Thanks for the reply. It makes a bit more sense now. I'm running FreeIPA 3.0.0 on CentOS 6.7.

I followed your advice and was able to use dynamic update once I removed the zone forwarder. However, I've set the global config to "forward only", but I'm still getting local resolution when I use dig from a client server. I'd expect to see the external records instead. I'm not seeing much in the documentation on how to troubleshoot this. Also, I realize we're falling into the realm of a different subject and can start a fresh email chain if needed.

Thanks again,
Josh

On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <[email protected]> wrote:
>
> On 03.02.2016 01:47, Joshua Ruybal wrote:
>
> Hi All,
>
> I've run into a frustrating issue regarding DNS dynamic updating.
>
> In a nutshell:
>
> If I enroll a new client when the forward policy on a DNS zone is set to
> "disabled", I don't have a problem enrolling the client and updating the DNS
> record.
>
> However, if the policy of the zone is set to "only" or "first", nsupdate
> fails during the client install. The install log says nsupdate: Specified Zone
> 'example.com' does not exist (NXDOMAIN).
>
> I'm seeing this in multiple zones, and all I need to change to fix it is
> the forwarding policy. However, it's problematic as we start the
> rollout, since we will need to rely on external DNS until we have all
> servers enrolled.
>
> Client Install Log Snippet:
>
> 2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2016-02-02T22:53:17Z DEBUG stdout=
> 2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
> specified zone 'dev.example.net' does not exist (NXDOMAIN)
>
> Zone Configuration:
>
> [admin@ipa01 ~]$ ipa dnszone-show --all
> Zone name: dev.example.net
>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>   Zone name: dev.example.net
>   Authoritative nameserver: ipa01
>   Administrator e-mail address: hostmaster.dev.example.net.
>   SOA serial: 1454447236
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
>   Active zone: TRUE
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   Zone forwarders: 8.8.8.8
>   Forward policy: only
>   nsrecord: ipa01, ipa02
>   objectclass: top, idnsrecord, idnszone
>
> Any ideas on how to remedy this? I'd like to avoid updating records by
> hand if it can be avoided.
>
> Thanks!
> Josh
>
>
> Hello,
>
> Which version of FreeIPA do you use?
>
> If the version is older than 4.1, then specifying a forward policy and
> forwarders causes the zone to work as a forward zone; thus you cannot add a host
> there, because all queries are forwarded to the specified forwarders (8.8.8.8),
> which do not know the zone dev.example.com.
>
> If the version is 4.1+, then nsupdate should work and it may be a bug. However,
> I'm curious why you need forwarding in a master zone; what is the use case?
>
> More details about forward zones in IPA:
> http://www.freeipa.org/page/V4/Forward_zones
>
> IMO you need to specify a global forwarder to your external DNS server instead
> of adding per-zone forwarders.
>
>
> Martin
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
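As an added example (not part of this thread and not FreeIPA's own code), here is a small Python audit that applies Martin's rule to the text that `ipa dnszone-show --all` (or `ipa dnszone-find --all`) prints: a master zone that has "Dynamic update: TRUE" together with zone forwarders and a forward policy of "only" or "first" is the configuration that, on FreeIPA older than 4.1, makes the zone behave as a forward zone and nsupdate fail with NXDOMAIN. The sample input is constructed, modelled on Josh's pasted zone output with a second, correctly configured zone added for contrast; the function names are the example's own.

```python
"""Audit FreeIPA master zones for per-zone forwarders that shadow dynamic updates.

Added example, not FreeIPA code. Parses the key/value text printed by
`ipa dnszone-show --all` / `ipa dnszone-find --all` and flags zones that both
allow dynamic updates and carry zone forwarders with policy "only" or "first".
"""
from typing import Dict, List

# Constructed sample modelled on the thread's `ipa dnszone-show --all` output,
# plus a second zone (corp.example.net) that has no per-zone forwarders.
SAMPLE_OUTPUT = """\
  Zone name: dev.example.net
  dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
  Zone name: dev.example.net
  Authoritative nameserver: ipa01
  Administrator e-mail address: hostmaster.dev.example.net.
  SOA serial: 1454447236
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8
  Forward policy: only
  nsrecord: ipa01, ipa02

  Zone name: corp.example.net
  dn: idnsname=corp.example.net,cn=dns,dc=example,dc=com
  Authoritative nameserver: ipa01
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa01, ipa02
"""


def parse_zones(text: str) -> List[Dict[str, str]]:
    """Split zone listing output into one dict per zone.

    Zones are separated by blank lines; a repeated key (the CLI prints
    "Zone name" twice) keeps its first value. Values may contain ':'
    (e.g. the dn line), so only the first colon is treated as the separator.
    """
    zones: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                zones.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line; ignore it
        current.setdefault(key.strip(), value.strip())
    if current:
        zones.append(current)
    return zones


def is_shadowed_by_forwarders(zone: Dict[str, str]) -> bool:
    """True when forwarders are set and the policy is "only" or "first",
    i.e. the combination that pre-4.1 FreeIPA treats as a forward zone."""
    forwarders = zone.get("Zone forwarders", "")
    policy = zone.get("Forward policy", "").lower()
    return bool(forwarders) and policy in ("only", "first")


def audit(text: str) -> List[str]:
    """Return one finding per zone that allows dynamic updates but is shadowed
    by its own forwarders; an empty list means nothing to fix."""
    findings: List[str] = []
    for zone in parse_zones(text):
        name = zone.get("Zone name", "<unnamed>")
        dynamic = zone.get("Dynamic update", "").upper() == "TRUE"
        if dynamic and is_shadowed_by_forwarders(zone):
            findings.append(
                f"{name}: dynamic update is TRUE but zone forwarders "
                f"{zone['Zone forwarders']} with forward policy "
                f"'{zone['Forward policy']}' make nsupdate fail with NXDOMAIN on "
                f"FreeIPA < 4.1; drop the zone forwarders and use a global forwarder"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OUTPUT) or ["no zones shadowed by per-zone forwarders"]:
        print(line)
```

Run it against saved output (for example `ipa dnszone-find --all > zones.txt` and then `audit(open("zones.txt").read())`); only the zone with forwarders and an "only" policy is reported, while the zone that relies on the global forwarder passes.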
