On 3.2.2016 23:18, Joshua Ruybal wrote:
> Thanks for the reply. It makes a bit more sense now.
>
> I'm running FreeIPA 3.0.0 on CentOS 6.7
>
> I followed your advice and was able to use dynamic update once I removed
> the zone forwarder. However I've set the global config to "forward only",
> but I'm still getting local resolution when I use dig from a client server.
> I'd expect to see the external records instead.
>
> I'm not seeing much in documentation on how to troubleshoot this.
>
> Also I realize we're falling into the realm of a different subject and can
> start a fresh email chain if needed.

No problem. Please read
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html
It might explain what can and cannot be done with zone forwarders.

Petr^2 Spacek

> Thanks again,
>
> Josh
>
> On Wed, Feb 3, 2016 at 12:45 AM Martin Basti <[email protected]> wrote:
>
>> On 03.02.2016 01:47, Joshua Ruybal wrote:
>>
>> Hi All,
>>
>> I've run into a frustrating issue regarding DNS Dynamic Updating.
>>
>> In a nutshell:
>>
>> If I enroll a new client when the forward policy on a DNS zone is set to
>> "disabled" I don't have a problem enrolling the client and updating the DNS
>> record.
>>
>> However if the policy of the zone is set to "only" or "first", nsupdate
>> fails during the client install. The install log says: nsupdate: Specified Zone
>> 'example.com' does not exist (NXDOMAIN).
>>
>> I'm seeing this in multiple zones, and all I need to change to fix it is
>> the forwarding policy. However it's problematic as we start the
>> rollout, since we will need to rely on external DNS until we have all
>> servers enrolled.
>>
>> Client Install Log Snippet:
>>
>> 2016-02-02T22:53:17Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>> 2016-02-02T22:53:17Z DEBUG stdout=
>> 2016-02-02T22:53:17Z DEBUG stderr=specified zone 'dev.example.net' does not exist (NXDOMAIN)
>> specified zone 'dev.example.net' does not exist (NXDOMAIN)
>>
>> Zone Configuration:
>>
>> [admin@ipa01 ~]$ ipa dnszone-show --all
>> Zone name: dev.example.net
>>   dn: idnsname=dev.example.net,cn=dns,dc=example,dc=com
>>   Zone name: dev.example.net
>>   Authoritative nameserver: ipa01
>>   Administrator e-mail address: hostmaster.dev.example.net.
>>   SOA serial: 1454447236
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
>>   Active zone: TRUE
>>   Dynamic update: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>>   Zone forwarders: 8.8.8.8
>>   Forward policy: only
>>   nsrecord: ipa01, ipa02
>>   objectclass: top, idnsrecord, idnszone
>>
>> Any ideas on how to remedy this? I'd like to avoid updating records by
>> hand if it can be avoided.
>>
>> Thanks!
>> Josh
>>
>>
>> Hello,
>>
>> which version of FreeIPA do you use?
>>
>> If the version is older than 4.1, then specifying a forward policy and
>> forwarders causes the zone to work as a forward zone, thus you cannot add hosts
>> there, because all queries are forwarded to the specified forwarders (8.8.8.8),
>> which do not know zone dev.example.com
>>
>> If the version is 4.1+ then nsupdate should work and it can be a bug. However
>> I'm curious why you need forwarding in a master zone, what is the use case?
>>
>> More details about forward zones in IPA:
>> http://www.freeipa.org/page/V4/Forward_zones
>>
>> IMO you need to specify a global forwarder to your external DNS server, instead
>> of adding per-zone forwarders.
>>
>>
>> Martin
>>
>
>

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
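As an added example (not code from the thread, nor from FreeIPA), a Python check that parses `ipa dnszone-show --all`-style output and flags zones that combine dynamic update with per-zone forwarders and policy "only" or "first", the combination Martin identifies as the cause of the NXDOMAIN; the sample output is constructed, and the blank-line separation between zone records is an assumption.

```python
# Constructed sample: mirrors the "Key: value" layout of the
# `ipa dnszone-show --all` output quoted in the thread; zone records
# are assumed to be separated by blank lines.
SAMPLE_OUTPUT = """\
  Zone name: dev.example.net
  Dynamic update: TRUE
  Zone forwarders: 8.8.8.8
  Forward policy: only

  Zone name: corp.example.net
  Dynamic update: TRUE
"""

# Policies that send the zone's queries to the forwarders; on the
# pre-4.1 FreeIPA in the thread this makes a master zone act as a
# forward zone, so nsupdate is answered NXDOMAIN by 8.8.8.8.
FORWARDING_POLICIES = {"only", "first"}


def parse_zones(output):
    """Split CLI output into one {key: value} dict per zone record."""
    zones, current = [], {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:            # a blank line ends the current record
            if current:
                zones.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # keys never contain ':'
        current[key.strip()] = value.strip()
    if current:
        zones.append(current)
    return zones


def find_forwarding_conflicts(output):
    """Return (zone, reason) for each dynamic-update zone that also
    forwards with policy 'only' or 'first', i.e. the per-zone setup
    the thread says should be replaced by a global forwarder."""
    conflicts = []
    for zone in parse_zones(output):
        forwarders = [f.strip() for f in zone.get("Zone forwarders", "").split(",") if f.strip()]
        policy = zone.get("Forward policy", "").lower()
        dynamic = zone.get("Dynamic update", "").upper() == "TRUE"
        if dynamic and forwarders and policy in FORWARDING_POLICIES:
            reason = "forward policy '%s' via %s" % (policy, ", ".join(forwarders))
            conflicts.append((zone.get("Zone name", "?"), reason))
    return conflicts
```

Run it against the real output of `ipa dnszone-find --all` to list every zone that would break enrolment; zones with no forwarders, like corp.example.net in the sample, are left alone.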
