I decided to make a little test during my spare time to investigate the problem 
further:

>[root@host-01 ~]# ipa dnszone-show test-krb1.novalocal 
>  Zone name: test-krb1.novalocal.
>  Active zone: TRUE
>  Authoritative nameserver: freeipa-master-01.test-krb1.novalocal.
>  Administrator e-mail address: hostmaster.test-krb1.novalocal.
>  SOA serial: 1694341901
>  SOA refresh: 3600
>  SOA retry: 900
>  SOA expire: 1209600
>  SOA minimum: 3600
>  BIND update policy: grant TEST-KRB1.NOVALOCAL krb5-self * A; grant 
> TEST-KRB1.NOVALOCAL krb5-self * AAAA; grant TEST-KRB1.NOVALOCAL krb5-self * 
> SSHFP;
>  Dynamic update: TRUE
>  Allow query: any;
>  Allow transfer: none;
>[root@host-01 ~]# 
>[root@host-01 ~]# cat dns_update.txt 
>update delete host-01.test-krb1.novalocal. IN A
>show
>send
>
>update delete host-01.test-krb1.novalocal. IN AAAA
>show
>send
>
>update add host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97
>show
>send
>[root@host-01 ~]# nsupdate -g dns_update.txt 
>Outgoing update query:
>;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>;; UPDATE SECTION:
>host-01.test-krb1.novalocal. 0  ANY     A
>
>update failed: REFUSED
>Outgoing update query:
>;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>;; UPDATE SECTION:
>host-01.test-krb1.novalocal. 0  ANY     AAAA
>
>update failed: REFUSED
>Outgoing update query:
>;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>;; UPDATE SECTION:
>host-01.test-krb1.novalocal. 1200 IN    A       172.28.19.97
>
>update failed: REFUSED

And this is from the dns logs:

>[root@freeipa-master-01 bind]# tail -f /var/lib/bind/data/named.run 
>17-Sep-2023 16:03:39.500 client @0x7f73801235f0 172.28.19.96#37737/key 
>admin\@TEST-KRB1.NOVALOCAL: updating zone 'test-krb1.novalocal/IN': update 
>failed: rejected by secure update (REFUSED)

Any suggestions on why the update is getting refused?
_______________________________________________
FreeIPA-users mailing list -- [email protected]