On 1.9.2014 12:16, Dmitri Pal wrote:
On 09/01/2014 12:05 PM, Martin Kosek wrote:
On 09/01/2014 07:50 AM, Dmitri Pal wrote:
On 08/29/2014 09:32 PM, Matthew Sellers wrote:
Hi Everyone!

I am using FreeIPA 3.3.5 on Fedora 20 and attempting to configure FreeIPA to
send notifies to non-IPA slaves, but it seems broken on IPA (notify packets
are never sent to slaves).

I have configured also-notify { nameserverip; }; in named.conf on my FreeIPA
test host in the options section and watched for notify traffic with tcpdump.

This document suggests that this is supported, and this is something I have
used in non-IPA bind servers with no issues.

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_zone_transfer

I wanted to ask the list before I file a bug with more details. Is anyone
using this bind feature on IPA with any success?

Thanks!
Matt


The DNS level change propagation is not supported between IPA replicas; instead,
it uses LDAP replication to propagate the changes.
If you want another non IPA DNS server to be a slave then you can do it. See
http://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation for more
information.
I thought that from F20, bind-dyndb-ldap was capable of native DNS operations
like AXFR/IXFR which can be used to actually deploy slave DNS servers. I wonder
if also-notify is something different. CCing Petr Spacek to advise.
AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves - no.

Let me summarize:
- AXFR is supported (at least) by all versions RHEL 6.5 and newer versions
- IXFR is supported by bind-dyndb-ldap 4.0 and newer (Fedora 20+)
- DNS NOTIFY messages are always sent to servers listed in NS records

I.e. you have to add your non-IPA slave servers to NS records in the particular zone and then it should 'just work', no other configuration (like 'also-notify') is necessary.

Please let me know if it doesn't work for you.

--
Petr^2 Spacek
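
For checking a capture such as the tcpdump one mentioned in the original question, here is an added example (not part of the thread, and not FreeIPA or BIND code) that recognises a DNS NOTIFY request in a raw DNS payload by its opcode 4 (RFC 1996). The zone name `example.test`, the function names and the sample packet are constructed for illustration.

```python
import struct

OPCODE_NOTIFY = 4            # RFC 1996
TYPE_SOA, CLASS_IN = 6, 1

def encode_name(name):
    """Encode a domain name as uncompressed length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_notify(zone, msg_id=0x1234):
    """Constructed sample: a NOTIFY request for `zone` (QR=0, opcode=4, AA=1)."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def parse_question(payload):
    """Return (opcode, is_response, qname, qtype), or None if malformed."""
    if len(payload) < 12:
        return None
    _msg_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        # Question names are normally uncompressed; reject pointers and overruns.
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return (flags >> 11) & 0xF, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def is_notify_for(payload, zone):
    """True if payload is a NOTIFY request whose question is the SOA of `zone`."""
    parsed = parse_question(payload)
    if parsed is None:
        return False
    opcode, is_response, qname, qtype = parsed
    wanted = ".".join(l for l in zone.lower().split(".") if l) + "."
    return (opcode == OPCODE_NOTIFY and not is_response
            and qtype == TYPE_SOA and qname.lower() == wanted)
```

The input to `is_notify_for` is the DNS message itself (the UDP payload), with the IP and UDP headers already stripped.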
