Jon, I was an amateur.

You already said exactly the string that I need to make DNS updates work with the 
grant policy. Sorry for this mess. I was able to understand exactly what’s 
going on from this website: http://www.zytrax.com/books/dns/ch7/xfer.html

zonesub: The RR name being updated must match anything containing the zone name 
(as it appears in the zone clause containing this update-policy), including 
subdomains (any labels on the left) of this zone name. The optional tname field 
must be omitted when using this form.

LOL.

Anyway the issue 1. is still valid and happening.

Solving issues 2 and 3, I came across another issue: the external 
DNS name is added to the internal DNS with the domain appended, so I got the 
following record:

hpclab.iq.ufrj.br.cluster.iq.ufrj.br.

Thanks,


> On 22 Sep 2019, at 14:52, Vinícius Ferrão <[email protected]> wrote:
> 
> Hello Jon, I’m having issues with the setup.
> 
> First the enhancement things that may be welcoming for you:
> # chdef -t site externaldns=1
> 
> With this in place you can just use makedns instead of makedns -e. I think 
> it’s a good idea to set it up to avoid messing with the local named daemon, 
> in case you forget to put -e in the makedns command.
> 
> Now the bad things.
> 1. Makedns insists on updating zones that I do not have control over. For 
> instance, the external domain name and the reverse IP of the external name:
> 
> Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with 
> entry '', error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with 
> entry '', error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with 
> entry '', error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating 29.164.146.IN-ADDR.ARPA. with 
> entry '', error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', 
> error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', 
> error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', 
> error was REFUSED. See more details in system log.
> Error: [hpclab]: Failure encountered updating iq.ufrj.br. with entry '', 
> error was REFUSED. See more details in system log.
> 
> Is there a way to skip these zones? This happens because of my external 
> addresses.
> 
> 2. For reasons unknown I can’t make the grants for the internal zone:
> 
> Sep 22 14:48:04 hpclab named-pkcs11[21244]: 'CLUSTER.IQ.UFRJ.BR' unexpected
> Sep 22 14:48:04 hpclab named-pkcs11[21244]: zone cluster.iq.ufrj.br/IN: 
> failed to parse policy string
> Sep 22 14:48:04 hpclab named-pkcs11[21244]: zone cluster.iq.ufrj.br/IN: 
> disabling all updates because of error in update policy configuration: 
> unexpected token
> 
> I’m using this policy in cluster.iq.ufrj.br:
> 
> grant CLUSTER.IQ.UFRJ.BR krb5-self * A; grant CLUSTER.IQ.UFRJ.BR krb5-self * 
> AAAA; grant CLUSTER.IQ.UFRJ.BR krb5-self * SSHFP; grant xcat_key 
> CLUSTER.IQ.UFRJ.BR A CNAME;
> 
> 3. The same thing happens for the reverse zone:
> 
> Sep 22 14:50:35 hpclab named-pkcs11[21244]: '0.0.10.in-addr.arpa.' unexpected
> Sep 22 14:50:35 hpclab named-pkcs11[21244]: zone 0.0.10.in-addr.arpa/IN: 
> failed to parse policy string
> Sep 22 14:50:35 hpclab named-pkcs11[21244]: zone 0.0.10.in-addr.arpa/IN: 
> disabling all updates because of error in update policy configuration: 
> unexpected token
> Sep 22 14:50:35 hpclab named-pkcs11[21244]: update_zone (syncrepl) failed for 
> master zone DN 
> 'idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=cluster,dc=iq,dc=ufrj,dc=br'. Zones 
> can be outdated, run `rndc reload`: unexpected token
> 
> Using the policy in the reverse zone:
> grant CLUSTER.IQ.UFRJ.BR krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant 
> xcat_key 0.0.10.in-addr.arpa. * PTR;
> 
> -x-x-x-
> 
> Regarding 2 and 3; it’s probably something wrong in the grant policy. But 
> I’ve followed your instructions and the instructions on the link that you 
> attached in the original message.
> 
> What am I missing?
> 
> Thanks,
> 
> 
>> On 12 Sep 2019, at 06:11, Jon Diprose <[email protected]> wrote:
>> 
>> Hi Vinícius,
>>  
>> I am looking at exactly this at the moment. My experience so far is that:
>>  
>> - xCAT’s ‘makedns -e’ uses TSIG to update at least the first dns server in 
>> the master’s /etc/resolv.conf
>> - xCAT’s TSIG key appears to be hmac-md5
>> + I’d like to know if I could go to hmac-sha512 instead but I think that may 
>> be hardcoded as the hashing function declaration isn’t in the omapi entry of 
>> the password table, just the secret
>> - https://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG 
>>   basically applies
>> - add the xcat_key stanza to the /etc/named.conf files and ‘rndc reload’ on 
>> all FreeIPA replicas
>> - for the relevant FreeIPA forward zones the update-policy ‘grant xcat_key 
>> zonesub A CNAME;’ is required in addition to whatever is already there
>> + if you are doing that at the command line, ‘ipa dnszone-show zone.name. 
>> --all’ shows the existing policy
>> + note that ‘ipa dnszone-mod zone.name. --update-policy …’ replaces and does 
>> not append
>> - for the relevant FreeIPA reverse zones the update-policy ‘grant xcat_key 
>> zonesub PTR;’ is required in addition to whatever is already there
>> - those may not be the most appropriate policy wordings but they work for me
>> - ‘ipa dnszone-mod zone.name. --dynamic-update true’ is required for both 
>> forward and reverse zones
>> - the ‘@’ records and Authoritative Server settings that FreeIPA creates by 
>> default may need adjusting if those defaults are not reachable by your xCAT 
>> master
>> - you can test the talking-to-FreeIPA bit without any of the xCAT stuff 
>> using the ‘nsupdate’ command
>> - I haven’t yet attempted to enrol my xCAT master as an IPA client so I’ve 
>> no idea if kinit’ing with appropriate privilege would make the TSIG key work 
>> unnecessary - I don’t know if xCAT can speak GSS-TSIG
>>  
>>  
>> ‘makedns -e’ now almost works for me - it updates all the IPA DNS records 
>> that I am expecting from my xCAT config and a few more I wasn’t expecting 
>> from having manually added stuff to my /etc/hosts, all without touching the 
>> existing local config. It is still returning an exit code of 1 so there’s 
>> still something to track down, but I think that is now down to 
>> inconsistencies and oddities in my xCAT config and /etc/hosts file, 
>> complicated by my particular setup not being authoritative for some domains 
>> I use.
>>  
>> I also ship fully-populated /etc/hosts files to all our xCAT-managed nodes, 
>> so I’m hoping for a seamless changeover when redirecting the nodes to the 
>> FreeIPA DNS instances instead of the one on the xCAT master.
>>  
>> I hope that helps and I’d appreciate hearing about anything you learn along 
>> the way!
>>  
>> Jon
>>  
>> --
>> Dr. Jonathan Diprose <[email protected]>        Tel: 01865 287837
>> Research Computing Manager
>> Henry Wellcome Building for Genomic Medicine Roosevelt Drive, Headington, 
>> Oxford OX3 7BN
>>  
>> From: Vinícius Ferrão via xCAT-user [mailto:[email protected]] 
>> Sent: 11 September 2019 15:32
>> To: xCAT Users Mailing list
>> Cc: Vinícius Ferrão
>> Subject: [xcat-user] Removing BIND from xCAT
>>  
>> Hello,
>>  
>> I came across this documentation page:
>> https://xcat-docs.readthedocs.io/en/stable/advanced/domain_name_resolution/domain_name_resolution.html#option-2-use-a-dns-that-is-outside-of-the-cluster
>>  
>> And it says specifically that I can use an external DNS server.
>>  
>> So the point is, with this option xCAT does not even use the shipped BIND?
>>  
>> Can it coexist with another BIND daemon on the same machine?
>>  
>> I’m interested in installing FreeIPA and enabling DNS integrated Zones, so 
>> FreeIPA handles the DNS service.
>>  
>> Thanks,
>>  
>> _______________________________________________
>> xCAT-user mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/xcat-user
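The policy-string failures in items 2 and 3, and the zonesub form Jon gave, both come down to BIND's update-policy grammar: `grant|deny identity nametype [name] [types]`, where zonesub takes no name field and every other nametype takes one. The checker below is an added example written for this thread; it is not code from xCAT, FreeIPA, or either poster. It applies that grammar to the policy strings posted above and reproduces the token named in the syslog lines, and a small `qualify` helper shows the DNS origin rule (a name without a trailing dot is relative and gets the zone origin appended), which is the assumed mechanism behind the doubled name `hpclab.iq.ufrj.br.cluster.iq.ufrj.br.` in the latest reply. The nametype set, the error wording and the policy constants are constructed for the example.

```python
"""Checker for BIND 9 / FreeIPA update-policy rule strings.

Added example; not code from the xcat-user thread, xCAT or FreeIPA.
Grammar implemented (BIND ARM, "update-policy"):
    ( grant | deny ) identity nametype [ name ] [ types ]
where zonesub takes no name field and every other nametype takes one.
"""
import re

# Name types recognised by BIND 9's update-policy (set assumed here).
NAMETYPES_WITH_NAME = {
    "name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
    "ms-self", "ms-subdomain", "krb5-self", "krb5-subdomain",
    "tcp-self", "6to4-self", "external",
}
NAMETYPES_WITHOUT_NAME = {"zonesub"}
NAMETYPES = NAMETYPES_WITH_NAME | NAMETYPES_WITHOUT_NAME

# An RR type token: A, AAAA, PTR, SSHFP, CNAME, ANY, TYPE65534, ...
# A dotted zone name or "*" in this position is not a type.
RRTYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_rule(rule: str) -> dict:
    """Parse one rule (no trailing ';').

    Raises ValueError with a named-style "'<token>' unexpected" message
    so the failure can be matched against the syslog lines in the thread.
    """
    tokens = rule.split()
    if len(tokens) < 3:
        raise ValueError(f"rule too short: {rule!r}")
    action, identity, nametype = tokens[0].lower(), tokens[1], tokens[2].lower()
    if action not in ("grant", "deny"):
        raise ValueError(f"'{tokens[0]}' unexpected")
    if nametype not in NAMETYPES:
        # The thread's failure: a zone name sits where a nametype belongs.
        raise ValueError(f"'{tokens[2]}' unexpected")
    rest = tokens[3:]
    name = None
    if nametype in NAMETYPES_WITH_NAME:
        if not rest:
            raise ValueError(f"missing name after '{nametype}'")
        name, rest = rest[0], rest[1:]
    # Whatever remains must be RR types; zonesub goes straight to types,
    # so a name supplied after it shows up here as an unexpected token.
    for tok in rest:
        if not RRTYPE.match(tok):
            raise ValueError(f"'{tok}' unexpected")
    return {"action": action, "identity": identity, "nametype": nametype,
            "name": name, "types": [t.upper() for t in rest]}


def validate_policy(policy: str) -> list:
    """Check a whole ';'-separated policy; return one message per bad rule."""
    errors = []
    rules = [r.strip() for r in policy.split(";") if r.strip()]
    for i, rule in enumerate(rules, start=1):
        try:
            parse_rule(rule)
        except ValueError as exc:
            errors.append(f"rule {i}: {exc}")
    return errors


def qualify(owner: str, origin: str) -> str:
    """Apply the DNS origin rule: a name without a trailing dot is relative
    and gets the zone origin appended; an absolute name is left alone."""
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin.rstrip('.')}."


# Policy strings constructed from the ones posted in the thread.
FORWARD_BROKEN = ("grant CLUSTER.IQ.UFRJ.BR krb5-self * A; "
                  "grant CLUSTER.IQ.UFRJ.BR krb5-self * AAAA; "
                  "grant CLUSTER.IQ.UFRJ.BR krb5-self * SSHFP; "
                  "grant xcat_key CLUSTER.IQ.UFRJ.BR A CNAME;")
FORWARD_FIXED = FORWARD_BROKEN.replace("grant xcat_key CLUSTER.IQ.UFRJ.BR A CNAME;",
                                       "grant xcat_key zonesub A CNAME;")
REVERSE_BROKEN = ("grant CLUSTER.IQ.UFRJ.BR krb5-subdomain 0.0.10.in-addr.arpa. PTR; "
                  "grant xcat_key 0.0.10.in-addr.arpa. * PTR;")
REVERSE_FIXED = ("grant CLUSTER.IQ.UFRJ.BR krb5-subdomain 0.0.10.in-addr.arpa. PTR; "
                 "grant xcat_key zonesub PTR;")

if __name__ == "__main__":
    for label, pol in [("forward/broken", FORWARD_BROKEN), ("forward/fixed", FORWARD_FIXED),
                       ("reverse/broken", REVERSE_BROKEN), ("reverse/fixed", REVERSE_FIXED)]:
        print(label, validate_policy(pol) or "OK")
    print(qualify("hpclab.iq.ufrj.br", "cluster.iq.ufrj.br."))
```

The two broken policies fail on exactly the tokens named in the syslog lines ('CLUSTER.IQ.UFRJ.BR' and '0.0.10.in-addr.arpa.'), because the xcat_key rules put the zone name in the nametype slot; swapping in zonesub makes both parse. Once the policy parses, Jon's suggestion of testing with nsupdate is still the end-to-end check, and sending the owner name with a trailing dot avoids the origin being appended.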
