Oh I feel silly now. I had the wrong IP in DNS for the server, so although forward and reverse lookups were working, it was sending the update to a server that was not a DNS server.
Strangely enough, the logs did not show this attempt to notify the wrong server, they just ignored it completely. I fixed the IP and this is working now. Thanks!

> Hello!
>
> On 5.5.2015 00:24, nat...@nathanpeters.com wrote:
>> bind.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>> bind-dyndb-ldap.x86_64 6.1-1.el7.centos
>
> This version works for me (tested on Fedora 21).
>
>> And for reference here are the relevant A and NS records from my domain
>>
>> @ NS dc1.mydomain.net.
>> @ NS dc2.mydomain.net.
>> @ NS dns1.mydomain.net.
>> dns1 A 10.21.0.14
>
> I would recommend you to double check if commands
>
> $ dig @<IPA server> dc1.mydomain.net. A
> $ dig @<IPA server> dc2.mydomain.net. A
> $ dig @<IPA server> dns1.mydomain.net. A
>
> actually return IP addresses or not. Unfortunately BIND does not report an
> error if it is unable to resolve the name and silently ignores the name when
> notifications are sent.
>
> For testing purposes I use these commands (on server):
> $ tcpdump -i any 'port 53'
> $ rndc notify mydomain.net.
>
> Look for a line from tcpdump with note 'notify' in it. I can see the notify
> packet as soon as BIND prints 'sending notifies' message to the journal.
>
> I hope this helps.
>
> Petr^2 Spacek
>
>>> Hello!
>>>
>>> On 2.5.2015 17:12, Nathan Peters wrote:
>>>> The last 3 sentences of my original post refer to me adding the NS
>>>> records for the slave. Is that what you mean?
>>>>
>>>> "I have also ensured that the slave hostname and IP are in FreeIPA DNS. I
>>>> have also added an NS entry pointing to the slave."
>>>
>>> Which version of FreeIPA and bind-dyndb-ldap are you using?
>>>
>>> I will look into it.
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>> -----Original Message-----
>>>> From: Baird, Josh
>>>> Sent: Saturday, May 02, 2015 7:33 AM
>>>> To: 'nat...@nathanpeters.com' ; freeipa-users@redhat.com
>>>> Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
>>>>
>>>> Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately,
>>>> bind-dyndb-ldap does not support 'also-notify' which would allow us to send
>>>> notifies each time a zone update occurs to slave servers that are not in the
>>>> RRSet [1]. To compensate for this in my environment, I had to lower the
>>>> 'refresh' timer on the IPA zone.
>>>>
>>>> [1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of nat...@nathanpeters.com
>>>> Sent: Friday, May 1, 2015 8:20 PM
>>>> To: freeipa-users@redhat.com
>>>> Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
>>>>
>>>> I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.
>>>>
>>>> I also have another host running PowerDNS serving as a slave.
>>>> The FreeIPA servers are set up to allow transfers to the slave by IP. When
>>>> adding the zone, the slave transferred it properly.
>>>>
>>>> However, when I update the zone in FreeIPA, although the serial number
>>>> changes, in the /var/log/messages I only see an attempt to transfer to the
>>>> second IPA server, and not the slave. This is the only log entry:
>>>>
>>>> May 2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
>>>> May 2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'
>>>>
>>>> I have restarted all services using ipactl restart several times. I have also
>>>> ensured that the slave hostname and IP are in FreeIPA DNS. I have also added
>>>> an NS entry pointing to the slave.
>>>>
>>>> According to the FreeIPA manual, once that NS entry is added, any zone updates
>>>> should trigger a notify, but still the only notifications go out to FreeIPA
>>>> servers and nothing else.
>>>>
>>>> Any idea how to fix this so FreeIPA notifies non-IPA servers? I'm pretty sure
>>>> I've followed all the instructions to the letter on this one...
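Both Petr's dig check and the actual root cause (an NS name whose A record pointed at a host that was not a DNS server, which BIND skips without logging) come down to verifying each NS target of the zone. The script below is an added example, not code from the thread or from FreeIPA/bind-dyndb-ldap: for every NS record of a zone it confirms the name resolves on the IPA server and that the resolved address answers an SOA query for the zone. Zone and server address are parameters; the host names in the comments are the thread's examples.

```shell
#!/bin/sh
# check_notify_targets ZONE SERVER
# For every NS record of ZONE as seen by the IPA/BIND server at SERVER, check
# that (1) the NS name has an A record there (BIND silently skips names it
# cannot resolve when sending notifies) and (2) the resolved address actually
# answers an SOA query for ZONE (catches an NS record such as dns1.mydomain.net.
# pointing at a host that is not a DNS server at all). Prints one line per NS
# target; returns 1 if any target fails, 0 otherwise. Requires dig.
check_notify_targets() {
  zone="$1"; server="$2"; rc=0
  for ns in $(dig +short @"$server" "$zone" NS); do
    ip=$(dig +short @"$server" "$ns" A | head -n 1)
    if [ -z "$ip" ]; then
      echo "FAIL $ns: no A record on $server (BIND will silently skip it when notifying)"
      rc=1
      continue
    fi
    # +norecurse so a caching resolver that merely forwards is not mistaken
    # for a slave; dig prints timeouts as ';;' comment lines, so drop those.
    if dig +short +norecurse +time=2 +tries=1 @"$ip" "$zone" SOA | grep -v '^;' | grep -q .; then
      echo "OK   $ns -> $ip answers SOA for $zone"
    else
      echo "FAIL $ns -> $ip does not answer SOA for $zone (wrong IP or not a DNS server?)"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh check_notify_targets.sh mydomain.net. <IPA server address>
if [ "$#" -eq 2 ]; then
  check_notify_targets "$1" "$2"
fi
```

Run it on the IPA server after `rndc notify`; any FAIL line names an NS target that will never receive a notify, whatever the journal says.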