Hello Jon,

I’m having issues with the setup. First, an enhancement that may be welcome for you:

# chdef -t site externaldns=1

With this in place you can just use makedns instead of makedns -e. I think it’s a good idea to set it up to avoid messing with the local named daemon, in case you forget to put -e in the makedns command.

Now the bad things.

1. makedns insists on updating zones that I do not have control over. For instance, the external domain name and the reverse IP of the external name:

Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', error was REFUSED. See more details in system log.
Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', error was REFUSED. See more details in system log.

Is there a way to skip these zones? This happens because of my external addresses.

2. For reasons unknown I can’t make the grants for the internal zone:

Sep 22 14:48:04 hpclab named-pkcs11[21244]: 'CLUSTER.IQ.UFRJ.BR' unexpected
Sep 22 14:48:04 hpclab named-pkcs11[21244]: zone cluster.iq.ufrj.br/IN: failed to parse policy string
Sep 22 14:48:04 hpclab named-pkcs11[21244]: zone cluster.iq.ufrj.br/IN: disabling all updates because of error in update policy configuration: unexpected token

I’m using this policy in cluster.iq.ufrj.br:

grant CLUSTER.IQ.UFRJ.BR krb5-self * A;
grant CLUSTER.IQ.UFRJ.BR krb5-self * AAAA;
grant CLUSTER.IQ.UFRJ.BR krb5-self * SSHFP;
grant xcat_key CLUSTER.IQ.UFRJ.BR A CNAME;

3. The same thing happens for the reverse zone:

Sep 22 14:50:35 hpclab named-pkcs11[21244]: '0.0.10.in-addr.arpa.' unexpected
Sep 22 14:50:35 hpclab named-pkcs11[21244]: zone 0.0.10.in-addr.arpa/IN: failed to parse policy string
Sep 22 14:50:35 hpclab named-pkcs11[21244]: zone 0.0.10.in-addr.arpa/IN: disabling all updates because of error in update policy configuration: unexpected token
Sep 22 14:50:35 hpclab named-pkcs11[21244]: update_zone (syncrepl) failed for master zone DN 'idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=cluster,dc=iq,dc=ufrj,dc=br'. Zones can be outdated, run `rndc reload`: unexpected token

Using this policy in the reverse zone:

grant CLUSTER.IQ.UFRJ.BR krb5-subdomain 0.0.10.in-addr.arpa. PTR;
grant xcat_key 0.0.10.in-addr.arpa. * PTR;

-x-x-x-

Regarding 2 and 3: it’s probably something wrong in the grant policy. But I’ve followed your instructions and the instructions on the link that you attached in the original message. What am I missing?

Thanks,

> On 12 Sep 2019, at 06:11, Jon Diprose <[email protected]> wrote:
>
> Hi Vinícius,
>
> I am looking at exactly this at the moment.
> My experience so far is that:
>
> - xCAT’s ‘makedns -e’ uses TSIG to update at least the first dns server in the master’s /etc/resolv.conf
> - xCAT’s TSIG key appears to be hmac-md5
>   + I’d like to know if I could go to hmac-sha512 instead but I think that may be hardcoded as the hashing function declaration isn’t in the omapi entry of the password table, just the secret
> - https://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG basically applies
> - add the xcat_key stanza to the /etc/named.conf files and ‘rndc reload’ on all FreeIPA replicas
> - for the relevant FreeIPA forward zones the update-policy ‘grant xcat_key zonesub A CNAME;’ is required in addition to whatever is already there
>   + if you are doing that at the command line, ‘ipa dnszone-show zone.name. --all’ shows the existing policy
>   + note that ‘ipa dnszone-mod zone.name. --update-policy …’ replaces and does not append
> - for the relevant FreeIPA reverse zones the update-policy ‘grant xcat_key zonesub PTR;’ is required in addition to whatever is already there
> - those may not be the most appropriate policy wordings but they work for me
> - ‘ipa dnszone-mod zone.name. --dynamic-update true’ is required for both forward and reverse zones
> - the ‘@’ records and Authoritative Server settings that FreeIPA creates by default may need adjusting if those defaults are not reachable by your xCAT master
> - you can test the talking-to-FreeIPA bit without any of the xCAT stuff using the ‘nsupdate’ command
> - I haven’t yet attempted to enrol my xCAT master as an IPA client so I’ve no idea if kinit’ing with appropriate privilege would make the TSIG key unnecessary - I don’t know if xCAT can speak GSS-TSIG
>
> ‘makedns -e’ now almost works for me - it updates all the IPA dns records that I am expecting from my xCAT config and a few more I wasn’t expecting from having manually added stuff to my /etc/hosts, all without touching the existing local config. It is still returning an exit code of 1 so there’s still something to track down, but I think that is now down to inconsistencies and oddities in my xCAT config and /etc/hosts file, complicated by my particular setup not being authoritative for some domains I use.
>
> I also ship fully-populated /etc/hosts files to all our xCAT-managed nodes, so I’m hoping for a seamless changeover when redirecting the nodes to the FreeIPA DNS instances instead of the one on the xCAT master.
>
> I hope that helps and I’d appreciate hearing about anything you learn along the way!
>
> Jon
>
> --
> Dr. Jonathan Diprose <[email protected]>
> Tel: 01865 287837
> Research Computing Manager
> Henry Wellcome Building for Genomic Medicine, Roosevelt Drive, Headington, Oxford OX3 7BN
>
> From: Vinícius Ferrão via xCAT-user [mailto:[email protected]]
> Sent: 11 September 2019 15:32
> To: xCAT Users Mailing list
> Cc: Vinícius Ferrão
> Subject: [xcat-user] Removing BIND from xCAT
>
> Hello,
>
> I’ve come across this documentation page:
> https://xcat-docs.readthedocs.io/en/stable/advanced/domain_name_resolution/domain_name_resolution.html#option-2-use-a-dns-that-is-outside-of-the-cluster
>
> And it says specifically that I can use an external DNS server.
>
> So the point is, with this option xCAT does not even use the shipped BIND?
>
> Can it coexist with another BIND daemon on the same machine?
>
> I’m interested in installing FreeIPA and enabling DNS integrated Zones, so FreeIPA handles the DNS service.
>
> Thanks,
>
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user
_______________________________________________ xCAT-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/xcat-user
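An added example, not code from the thread nor from xCAT, FreeIPA or BIND: a small Python checker for the update-policy strings discussed in the messages above. It applies the rule grammar from the BIND ARM, `( grant | deny ) identity nametype [ name ] [ types ]`, to each `;`-separated rule and reports the first token that does not fit, in the same "'<token>' unexpected" wording that named logs. The two policies from Vinícius's message are copied verbatim into the block: the three krb5-self rules and the krb5-subdomain rule pass, while each xcat_key rule is reported at its third field (the position where Jon's wording has the keyword `zonesub`), and that third field is the very token named-pkcs11 names in the log lines quoted above. The `add_grant` helper builds the complete value for `ipa dnszone-mod ZONE --update-policy=...`, which, as Jon notes, replaces rather than appends. The RR-type list and the assumption that bind-dyndb-ldap accepts the same rule grammar as named.conf are mine; the checker cannot stand in for the real parser.

```python
"""Structural checker for BIND update-policy strings, the value FreeIPA stores
per zone and hands to bind-dyndb-ldap.  Added example for this thread; it is
not xCAT, FreeIPA or BIND code.  Rule grammar as given in the BIND ARM:

    ( grant | deny ) identity nametype [ name ] [ types ]

Assumption: bind-dyndb-ldap accepts the same grammar as named.conf.  The check
only catches rules whose third field is not a nametype keyword, a name given
to zonesub, or a type token that is not an RR type.
"""
import re
from typing import List, Optional, Tuple

# nametype keywords accepted by BIND 9 (ARM, "Dynamic Update Policies")
NAMETYPES = {
    "name", "subdomain", "zonesub", "wildcard", "self", "selfsub", "selfwild",
    "ms-self", "ms-selfsub", "ms-subdomain", "krb5-self", "krb5-selfsub",
    "krb5-subdomain", "tcp-self", "6to4-self", "external",
}
# zonesub is the nametype for which the ARM says the name field is omitted
NO_NAME_FIELD = {"zonesub"}
# RR type mnemonics an update policy is likely to name (my list); TYPEnnn too
RRTYPES = {
    "A", "AAAA", "PTR", "CNAME", "DNAME", "MX", "NS", "SOA", "SRV", "TXT",
    "SSHFP", "TLSA", "CAA", "DS", "DNSKEY", "NAPTR", "LOC", "HINFO", "ANY",
}
RRTYPE_RE = re.compile(r"^TYPE\d+$")


def is_rrtype(tok: str) -> bool:
    return tok.upper() in RRTYPES or bool(RRTYPE_RE.match(tok.upper()))


def split_rules(policy: str) -> List[str]:
    """Split 'grant ...; grant ...;' into individual rules (braces tolerated)."""
    return [r.strip() for r in policy.strip().strip("{}").split(";") if r.strip()]


def check_rule(rule: str) -> Optional[str]:
    """None if the rule is structurally valid, else a message phrased like
    named's own "'<token>' unexpected" log line."""
    tok = rule.strip().rstrip(";").split()
    if not tok or tok[0] not in ("grant", "deny"):
        return f"'{tok[0] if tok else ''}' unexpected: rule must start with grant or deny"
    if len(tok) < 3:
        return "missing identity or nametype"
    nametype = tok[2]
    if nametype not in NAMETYPES:
        return (f"'{nametype}' unexpected: not a nametype keyword "
                f"(e.g. zonesub, subdomain, krb5-self)")
    rest = tok[3:]
    if nametype in NO_NAME_FIELD:
        if rest and not is_rrtype(rest[0]):
            return f"'{rest[0]}' unexpected: {nametype} takes no name field"
    elif rest and not is_rrtype(rest[0]):
        rest = rest[1:]  # optional name field (a domain name or '*')
    for t in rest:
        if not is_rrtype(t):
            return f"'{t}' unexpected: not an RR type"
    return None


def check_policy(policy: str) -> List[Tuple[str, Optional[str]]]:
    """(rule, error-or-None) for every rule in the policy string."""
    return [(r, check_rule(r)) for r in split_rules(policy)]


def add_grant(policy: str, new_rule: str) -> str:
    """Return the full policy with new_rule appended once.  Pass the result to
    'ipa dnszone-mod ZONE --update-policy=...', which replaces the stored
    value rather than appending to it."""
    norm = " ".join(new_rule.split()).rstrip(";").strip()
    err = check_rule(norm)
    if err:
        raise ValueError(err)
    rules = split_rules(policy)
    if norm not in [" ".join(r.split()) for r in rules]:
        rules.append(norm)
    return " ".join(r + ";" for r in rules)


# The two policies quoted in the message above (copied from the thread).
FORWARD_POLICY = (
    "grant CLUSTER.IQ.UFRJ.BR krb5-self * A; "
    "grant CLUSTER.IQ.UFRJ.BR krb5-self * AAAA; "
    "grant CLUSTER.IQ.UFRJ.BR krb5-self * SSHFP; "
    "grant xcat_key CLUSTER.IQ.UFRJ.BR A CNAME;"
)
REVERSE_POLICY = (
    "grant CLUSTER.IQ.UFRJ.BR krb5-subdomain 0.0.10.in-addr.arpa. PTR; "
    "grant xcat_key 0.0.10.in-addr.arpa. * PTR;"
)

if __name__ == "__main__":
    for name, policy in (("forward", FORWARD_POLICY), ("reverse", REVERSE_POLICY)):
        for rule, err in check_policy(policy):
            print(f"{name}: {rule!r}: {err or 'ok'}")
    # Build the replacement value Jon's notes describe: the rules that parse,
    # plus the xcat_key zonesub grant, so the krb5 rules are not dropped.
    kept = "; ".join(r for r, e in check_policy(FORWARD_POLICY) if e is None) + ";"
    print(add_grant(kept, "grant xcat_key zonesub A CNAME;"))
```

Run it before `ipa dnszone-mod`; a clean pass here is necessary but not sufficient, since only named (or bind-dyndb-ldap) decides whether a policy is accepted, and the `named-pkcs11` log lines remain the authoritative check after `rndc reload`.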
