[Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

nathan at nathanpeters.com nathan at nathanpeters.com
Wed May 6 18:26:08 UTC 2015


Oh I feel silly now.  I had the wrong IP in DNS for the server, so
although forward and reverse lookups were working, it was sending the
update to a server that was not a DNS server.

Strangely enough, the logs did not show this attempt to notify the wrong
server, they just ignored it completely.  I fixed the IP and this is
working now.

Thanks!

> Hello!
>
> On 5.5.2015 00:24, nathan at nathanpeters.com wrote:
>> bind.x86_64                        32:9.9.4-20.el7.centos.pkcs11
>> @mkosek-freeipa
>> bind-dyndb-ldap.x86_64             6.1-1.el7.centos
>
> This version works for me (tested on Fedora 21).
>
>> And for reference here are the relevant A and NS records from my domain
>>
>> @ NS dc1.mydomain.net.
>> @ NS dc2.mydomain.net.
>> @ NS dns1.mydomain.net.
>> dns1 A 10.21.0.14
>
> I would recommend you to double check if commands
>
> $ dig @<IPA server> dc1.mydomain.net. A
> $ dig @<IPA server> dc2.mydomain.net. A
> $ dig @<IPA server> dns1.mydomain.net. A
>
> actually return IP addresses or not. Unfortunately BIND does not report an
> error if it is unable to resolve the name and silently ignores the name when
> notifications are sent.
>
> For testing purposes I use these commands (on server):
> $ tcpdump -i any 'port 53'
> $ rndc notify mydomain.net.
>
> Look for a line from tcpdump with note 'notify' in it. I can see the notify
> packet as soon as BIND prints 'sending notifies' message to the journal.
>
> I hope this helps.
>
> Petr^2 Spacek
>
>>> Hello!
>>>
>>> On 2.5.2015 17:12, Nathan Peters wrote:
>>>> The last 3 sentences of my original post refer to me adding the NS
>>>> records for the slave.  Is that what you mean?
>>>>
>>>> "I have also ensured that the slave hostname and IP are in FreeIPA DNS.
>>>> I have also added an NS entry pointing to the slave."
>>>
>>> Which version of FreeIPA and bind-dyndb-ldap are you using?
>>>
>>> I will look into it.
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>> -----Original Message----- From: Baird, Josh
>>>> Sent: Saturday, May 02, 2015 7:33 AM
>>>> To: 'nathan at nathanpeters.com' ; freeipa-users at redhat.com
>>>> Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being
>>>> sent to slaves
>>>>
>>>> Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately,
>>>> bind-dyndb-ldap does not support 'also-notify' which would allow us to
>>>> send notifies each time a zone update occurs to slave servers that are
>>>> not in the RRSet [1].  To compensate for this in my environment, I had to
>>>> lower the 'refresh' timer on the IPA zone.
>>>>
>>>> [1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of
>>>> nathan at nathanpeters.com
>>>> Sent: Friday, May 1, 2015 8:20 PM
>>>> To: freeipa-users at redhat.com
>>>> Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being
>>>> sent to slaves
>>>>
>>>> I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.
>>>>
>>>> I also have another host running PowerDNS serving as a slave.
>>>> The FreeIPA servers are set up to allow transfers to the slave by IP.
>>>> When adding the zone, the slave transferred it properly.
>>>>
>>>> However, when I update the zone in FreeIPA, although the serial number
>>>> changes, in /var/log/messages I only see an attempt to transfer to
>>>> the second IPA server, and not the slave.  This is the only log entry:
>>>>
>>>> May  2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
>>>> May  2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'
>>>>
>>>> I have restarted all services using ipactl restart several times.  I
>>>> have also ensured that the slave hostname and IP are in FreeIPA DNS.  I
>>>> have also added an NS entry pointing to the slave.
>>>>
>>>> According to the FreeIPA manual, once that NS entry is added, any zone
>>>> updates should trigger a notify, but still the only notifications go out
>>>> to FreeIPA servers and nothing else.
>>>>
>>>> Any idea how to fix this so FreeIPA notifies non-IPA servers?  I'm
>>>> pretty sure I've followed all the instructions to the letter on this
>>>> one...
>
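A small diagnostic script for the checks Petr describes, covering both failure modes in this thread: an NS name that BIND silently drops because it has no address, and (Nathan's case) an NS name that resolves to an address that is not actually a DNS server for the zone. This is an added example, not code from the thread or from FreeIPA/bind-dyndb-ldap; it assumes `dig` is installed, takes the IPA server address and zone as arguments, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): for every NS record of a zone, verify
# that the name resolves to an address and that the address answers SOA for
# the zone. BIND never logs an NS name it cannot resolve; it just leaves it
# out of the notify set, so this surfaces what the journal does not.

# Keep only lines that are IPv4 or IPv6 literals; a CNAME target, a hostname
# or an empty answer means the name is not usable as a notify target.
filter_addresses() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+:[0-9A-Fa-f:]*$'
}

# Return 0 when the given answer text (e.g. "dig +short" output) contains
# at least one address line, 1 otherwise.
has_address() {
    printf '%s\n' "$1" | filter_addresses | grep -q .
}

# Live check; needs network access to the IPA server.
# Usage: check_notify_targets <ipa-server-ip> <zone>
check_notify_targets() {
    server="$1"; zone="$2"; rc=0
    for ns in $(dig @"$server" "$zone" NS +short); do
        addrs=$(dig @"$server" "$ns" A +short; dig @"$server" "$ns" AAAA +short)
        if has_address "$addrs"; then
            echo "ok      $ns -> $(printf '%s\n' "$addrs" | filter_addresses | tr '\n' ' ')"
            # The NS name resolves, but does the address really serve the zone?
            for ip in $(printf '%s\n' "$addrs" | filter_addresses); do
                if ! dig @"$ip" "$zone" SOA +short +time=2 +tries=1 | grep -q .; then
                    echo "warn    $ns ($ip) does not answer SOA for $zone"; rc=1
                fi
            done
        else
            echo "MISSING $ns has no A/AAAA record; BIND will skip it silently"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_notify_targets 10.21.0.14 mydomain.net` on the IPA server and compare the "ok" lines with the hosts you expect to receive notifies.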