[Freeipa-users] DNS zone transfers

Loris Santamaria loris at lgs.com.ve
Tue Jun 21 13:51:03 UTC 2011


On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote:
> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> >> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> >>> Hi,
> >>>
> >>> I would like to use my freeIPA v2 server as my master name server and
> >>> have other normal (non ldap based) bind servers as caching / secondary
> >>> name servers. Ideally the clients would query only the secondary servers
> >>> and the secondary name servers would perform regular zone transfers from
> >>> the master server.
> >>>
> >>> So I'm trying to setup zone transfer in my IPA based name server. First
> >>> of all I see that the attribute "idnsAllowTransfer" referenced in the
> >>> bind-dyndb-ldap documentation is not really supported in the schema
> >>> installed in IPA. Next, using a global "allow-transfer" in named.conf
> >>> doesn't work either.
> >> A global allow-transfer should work, have you restarted named after
> >> setting it ?
> >>
> >> If it doesn't work we may have a bug.
> > I'm adding to named.conf options section:
> >
> > allow-transfer { 127.0.0.1; };
> >
> > then I restart named and try a zone transfer on the same host:
> >
> > # host -l ipa.corpfbk. 127.0.0.1
> > ; Transfer failed.
> > Using domain server:
> > Name: 127.0.0.1
> > Address: 127.0.0.1#53
> > Aliases: 
> >
> > Host ipa.corpfbk not found: 9(NOTAUTH)
> > ; Transfer failed.
> >
> > In the logs I get:
> >
> > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
> >
> Hello Loris,
> 
> the bind-dyndb-ldap plugin currently doesn't support zone transfers, but
> you should receive a SERVFAIL error in this case, not NOTAUTH.
> 
> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
> zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here?

The zone's SOA seems right to me:

[root@ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA

; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa.corpfbk.			IN	SOA

;; ANSWER SECTION:
ipa.corpfbk.		86400	IN	SOA	ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600

;; AUTHORITY SECTION:
ipa.corpfbk.		86400	IN	NS	ipa01.central.corpfbk.

;; ADDITIONAL SECTION:
ipa01.central.corpfbk.	86400	IN	A	192.168.3.6

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 21 09:15:43 2011
;; MSG SIZE  rcvd: 133



-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions
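The exchange discussed in this thread, as an added example that is not part of the original messages and is not code from FreeIPA or bind-dyndb-ldap: it builds a raw AXFR request in DNS wire format, reads the server's first reply over TCP, and classifies that reply by RCODE, so that NOTAUTH (9, "the server does not think it is authoritative for the zone"), REFUSED (5, what BIND returns when allow-transfer denies the client) and SERVFAIL (2, what Adam says the plugin should return when it cannot produce the transfer) are told apart. The zone name and the 127.0.0.1 server address are taken from the thread as assumptions; the `fake_reply` helper constructs sample replies so the classification can be exercised offline without a name server. Standard library only.

```python
# Added example (not from the thread, FreeIPA or bind-dyndb-ldap): raw AXFR
# request plus RCODE-based classification of the reply.
import socket
import struct

QTYPE_SOA = 6
QTYPE_AXFR = 252
QCLASS_IN = 1

# RCODE values from RFC 1035 and RFC 2136 (9 = NOTAUTH).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name such as "ipa.corpfbk." as DNS wire-format labels."""
    bare = name.strip(".")
    if not bare:
        return b"\x00"  # the root zone is a single empty label
    out = b""
    for label in bare.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(zone, qtype, qid=0x2A2A):
    """One-question DNS message. RD is left clear: a transfer is addressed
    to an authoritative server, not to a recursor."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Return the 12-byte header fields; the rest of the message is ignored."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_transfer_reply(msg):
    """Map the first reply to an AXFR request onto what it means in practice."""
    h = parse_header(msg)
    if h["rcode"] == 9:
        return "NOTAUTH: server does not consider itself authoritative for the zone"
    if h["rcode"] == 5:
        return "REFUSED: transfer denied by policy (allow-transfer / TSIG)"
    if h["rcode"] == 2:
        return "SERVFAIL: server is authoritative but cannot produce the transfer"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "TRANSFER: answer section carries zone data (starts with SOA)"
    return "UNEXPECTED: rcode %s, ancount %d" % (h["rcode_name"], h["ancount"])


def fake_reply(query, rcode, aa=False, ancount=0):
    """Constructed reply for offline use: echo the query's ID and question,
    set QR, optionally AA, and the given RCODE. No answer records are
    appended, so a non-zero ancount here is only a header claim."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | (FLAG_AA if aa else 0) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def axfr_over_tcp(server, zone, port=53, timeout=5.0):
    """Send an AXFR request over TCP (2-byte length prefix, RFC 1035 4.2.2)
    and return the first reply message. Needs a reachable name server."""
    query = build_query(zone, QTYPE_AXFR)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)


if __name__ == "__main__":
    # Server and zone are assumptions taken from the thread; adjust as needed.
    print(classify_transfer_reply(axfr_over_tcp("127.0.0.1", "ipa.corpfbk.")))
```

Reading the result together with the SOA query Adam asked for: the dig output above has the `aa` flag set on the SOA answer, so the server does claim authority for ipa.corpfbk, which is exactly why a NOTAUTH on the AXFR for the same zone is surprising. A REFUSED, by contrast, would point at the allow-transfer ACL (or a missing TSIG key) rather than at the zone itself, and a SERVFAIL at the backend being unable to produce the transfer.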