refresh: 3600
>> SOA retry: 900
>> SOA expire: 1209600
>> SOA minimum: 3600

For completeness: This value affects only negative record caching. See
http://tools.ietf.org/html/rfc2308 section 2.2.1 - Special Handling of No
Data, part 4 - SOA Minimum Field.

>> Active zone: TRUE
>> Allow query: any;
>> Allow transfer: none;
>>
>> In the web-ui I have filled in the SOA time to live field: 300 for this
>> zone, but it is not being picked up.

The plan is to have separate SOA TTL and per-zone default-TTL settings, but
right now there is no attribute for a default TTL.

>> Where can I set this? If there are changes on the IPA server, I do not
>> want the old info to get cached for a day on the AD dns servers.
>
> I'm not entirely sure where that 86400 came from. When we do a dynamic
> update the TTL is hardcoded to 1200. There is a ticket to make this
> configurable, https://fedorahosted.org/freeipa/ticket/3031

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
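The thread makes three practical points: names without an explicit TTL are published with a hard-coded 86400 s, IPA stores one TTL per name, and the zone's SOA minimum bounds only negative caching. The following script is an added example, not code from this list, from FreeIPA or from bind-dyndb-ldap. It parses dig-style record lines, flags names whose observed TTL exceeds a limit, checks that every name carries a single TTL, computes the negative-cache TTL per RFC 2308 section 5, and prints the per-name ipa commands that the interim fix described above requires. The record lines are constructed (only the SOA and solr01 lines mirror the thread), and it is assumed that `ipa dnsrecord-mod` accepts `--ttl` and addresses the zone apex as `@`, as in FreeIPA 3.x.

```python
import re
from collections import defaultdict

# Constructed sample in the layout dig prints (owner, TTL, class, type, rdata).
# The SOA and solr01 lines mirror the thread; kdc01 and db01 are invented to
# show several records under one name and a record written by a dynamic update.
SAMPLE_DIG_LINES = """\
;; AUTHORITY/ANSWER SECTION (constructed):
unix.domain.tld.        300   IN  SOA  kdc01.unix.domain.tld. hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
solr01.unix.domain.tld. 84185 IN  A    172.20.6.42
kdc01.unix.domain.tld.  300   IN  A    172.20.6.10
kdc01.unix.domain.tld.  300   IN  AAAA 2001:db8::10
db01.unix.domain.tld.   1200  IN  A    172.20.6.43
"""

RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.*)$")


def parse_rrs(text):
    """Parse dig-style record lines into dicts; ';' comments and blanks are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable record line: {line!r}")
        rrs.append({"name": m["name"], "ttl": int(m["ttl"]),
                    "type": m["type"], "rdata": m["rdata"]})
    return rrs


def ttl_per_name(rrs):
    """Map each owner name to the set of TTLs seen on it. IPA's LDAP schema keeps
    one TTL per name, so more than one value under a name means the data did
    not all come from IPA (or the answers were captured mid-countdown)."""
    seen = defaultdict(set)
    for rr in rrs:
        seen[rr["name"]].add(rr["ttl"])
    return dict(seen)


def find_slow_expiring(rrs, max_ttl):
    """Names whose observed TTL exceeds max_ttl. A cached answer only counts
    down from the authoritative TTL, so any value above max_ttl proves the
    record was published with a larger TTL than the caller wants."""
    return sorted({rr["name"] for rr in rrs if rr["ttl"] > max_ttl})


def negative_cache_ttl(rrs):
    """RFC 2308 section 5: negative answers are cached for min(SOA TTL, SOA MINIMUM).
    The 'SOA minimum' shown by ipa dnszone-show therefore never bounds positive
    answers, which is why it does not help against the 86400 s default."""
    for rr in rrs:
        if rr["type"] == "SOA":
            # rdata fields: mname rname serial refresh retry expire minimum
            minimum = int(rr["rdata"].split()[6])
            return min(rr["ttl"], minimum)
    raise ValueError("no SOA record in input")


def remediation_commands(zone, names, ttl):
    """Per-name commands for the interim fix (assumed: 'ipa dnsrecord-mod' takes
    --ttl and '@' addresses the zone apex, as in FreeIPA 3.x)."""
    cmds = []
    for fqdn in names:
        if fqdn == zone + ".":
            rel = "@"
        elif fqdn.endswith("." + zone + "."):
            rel = fqdn[: -len(zone) - 2]      # strip the trailing ".zone."
        else:
            raise ValueError(f"{fqdn} is not inside zone {zone}")
        cmds.append(f"ipa dnsrecord-mod {zone} {rel} --ttl={ttl}")
    return cmds


if __name__ == "__main__":
    rrs = parse_rrs(SAMPLE_DIG_LINES)
    print("TTLs per name:", ttl_per_name(rrs))
    print("negative-cache TTL for the zone:", negative_cache_ttl(rrs))
    slow = find_slow_expiring(rrs, 300)
    print("names above 300 s:", slow)
    for cmd in remediation_commands("unix.domain.tld", slow, 300):
        print(cmd)
```

Run against real data, feed it the `;; ANSWER SECTION` lines of `dig +noall +answer` for each name you care about (or an AXFR, if transfers are allowed from your host), and review the emitted commands before running them: `find_slow_expiring` cannot tell a 1200 s dynamic-update TTL from the 86400 s default, so choose `max_ttl` to match the caching window you are actually willing to accept on the AD resolvers.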