Thanks, that helps a lot.

> Yes and no. What you see with "@ NS ..." is a glue record -- you are
> supposed to have a glue record for IPA domain in the upstream domain,
> this is how domain delegation works in DNS world.

Except what I saw was the other way around. The FreeIPA server has an NS
record claiming that it is authoritative for the parent domain, but its
parent domain is hosted at dnsmadeeasy:

~ dig @8.8.8.8 -t NS lautus.net
lautus.net. 86399 IN NS ns15.dnsmadeeasy.com.

~ dig @8.8.8.8 -t NS ipa.lautus.net
ipa.lautus.net. 86399 IN NS ipa-hetzner-cpt4-01.lautus.net.

But as far as the FreeIPA DNS is concerned, it is authoritative for
everything:

~ dig @ipa-hetzner-cpt4-01.lautus.net -t NS lautus.net
lautus.net. 86400 IN NS ipa-hetzner-cpt4-01.lautus.net.

~ dig @ipa-hetzner-cpt4-01.lautus.net -t NS ipa.lautus.net
ipa.lautus.net. 86400 IN NS ipa-hetzner-cpt4-01.lautus.net.

--
Pieter Nagel
Lautus Solutions (Pty) Ltd
Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
0832587540
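Added example, not part of the original message or of FreeIPA: the comparison made by hand above, written as a check that flags any zone a server answers NS queries for while public DNS does not list that server as a nameserver for it. The answer lines are the dig output quoted in the message; the function names and verdict labels are assumptions of this example.

```python
from collections import defaultdict

# Answer lines copied from the dig output in the message above, each tagged
# with the resolver that was queried (the "@server" argument to dig).
PUBLIC = "8.8.8.8"
IPA = "ipa-hetzner-cpt4-01.lautus.net"
ANSWERS = [
    (PUBLIC, "lautus.net. 86399 IN NS ns15.dnsmadeeasy.com."),
    (PUBLIC, "ipa.lautus.net. 86399 IN NS ipa-hetzner-cpt4-01.lautus.net."),
    (IPA, "lautus.net. 86400 IN NS ipa-hetzner-cpt4-01.lautus.net."),
    (IPA, "ipa.lautus.net. 86400 IN NS ipa-hetzner-cpt4-01.lautus.net."),
]

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def ns_sets(answers):
    """Map (resolver, zone) -> set of NS targets parsed from answer lines."""
    out = defaultdict(set)
    for resolver, line in answers:
        fields = line.split()  # owner, TTL, class, type, rdata
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue  # skip comments, blank lines and non-NS records
        out[(norm(resolver), norm(fields[0]))].add(norm(fields[4]))
    return out

def audit(answers, public, server):
    """Give a verdict for every zone `server` returned NS records for."""
    sets = ns_sets(answers)
    public, server = norm(public), norm(server)
    report = {}
    for (resolver, zone), local_ns in sets.items():
        if resolver != server:
            continue
        public_ns = sets.get((public, zone), set())
        if not public_ns:
            report[zone] = "no-public-answer"
        elif server not in public_ns:
            # The server claims a zone that public DNS delegates elsewhere.
            report[zone] = "claims-undelegated-zone"
        elif local_ns <= public_ns:
            report[zone] = "consistent"
        else:
            report[zone] = "ns-set-mismatch"
    return report

if __name__ == "__main__":
    for zone, verdict in sorted(audit(ANSWERS, PUBLIC, IPA).items()):
        print(f"{zone}: {verdict}")
```

Clients that resolve through a server flagged "claims-undelegated-zone" receive its view of the parent zone instead of the records published by the zone's real nameservers.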