[Freeipa-users] ttl settings for host records
Rob Crittenden
rcritten at redhat.com
Tue Nov 27 15:52:38 UTC 2012
Natxo Asenjo wrote:
> hi,
>
> this is puzzling me.
>
> I have an AD environment (which is leading) with integrated dns servers.
>
> In the AD dns I have a zone domain.tld. I have created a delegation
> unix.domain.tld in it with a glue record pointing to a new ipa server
> kdc01.unix.domain.tld.
>
> This works. I can join hosts to the IPA domain and reach their
> services from the AD domain.
>
> this is the what a host querying the AD dns servers gets when getting
> info about the unix.domain.tld zone:
>
> $ dig unix.domain.tld
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> unix.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34185
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;unix.domain.tld. IN A
>
> ;; AUTHORITY SECTION:
> unix.domain.tld. 300 IN SOA kdc01.unix.domain.tld.
> hostmaster.unix.domain.tld. 2012110713 3600 900 1209600 3600
>
> And the TTL is 300. When I re-run the query, I see that it is less
> than that. This is normal, I have the domain.tld in AD dns with ttl 5
> minutes.
>
> So far, so good.
>
> Now I joing a host to the IPA domain and query the host:
>
> $ dig solr01.unix.domain.tld
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> solr01.unix.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;solr01.unix.domain.tld. IN A
>
> ;; ANSWER SECTION:
> solr01.unix.domain.tld. 84185 IN A 172.20.6.42
>
> The ttl has gone up to one day.
>
> this are the zone settings in IPA:
> $ ipa dnszone-show
> Zone name: unix.domain.tld
> Zone name: unix.domain.tld
> Authoritative nameserver: kdc01.unix.domain.tld.
> Administrator e-mail address: hostmaster.unix.domain.tld.
> SOA serial: 2012110713
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Active zone: TRUE
> Allow query: any;
> Allow transfer: none;
>
> In the web-ui I have filled in the SOA time to live field: 300 for
> this zone, but it is not being picked up.
>
> Where can I set this? If there are changes on the IPA server, I do not
> want that the old info gets cached for a day on the AD dns servers.
I'm not entirely sure where that 86400 came from. When we do a dynamic
update the TTL is hardcoded to 1200. There is a ticket to make this
configurable, https://fedorahosted.org/freeipa/ticket/3031
rob
More information about the Freeipa-users
mailing list