Bug 958140
| Summary: | PTR record synchronization deletes all data under reverse name | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | bind-dyndb-ldap | Assignee: | Petr Spacek <pspacek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | mkosek, pspacek, xdong |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | bind-dyndb-ldap-3.5-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 10:32:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dmitri Pal
2013-04-30 13:23:33 UTC
Fixed upstream by commit 1c63c045b5238fb675b7a517876869bcace2cdab.

Xiyang Dong

When I delete the A record, however, its reverse record did not get deleted. Is this a bug, or if not, could you provide the correct steps to verify?

```
[root@70master ipa-ctl]# ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns --ip-addr=127.0.0.1
  Zone name: example.com.
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1389813544
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ipa-ctl]# ipa dnszone-add 3.2.1.in-addr.arpa. --admin-email=hostmaster.3.2.1.in-addr.arpa. --name-server=ns.example.com.
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1389817156
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ipa-ctl]# ipa dnsrecord-add example.com. test --a-rec=1.2.3.4 --a-create-reverse
  Record name: test
  A record: 1.2.3.4
[root@70master ipa-ctl]# dig test.example.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> test.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com.              IN      A

;; ANSWER SECTION:
test.example.com.       86400   IN      A       1.2.3.4

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.         86400   IN      A       1.2.3.4

[root@70master ipa-ctl]# ipa dnsrecord-add 3.2.1.in-addr.arpa. 4 --txt-rec="text"
  Record name: 4
  PTR record: test.example.com.
  TXT record: text
[root@70master ipa-ctl]# dig -x 1.2.3.4

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50379
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.          IN      PTR

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.   86400   IN      PTR     test.example.com.

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.     86400   IN      NS      ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.         86400   IN      A       127.0.0.1

[root@70master ipa-ctl]# ipa dnsrecord-del example.com. test --a-rec=1.2.3.4
---------------------
Deleted record "test"
---------------------
[root@70master ipa-ctl]# ipa dnsrecord-find example.com.
  Record name: @
  NS record: ns

  Record name: _kerberos
  TXT record: TESTRELM.COM

  Record name: ns
  A record: 127.0.0.1
----------------------------
Number of entries returned 3
----------------------------
[root@70master ipa-ctl]# ipa dnsrecord-find 3.2.1.in-addr.arpa.
  Record name: 4
  PTR record: test.example.com.
  TXT record: text

  Record name: @
  NS record: ns.example.com.
[root@70master ipa-ctl]# dig -x 1.2.3.4

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2067
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.          IN      PTR

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.   86400   IN      PTR     test.example.com.

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.     86400   IN      NS      ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.         86400   IN      A       127.0.0.1

[root@70master ipa-ctl]# dig -x 1.2.3.4 -t TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4 -t TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6236
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.          IN      TXT

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.   86400   IN      TXT     "text"

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.     86400   IN      NS      ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.         86400   IN      A       127.0.0.1
```

Petr Spacek

You have to enable PTR record synchronization and use 'nsupdate -g' to do updates. I'm sorry that it is not clear from the bug description.

PTR record synchronization is described at: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR

Xiyang Dong

After checking the PTR record sync doc I found:

Forward and reverse zones are hosted on the same server inside the same bind-dyndb-ldap instance. Both zones are managed by bind-dyndb-ldap driver declared in the one dynamic-db section of /etc/named.conf.

Say my machine is 70master.testrelm.com and right now named.conf is:

```
...
dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket";
        arg "base cn=dns, dc=testrelm,dc=com";
        arg "fake_mname 70master.testrelm.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/70master.testrelm.com";
        arg "serial_autoincrement yes";
};
```

If I want to set up test.sample.com. with A record 1.2.3.4 for testing, what is the correct config for both zones sample.com. and 3.2.1.in-addr.arpa. in the dynamic-db part?

And for this config requirement:

FreeIPA's default update policy for forward zones is: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; where EXAMPLE.COM is your Kerberos REALM.

My current Kerberos REALM is TESTRELM.COM, so I need to temporarily change it to EXAMPLE.COM for this test and then change it back?

Petr Spacek

(In reply to Xiyang Dong from comment #5)
> If I want to set up test.sample.com. and with A record 1.2.3.4 for testing,
> What it the correct config for both zones sample.com. and
> 3.2.1.in-addr.arpa. in dynamic-db part ?

The original configuration in named.conf is perfectly fine, use only IPA CLI for configuration if you don't need something special.

> and for this config requirement:
> FreeIPA's default update policy for forward zones is: grant EXAMPLE.COM
> krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM
> krb5-self * SSHFP; where EXAMPLE.COM is your Kerberos REALM.
>
> my current kerberos REALM is TESTRELM.COM ,so I need to temporarily change
> it to EXAMPLE.COM for this test and then change it back?

EXAMPLE.COM should be automatically replaced by IPA installer, you should see TESTRELM.COM in the output from

```
$ ipa dnszone-show --all <yourzone>
```

Default policy is automatically added to new DNS zones so you don't need to touch it.

Configuration described at https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR#QuickConfigurationforFreeIPA is valid, just follow steps in the text.

Xiyang Dong

Hi Petr, I still got refused when doing the update. Below are my steps:

```
[root@70master ~]# kinit admin
Password for admin:
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313346
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testReverseZone=3.2.1.in-addr.arpa.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=ns.$testZone.
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313374
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnsrecord-add $testZone test --a-rec=1.2.3.4 --a-create-reverse
  Record name: test
  A record: 1.2.3.4
[root@70master ~]# ipa dnsrecord-add $testReverseZone 4 --txt-rec=text
  Record name: 4
  PTR record: test.example.com.
  TXT record: text
[root@70master ~]# ipa dnszone-mod $testZone --dynamic-update=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testRelm=TESTRELM.COM
[root@70master ~]# ipa dnszone-mod $testZone --update-policy='grant $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm krb5-self * SSHFP;'
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm krb5-self * SSHFP;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnszone-mod $testZone --allow-sync-ptr=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
[root@70master ~]# ipa dnszone-mod $testReverseZone --dynamic-update=TRUE
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313492
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa host-add test.$testZone
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com
[root@70master ~]# TmpDir=/tmp
[root@70master ~]# MASTER=`hostname`
[root@70master ~]# ipa-getkeytab -s $MASTER -p host/test.$testZone@$testRelm -k $TmpDir/bz958140.keytab
Keytab successfully retrieved and stored in: /tmp/bz958140.keytab
[root@70master ~]# cat > $TmpDir/nsupdate.txt << EOF
> debug
> update delete test.$testZone IN A 1.2.3.4
> send
> EOF
[root@70master ~]#
[root@70master ~]# kinit -k -t $TmpDir/bz958140.keytab host/test.$testZone
[root@70master ~]# nsupdate -g $TmpDir/nsupdate.txt
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50755
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com.              IN      SOA

;; AUTHORITY SECTION:
example.com.            3600    IN      SOA     70master.testrelm.com. hostmaster.example.com. 1390313485 3600 900 1209600 3600

Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58456
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2624493634.sig-70master.testrelm.com. ANY     TKEY

;; ADDITIONAL SECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390313831 1390313831 3 NOERROR 643
        YIICfwYJKoZIhvcSAQICAQBuggJuMIICaqADAgEFoQMCAQ6iBwMFACAA
        AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC
        AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi
        oAMCARKhAwIBAqKCARQEggEQzcPnhE8mVNZEUZ5xlt/gJTXITCpjkM+S
        6RFUrzoeunEo6EyghjHkzlTfobNwjiyuuXm6R4wr0rYlfeiqn6H3/Ivr
        hYI2BvUFWrrW8cBxvj4FcJrDU4ytuaeftqa8YVjq3dc8A99TWQVlHwtX
        wVXdJa7hP2GMT7nsH47MhIViDUOW/CjDnTvPeyM0O94o1EqptU0I5mbE
        oABb+SUVuaKksJdHX6idB2MKp98uZ2ls4p+AvC/40FmMVyiAuZUJDbZ1
        jaKxAHeyEpvI5f+/1oZztfApbZZynRQWxGioYVilE02LW6MeFOAqkiKr
        ABcO6Aip3MWDw8v9OSBn6dxzENJSGLnCsM1daZ4Y7TsuHhofCTakgeAw
        gd2gAwIBEqKB1QSB0vB/P8QLYf83oeqENUk2YHleVHIVE1KrQ+g+2mao
        xTGv1rvKrG9oGTKieuiAos5cmATvW1H3bzoTFHS6XG0vOnZs3Ti1yZbq
        hlvjUtzk1Bd4hWYjzqmalAnV/kpRlC7Pk8OE6xJLihACNJLm8jFeDSTt
        /Z1GW50/dm6jhjY744bpMj0Ie/GbmXvGOPMnghYYgcCeuW9THwVUqzj/
        ozd5PjvGdaRQ4W615szI8B3B+pDclrI/DtRkX6t7qHuwIKovPHMUwqYz
        iRIJyEbcYFDiIlg9uA== 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58456
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2624493634.sig-70master.testrelm.com. ANY     TKEY

;; ANSWER SECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390313831 1390317431 3 NOERROR 156
        YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi
        cQRvfzKND0CB5oRT9ib9K10A6o+9Xr5NEBFuYbPPZzNfK7984kn6nj/P
        7KLUtqwN6Mn09UMOJ2azd+uehW3eS4/U/5SxOA63VjhkWn6/V94Dblvk
        cz6s1+waKsPUg5mxmFskd6iz2MNFfRkqZ9J1hiFV 0

Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 3143
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com.       0       NONE    A       1.2.3.4

;; TSIG PSEUDOSECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390313831 300 28 BAQE//////8AAAAAK8jvItMJYqplk3YdBpnjGw== 3143 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 3143
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; TSIG PSEUDOSECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390313831 300 28 BAQF//////8AAAAAD2rPc0YMT/GjtdLMYR0Gpg== 3143 NOERROR 0
```

In /var/log/messages:

```
Jan 21 09:17:11 70master named[28475]: client 10.18.57.215#38837/key host/test.example.com\@TESTRELM.COM: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)
```

Petr Spacek

(In reply to Xiyang Dong from comment #7)
> [root@70master ~]# ipa dnszone-mod $testZone --update-policy='grant
> $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm
> krb5-self * SSHFP;'
> Zone name: example.com
...
> BIND update policy: grant $testRelm krb5-self * A; grant $testRelm
> krb5-self *
> AAAA; grant $testRelm krb5-self * SSHFP;

Note that $testRelm was not expanded so BIND can't possibly match client's realm to string "$testRelm". Rest of the configuration seems fine, please retry the test with expanded $testRelm variable.

Have a nice day!
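As an added example (not code from the bug report or from bind-dyndb-ldap), the following Python models the two things this thread turns on: how BIND's krb5-self and krb5-subdomain `grant` rules match a GSS-TSIG signer, which reproduces the REFUSED from comment 7 when the stored policy contains the literal string `$testRelm`, and what PTR synchronization should remove when an A record is deleted. Function names, the in-memory zone layout and the sample data are assumptions constructed for this example; the realm/principal matching is an approximation of BIND's behaviour, not its code.

```python
import re

def parse_policy(policy):
    """Split 'grant <realm> <krb5-self|krb5-subdomain> <name> <types...>;' rules."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        if parts[0] != "grant" or len(parts) < 5:
            raise ValueError("unsupported rule: %r" % stmt.strip())
        rules.append((parts[1], parts[2], parts[3].rstrip(".").lower(), set(parts[4:])))
    return rules

def unexpanded_variables(policy):
    """Shell variables left in the policy text (the single-quote mistake in comment 7)."""
    return sorted(set(re.findall(r"\$\w+", policy)))

def update_allowed(policy, principal, name, rtype):
    """Approximate BIND's check: may host/<machine>@<REALM> update <name>/<rtype>?"""
    m = re.fullmatch(r"host/([^@]+)@(.+)", principal)
    if not m:
        return False
    machine, realm = m.group(1).rstrip(".").lower(), m.group(2)
    name = name.rstrip(".").lower()
    for rule_realm, matchtype, rule_name, rtypes in parse_policy(policy):
        if rule_realm != realm or rtype not in rtypes:
            continue  # a literal "$testRelm" never equals "TESTRELM.COM" -> REFUSED
        if matchtype == "krb5-self" and name == machine:
            return True  # the host may only touch its own name
        if matchtype == "krb5-subdomain" and (name == rule_name or name.endswith("." + rule_name)):
            return True  # any name under the listed zone, restricted to the listed types
    return False

def reverse_name(ipv4):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def delete_a_with_ptr_sync(zones, fqdn, ipv4, buggy=False):
    """Delete fqdn A ipv4 and sync the reverse zone.

    zones maps owner name -> {rtype: set(rdata)} (assumed layout).  buggy=True
    reproduces the reported behaviour (whole reverse name dropped, TXT included);
    the default is the fixed behaviour: only the matching PTR rdata goes away.
    """
    zones.get(fqdn, {}).get("A", set()).discard(ipv4)
    rev = reverse_name(ipv4)
    if buggy:
        zones.pop(rev, None)
    elif rev in zones:
        zones[rev].get("PTR", set()).discard(fqdn)
        if not zones[rev].get("PTR"):
            zones[rev].pop("PTR", None)
    return zones

# Constructed sample data mirroring the policies and records used in this bug.
FORWARD_POLICY_OK = ("grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; "
                     "grant TESTRELM.COM krb5-self * SSHFP;")
FORWARD_POLICY_UNEXPANDED = "grant $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA;"
REVERSE_POLICY = "grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;"
PRINCIPAL = "host/test.example.com@TESTRELM.COM"

def sample_zones():
    return {"test.example.com.": {"A": {"1.2.3.4"}},
            "4.3.2.1.in-addr.arpa.": {"PTR": {"test.example.com."}, "TXT": {"text"}}}
```

Running `unexpanded_variables` over the value shown by `ipa dnszone-show` is a quick check before trying `nsupdate -g` again.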
Xiyang Dong

Verified on: ipa-server-3.3.3-6.el7.x86_64, bind-dyndb-ldap-3.5-2.el7.x86_64

```
[root@70master ~]# kinit admin
Password for admin:
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313346
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testReverseZone=3.2.1.in-addr.arpa.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=ns.$testZone.
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313374
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnsrecord-add $testZone test --a-rec=1.2.3.4 --a-create-reverse
  Record name: test
  A record: 1.2.3.4
[root@70master ~]# ipa dnsrecord-add $testReverseZone 4 --txt-rec=text
  Record name: 4
  PTR record: test.example.com.
  TXT record: text
[root@70master ~]# ipa dnszone-mod $testZone --dynamic-update=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testRealm=TESTRELM.COM
[root@70master ~]# ipa dnszone-mod $testZone --update-policy="grant $testRealm krb5-self * A; grant $testRealm krb5-self * AAAA; grant $testRealm krb5-self * SSHFP;"
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnszone-mod $testZone --allow-sync-ptr=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
[root@70master ~]# ipa dnszone-mod $testReverseZone --dynamic-update=TRUE
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313492
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa host-add test.$testZone
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com
[root@70master ~]# TmpDir=/tmp
[root@70master ~]# MASTER=`hostname`
[root@70master ~]# ipa-getkeytab -s $MASTER -p host/test.$testZone@$testRelm -k $TmpDir/bz958140.keytab
Keytab successfully retrieved and stored in: /tmp/bz958140.keytab
[root@70master ~]# cat > $TmpDir/nsupdate.txt << EOF
> debug
> update delete test.$testZone IN A 1.2.3.4
> send
> EOF
[root@70master ~]#
[root@70master ~]# kinit -k -t $TmpDir/bz958140.keytab host/test.$testZone
[root@70master ~]# nsupdate -g $TmpDir/nsupdate.txt
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39788
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com.              IN      SOA

;; AUTHORITY SECTION:
example.com.            3600    IN      SOA     70master.testrelm.com. hostmaster.example.com. 1390317899 3600 900 1209600 3600

Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31724
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;355206154.sig-70master.testrelm.com. ANY      TKEY

;; ADDITIONAL SECTION:
355206154.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390318478 1390318478 3 NOERROR 643
        YIICfwYJKoZIhvcSAQICAQBuggJuMIICaqADAgEFoQMCAQ6iBwMFACAA
        AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC
        AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi
        oAMCARKhAwIBAqKCARQEggEQXdTDTYvv7mulLQ4IBkKWPvwQAzIs/Myn
        R5iatrlIqN11JHs3VLLHTHUQd8M8Sb9V2TRR5KAXUeVD7nDwW1YAzTly
        rUEQWMFJzTO6pdzF3h96EWaKPafXZdH7IXhIgC5egr81eBYMRqpUH0U6
        M4H6tg4zIFB5NxSrJ5TidihN95m+urToj+jXrcAhgmn2I35e5UkVxwrH
        tqBLYzjypW7DwtGyXrFZB3YT2FhFjHGSrTegEzW/fOdTuiwB1n3GmvJO
        bUXSk7OOqf7DdNSGatKHizmMb5Me3P80Qs8Zn0Y9S2DTJF9JrMdeBW4V
        G+qj2or3k1sPgYdaPNKXlNIoOU52HNwKtHKiOpHrZUtgZuBQtXqkgeAw
        gd2gAwIBEqKB1QSB0vIhiVCR8aYjHRWZqrJkPFkkP6u5jzcR8lOZ2Ac5
        Np2gi0aex57oF1e+cCcSRJGUCn+XESlU5Y53bg2LKRUSItEQLQBuLI9b
        3nLXwwdK0FUt6InJh/e20TFL2V8s4l+zuy9CxsgGupX2dQYRQAkjNzJZ
        pwth6IGytJaOIMSxGa+HCUF9q65Btibxzx4L7/oooHYKcrPXSnRiW05w
        RYAb9sFxqdH0n2TQrtQPP3hD0nDQ+zXP5skBCcoZA8xLoy0i/22lmPIS
        ODUwetJ63KIn0JFQnw== 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31724
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;355206154.sig-70master.testrelm.com. ANY      TKEY

;; ANSWER SECTION:
355206154.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390318478 1390322078 3 NOERROR 156
        YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi
        cQRveDxq7D8QZV56dSegp0Nxv3lIYfm2hUJ2rHbgOAo7r5OPlGtCE+PD
        nd8Y25bl+60evNPS25swKd8Wcqwfl4Aq/6tEi8n8UIDzMAMOLU0OyWq3
        35JAHKZ1P8pjCKb0vliO33qoWM8kLFVXYb1TMR7R 0

Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 34291
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com.       0       NONE    A       1.2.3.4

;; TSIG PSEUDOSECTION:
355206154.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390318478 300 28 BAQE//////8AAAAALePiKrb9/WJLq3X2PPHtDg== 34291 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 34291
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; TSIG PSEUDOSECTION:
355206154.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390318478 300 28 BAQF//////8AAAAALjayzxxVVlemheMlUdZcrw== 34291 NOERROR 0

[root@70master ~]# ipa dnsrecord-find $testZone
  Record name: @
  NS record: ns

  Record name: _kerberos
  TXT record: TESTRELM.COM

  Record name: ns
  A record: 127.0.0.1
----------------------------
Number of entries returned 3
----------------------------
[root@70master ~]# ipa dnsrecord-find $testReverseZone 4
  Record name: 4
  TXT record: text
----------------------------
Number of entries returned 1
----------------------------
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.