[Freeipa-users] ttl settings for host records

Rob Crittenden rcritten at redhat.com
Tue Nov 27 15:52:38 UTC 2012


Natxo Asenjo wrote:
> hi,
>
> this is puzzling me.
>
> I have an AD environment (which is leading) with integrated dns servers.
>
> In the AD dns I have a zone domain.tld. I have created a delegation
> unix.domain.tld in it with a glue record pointing to a new ipa server
> kdc01.unix.domain.tld.
>
> This works. I can join hosts to the IPA domain and reach their
> services from the AD domain.
>
> this is what a host querying the AD dns servers gets when getting
> info about the unix.domain.tld zone:
>
> $ dig unix.domain.tld
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> unix.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;unix.domain.tld.		IN	A
>
> ;; AUTHORITY SECTION:
> unix.domain.tld.	300	IN	SOA	kdc01.unix.domain.tld.
> hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
>
> And the TTL is 300. When I re-run the query, I see that it is less
> than that. This is normal, I have the domain.tld in AD dns with ttl 5
> minutes.
>
> So far, so good.
>
> Now I join a host to the IPA domain and query the host:
>
> $ dig solr01.unix.domain.tld
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> solr01.unix.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;solr01.unix.domain.tld.	IN	A
>
> ;; ANSWER SECTION:
> solr01.unix.domain.tld. 84185	IN	A	172.20.6.42
>
> The ttl has gone up to one day.
>
> these are the zone settings in IPA:
> $ ipa dnszone-show
> Zone name: unix.domain.tld
>    Zone name: unix.domain.tld
>    Authoritative nameserver: kdc01.unix.domain.tld.
>    Administrator e-mail address: hostmaster.unix.domain.tld.
>    SOA serial: 2012110713
>    SOA refresh: 3600
>    SOA retry: 900
>    SOA expire: 1209600
>    SOA minimum: 3600
>    Active zone: TRUE
>    Allow query: any;
>    Allow transfer: none;
>
> In the web-ui I have filled in the SOA time to live field: 300 for
> this zone, but it is not being picked up.
>
> Where can I set this? If there are changes on the IPA server, I do not
> want the old info to get cached for a day on the AD dns servers.

I'm not entirely sure where that 86400 came from. When we do a dynamic 
update the TTL is hardcoded to 1200. There is a ticket to make this 
configurable, https://fedorahosted.org/freeipa/ticket/3031

rob
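A quick way to spot the mismatch Natxo describes is to parse the record lines out of dig output and flag any whose TTL is larger than the value the zone is supposed to hand out. The script below is an added example, not code from the thread or from FreeIPA; the sample input is constructed from the two answers quoted above (SOA TTL 300, A record TTL 84185), and the 300-second expectation is an assumption taken from the post.

```python
import re

# Constructed sample built from the dig answers quoted in the thread.
# The SOA line is joined onto one line (the mail client wrapped it).
SAMPLE_DIG = (
    "unix.domain.tld.\t300\tIN\tSOA\tkdc01.unix.domain.tld. "
    "hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600\n"
    "solr01.unix.domain.tld.\t84185\tIN\tA\t172.20.6.42\n"
)

# One dig-style RR line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$"
)


def parse_rrs(text):
    """Return the resource records in dig output; ';' comment lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            rrs.append({"name": m["name"], "ttl": int(m["ttl"]),
                        "type": m["type"], "rdata": m["rdata"]})
    return rrs


def soa_minimum(text):
    """Negative-caching minimum (last SOA field), or None if no SOA is present."""
    for rr in parse_rrs(text):
        if rr["type"] == "SOA":
            return int(rr["rdata"].split()[-1])
    return None


def ttl_anomalies(text, expected_ttl):
    """Records whose TTL exceeds expected_ttl.

    A TTL seen through a recursive cache (the AD servers here) is already
    counting down, so the value originally published is at least this large;
    84185 therefore points at an original TTL well above the zone's 300.
    """
    return [(rr["name"], rr["type"], rr["ttl"])
            for rr in parse_rrs(text) if rr["ttl"] > expected_ttl]


if __name__ == "__main__":
    print("SOA minimum:", soa_minimum(SAMPLE_DIG))
    print("records above 300s:", ttl_anomalies(SAMPLE_DIG, 300))
```

Run against real `dig +noall +answer +authority` output of the IPA server and of the AD forwarders to see whether the large TTL is published by IPA itself (as Rob's hardcoded update TTL would suggest) or only appears in the cached answer.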