Hi Rob,

There are 5 more reverse zones which cannot be deleted as well. IPA said "Not
allowed on non-leaf entry". Though that is the same complaint, there are no
"glue, extensibleobject" objectclasses associated with those 5 zones. Please
see attached for details. I would like to have those deleted as well.

Thanks.

Kathy.


[root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa. --all

  dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

  Record name: @

  NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.

  idnsallowdynupdate: TRUE

  idnsallowquery: any;

  idnsallowtransfer: none;

  idnssoaexpire: 1209600

  idnssoaminimum: 3600

  idnssoamname: ipa0.example.com.

  idnssoarefresh: 3600

  idnssoaretry: 900

  idnssoarname: hostmaster

  idnssoaserial: 1629023582

  idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

  idnszoneactive: FALSE

  objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa. --all

  dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

  Record name: @

  NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.

  idnsallowdynupdate: TRUE

  idnsallowquery: any;

  idnsallowtransfer: none;

  idnssoaexpire: 1209600

  idnssoaminimum: 3600

  idnssoamname: ipa0.example.com.

  idnssoarefresh: 3600

  idnssoaretry: 900

  idnssoarname: hostmaster

  idnssoaserial: 1629023582

  idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

  idnszoneactive: FALSE

  objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa. --all

  dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

  Record name: @

  NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.

  idnsallowdynupdate: TRUE

  idnsallowquery: any;

  idnsallowtransfer: none;

  idnssoaexpire: 1209600

  idnssoaminimum: 3600

  idnssoamname: ipa0.example.com.

  idnssoarefresh: 3600

  idnssoaretry: 900

  idnssoarname: hostmaster

  idnssoaserial: 1629023582

  idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

  idnszoneactive: FALSE

  objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa. --all

  dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

  Record name: @

  NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.

  idnsallowdynupdate: TRUE

  idnsallowquery: any;

  idnsallowtransfer: none;

  idnssoaexpire: 1209600

  idnssoaminimum: 3600

  idnssoamname: ipa0.example.com.

  idnssoarefresh: 3600

  idnssoaretry: 900

  idnssoarname: hostmaster

  idnssoaserial: 1629023582

  idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

  idnszoneactive: FALSE

  objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all

  dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

  Record name: @

  NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.

  idnsallowdynupdate: TRUE

  idnsallowquery: any;

  idnsallowtransfer: none;

  idnssoaexpire: 1209600

  idnssoaminimum: 3600

  idnssoamname: ipa0.example.com.

  idnssoarefresh: 3600

  idnssoaretry: 900

  idnssoarname: hostmaster.example.com.

  idnssoaserial: 1629023582

  idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

  idnszoneactive: FALSE

  objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]#

On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <[email protected]> wrote:

> Yes, I want to delete the zone. I tried a few ways, none worked so far.
>
> On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden <[email protected]>
> wrote:
>
>> Kathy Zhu via FreeIPA-users wrote:
>> > Hi List,
>> >
>> > When I run ipa-healthcheck on all of our ipa servers, they all reported
>> > the following:
>> >
>> > [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human
>> >
>> > ERROR: ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com: Replication conflict
>> >
>> > [root@ipa0 ~]#
>> >
>> > [root@ipa0 ~]# ipa-healthcheck --failures-only
>> >
>> > [
>> >
>> >   {
>> >
>> >     "source": "ipahealthcheck.ds.replication",
>> >
>> >     "kw": {
>> >
>> >       "msg": "Replication conflict",
>> >
>> >       "glue": true,
>> >
>> >       "conflict": "deletedEntryHasChildren",
>> >
>> >       "key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
>> >
>> >     },
>> >
>> >     "uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
>> >
>> >     "duration": "0.002318",
>> >
>> >     "when": "20210819234114Z",
>> >
>> >     "check": "ReplicationConflictCheck",
>> >
>> >     "result": "ERROR"
>> >
>> >   }
>> >
>> > ]
>> >
>> > [root@ipa0 ~]#
>> >
>> > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. --sizelimit=99999 --all --structured
>> >
>> >   dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>> >
>> >   Record name: @
>> >
>> >   Records:
>> >
>> >     Record type: NS
>> >
>> >     Record data: ipa1.example.com.
>> >
>> >     NS Hostname: ipa1.example.com.
>> >
>> >   idnsallowdynupdate: TRUE
>> >
>> >   idnsallowquery: any;
>> >
>> >   idnsallowtransfer: none;
>> >
>> >   idnssoaexpire: 1209600
>> >
>> >   idnssoaminimum: 3600
>> >
>> >   idnssoamname: ipa0.example.com.
>> >
>> >   idnssoarefresh: 3600
>> >
>> >   idnssoaretry: 900
>> >
>> >   idnssoarname: hostmaster
>> >
>> >   idnssoaserial: 1629023582
>> >
>> >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>> >
>> >   idnszoneactive: FALSE
>> >
>> >   objectclass: top, idnsrecord, idnszone, glue, extensibleobject
>> >
>> > ----------------------------
>> >
>> > Number of entries returned 1
>> >
>> > ----------------------------
>> >
>> > [root@ipa0 ~]#
>> >
>> >
>> > Notice above, glue is true! After googling, I found the following:
>> >
>> >
>> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/ipa-replica-manage#Solving_Orphan_Entry_Conflicts
>> >
>> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
>> >
>> >
>> > The explanation made sense to me. However, I do not know what happened
>> > to get us into this situation.
>> >
>> >
>> > A good zone displays objectclass like this:
>> >
>> >
>> > objectclass: top, idnsrecord, idnszone
>> >
>> >
>> >
>> > Note, no "glue, extensibleobject" there.
>> >
>> >
>> > This zone cannot be deleted since "Not allowed on non-leaf entry". Any
>> > ideas to delete this zone?
>>
>> Do you want to delete the zone?
>>
>> rob
>>
>>