Bug 958140 - PTR record synchronization deletes all data under reverse name
Summary: PTR record synchronization deletes all data under reverse name
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Petr Spacek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-30 13:23 UTC by Dmitri Pal
Modified: 2015-01-21 15:41 UTC (History)

Fixed In Version: bind-dyndb-ldap-3.5-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:32:29 UTC
Target Upstream Version:



Description Dmitri Pal 2013-04-30 13:23:33 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/bind-dyndb-ldap/ticket/115

PTR record synchronization sometimes deletes all data under a name in the reverse tree (e.g. `1.2.0.192.in-addr.arpa.`).

'''Inputs'''

Forward zone:
{{{
test.example.com.       3600 IN  A  192.0.2.1
}}}

Reverse zone:
{{{
1.2.0.192.in-addr.arpa. 3600 IN PTR test.example.com.
1.2.0.192.in-addr.arpa. 3600 IN TXT "address reserved for DNS tests"
}}}

Update:
{{{
update delete test.example.com. IN A 192.0.2.1
}}}

'''Result'''

Forward zone:
* Name `test.example.com.` does not exist.

Reverse zone:
* Name `1.2.0.192.in-addr.arpa.` does not exist.

The reverse zone should still contain the original TXT record; only the PTR record should be deleted:
{{{
1.2.0.192.in-addr.arpa. 3600 IN TXT "address reserved for DNS tests"
}}}
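The failure mode above, modelled as an added example (this is not bind-dyndb-ldap's code): zones are plain dicts of owner name to RR list, and the two `delete_a_record_*` functions contrast the reported behaviour, which drops the whole reverse owner name, with the intended one, which removes only the PTR that points back at the deleted forward name. All record values are the ticket's inputs; the helper names are assumptions.

```python
"""Model of PTR record synchronization on A-record deletion.

Constructed example: zones are dicts mapping an owner name to a list of
(type, rdata) tuples. Function names and the zone layout are assumptions
made for illustration, not bind-dyndb-ldap's own code.
"""
import ipaddress
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]


def reverse_name(address: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address.

    The ipaddress module already knows the in-addr.arpa / ip6.arpa encoding;
    only the trailing dot of an absolute name is added here.
    """
    return ipaddress.ip_address(address).reverse_pointer + "."


def _remove_rr(zone: Zone, owner: str, rtype: str, rdata: str) -> None:
    """Remove one RR; drop the owner name only when no RRs remain under it."""
    rrs = zone.get(owner)
    if rrs is None:
        return
    rrs[:] = [rr for rr in rrs if rr != (rtype, rdata)]
    if not rrs:
        del zone[owner]


def delete_a_record_buggy(forward: Zone, reverse: Zone, name: str, address: str) -> None:
    """Behaviour reported in the ticket: the A record goes away and the whole
    reverse owner name is removed, taking unrelated RRs (TXT, ...) with it."""
    _remove_rr(forward, name, "A", address)
    reverse.pop(reverse_name(address), None)


def delete_a_record_fixed(forward: Zone, reverse: Zone, name: str, address: str) -> None:
    """Intended behaviour: remove the A record and only the PTR record that
    points back at the deleted name; every other RR at that owner survives."""
    _remove_rr(forward, name, "A", address)
    _remove_rr(reverse, reverse_name(address), "PTR", name)


def make_zones() -> Tuple[Zone, Zone]:
    """The ticket's inputs: one A record, plus PTR and TXT at the reverse name."""
    forward: Zone = {"test.example.com.": [("A", "192.0.2.1")]}
    reverse: Zone = {
        "1.2.0.192.in-addr.arpa.": [
            ("PTR", "test.example.com."),
            ("TXT", '"address reserved for DNS tests"'),
        ]
    }
    return forward, reverse


def run(fixed: bool) -> Tuple[Zone, Zone]:
    """Apply `update delete test.example.com. IN A 192.0.2.1` and return both zones."""
    forward, reverse = make_zones()
    sync = delete_a_record_fixed if fixed else delete_a_record_buggy
    sync(forward, reverse, "test.example.com.", "192.0.2.1")
    return forward, reverse


if __name__ == "__main__":
    for label, fixed in (("buggy", False), ("fixed", True)):
        fwd, rev = run(fixed)
        print(f"{label}: forward={fwd} reverse={rev}")
```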

Comment 2 Petr Spacek 2013-05-21 11:42:33 UTC
Fixed upstream by commit 1c63c045b5238fb675b7a517876869bcace2cdab.

Comment 3 Xiyang Dong 2014-01-15 20:36:45 UTC
When I delete the A record, however, its reverse record does not get deleted. Is this a bug, or if not, could you provide the correct steps to verify?

[root@70master ipa-ctl]# ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns --ip-addr=127.0.0.1
  Zone name: example.com.
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1389813544
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
                      krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@70master ipa-ctl]# ipa dnszone-add 3.2.1.in-addr.arpa. --admin-email=hostmaster.3.2.1.in-addr.arpa. --name-server=ns.example.com.
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1389817156
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@70master ipa-ctl]# ipa dnsrecord-add example.com. test --a-rec=1.2.3.4 --a-create-reverse
  Record name: test
  A record: 1.2.3.4

[root@70master ipa-ctl]# dig test.example.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> test.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com.		IN	A

;; ANSWER SECTION:
test.example.com.	86400	IN	A	1.2.3.4

;; AUTHORITY SECTION:
example.com.		86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	1.2.3.4

[root@70master ipa-ctl]# ipa dnsrecord-add 3.2.1.in-addr.arpa. 4 --txt-rec="text"
  Record name: 4
  PTR record: test.example.com.
  TXT record: text

[root@70master ipa-ctl]# dig -x 1.2.3.4

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50379
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.	86400	IN	PTR	test.example.com.

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.	86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1


[root@70master ipa-ctl]# ipa dnsrecord-del example.com. test --a-rec=1.2.3.4
---------------------
Deleted record "test"
---------------------

[root@70master ipa-ctl]# ipa dnsrecord-find example.com.
  Record name: @
  NS record: ns

  Record name: _kerberos
  TXT record: TESTRELM.COM

  Record name: ns
  A record: 127.0.0.1
----------------------------
Number of entries returned 3
----------------------------

[root@70master ipa-ctl]# ipa dnsrecord-find 3.2.1.in-addr.arpa.
  Record name: 4
  PTR record: test.example.com.
  TXT record: text

  Record name: @
  NS record: ns.example.com.

[root@70master ipa-ctl]# dig -x 1.2.3.4

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2067
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.	86400	IN	PTR	test.example.com.

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.	86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1


[root@70master ipa-ctl]# dig -x 1.2.3.4 -t TXT

; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4 -t TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6236
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa.		IN	TXT

;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.	86400	IN	TXT	"text"

;; AUTHORITY SECTION:
3.2.1.in-addr.arpa.	86400	IN	NS	ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.		86400	IN	A	127.0.0.1

Comment 4 Petr Spacek 2014-01-16 08:33:40 UTC
You have to enable PTR record synchronization and use 'nsupdate -g' to do updates. I'm sorry that it is not clear from the bug description.

PTR record synchronization is described at:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR

Comment 5 Xiyang Dong 2014-01-17 14:07:15 UTC
After checking the PTR record sync doc I found:

Forward and reverse zones are hosted on the same server inside the same bind-dyndb-ldap instance.

    Both zones are managed by bind-dyndb-ldap driver declared in the one dynamic-db section of /etc/named.conf. 

Say my machine is 70master.testrelm.com and right now named.conf is:

...
dynamic-db "ipa" {
	library "ldap.so";
	arg "uri ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket";
	arg "base cn=dns, dc=testrelm,dc=com";
	arg "fake_mname 70master.testrelm.com.";
	arg "auth_method sasl";
	arg "sasl_mech GSSAPI";
	arg "sasl_user DNS/70master.testrelm.com";
	arg "serial_autoincrement yes";
};

If I want to set up test.sample.com. with A record 1.2.3.4 for testing,
what is the correct config for both zones sample.com. and 3.2.1.in-addr.arpa. in the dynamic-db part?


and for this config requirement:
    FreeIPA's default update policy for forward zones is: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; where EXAMPLE.COM is your Kerberos REALM. 

My current Kerberos REALM is TESTRELM.COM, so do I need to temporarily change it to EXAMPLE.COM for this test and then change it back?

Comment 6 Petr Spacek 2014-01-17 14:31:32 UTC
(In reply to Xiyang Dong from comment #5)
> If I want to set up test.sample.com. with A record 1.2.3.4 for testing,
> what is the correct config for both zones sample.com. and
> 3.2.1.in-addr.arpa. in the dynamic-db part?

The original configuration in named.conf is perfectly fine; use only the IPA CLI for configuration if you don't need something special.

> and for this config requirement:
>     FreeIPA's default update policy for forward zones is: grant EXAMPLE.COM
> krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM
> krb5-self * SSHFP; where EXAMPLE.COM is your Kerberos REALM. 
> 
> My current Kerberos REALM is TESTRELM.COM, so do I need to temporarily change
> it to EXAMPLE.COM for this test and then change it back?
EXAMPLE.COM should be automatically replaced by the IPA installer; you should see TESTRELM.COM in the output from
$ ipa dnszone-show --all <yourzone>

The default policy is automatically added to new DNS zones, so you don't need to touch it.

The configuration described at https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR#QuickConfigurationforFreeIPA is valid; just follow the steps in the text.

Comment 7 Xiyang Dong 2014-01-21 14:25:07 UTC
Hi Petr,
I still got refused when doing the update. Below are my steps:

[root@70master ~]# kinit admin
Password for admin: 
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313346
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self
                      * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testReverseZone=3.2.1.in-addr.arpa.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=ns.$testZone.
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313374
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnsrecord-add $testZone test --a-rec=1.2.3.4 --a-create-reverse
  Record name: test
  A record: 1.2.3.4
[root@70master ~]# ipa dnsrecord-add $testReverseZone 4 --txt-rec=text
  Record name: 4
  PTR record: test.example.com.
  TXT record: text

[root@70master ~]# ipa dnszone-mod $testZone --dynamic-update=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testRelm=TESTRELM.COM
[root@70master ~]# ipa dnszone-mod $testZone --update-policy='grant $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm krb5-self * SSHFP;'
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant $testRelm krb5-self * A; grant $testRelm krb5-self *
                      AAAA; grant $testRelm krb5-self * SSHFP;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnszone-mod $testZone --allow-sync-ptr=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
[root@70master ~]# ipa dnszone-mod $testReverseZone --dynamic-update=TRUE
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313492
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

[root@70master ~]# ipa host-add test.$testZone
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com
[root@70master ~]# TmpDir=/tmp
[root@70master ~]# MASTER=`hostname`
[root@70master ~]# ipa-getkeytab -s $MASTER -p host/test.$testZone@$testRelm -k $TmpDir/bz958140.keytab
Keytab successfully retrieved and stored in: /tmp/bz958140.keytab

[root@70master ~]# cat > $TmpDir/nsupdate.txt << EOF
> debug
> update delete test.$testZone IN A 1.2.3.4
> send
> EOF
[root@70master ~]# 
[root@70master ~]# kinit -k -t $TmpDir/bz958140.keytab host/test.$testZone

[root@70master ~]# nsupdate -g $TmpDir/nsupdate.txt
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  50755
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com.		IN	SOA

;; AUTHORITY SECTION:
example.com.		3600	IN	SOA	70master.testrelm.com. hostmaster.example.com. 1390313485 3600 900 1209600 3600

Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  58456
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2624493634.sig-70master.testrelm.com. ANY TKEY

;; ADDITIONAL SECTION:
2624493634.sig-70master.testrelm.com. 0	ANY TKEY gss-tsig. 1390313831 1390313831 3 NOERROR 643 YIICfwYJKoZIhvcSAQICAQBuggJuMIICaqADAgEFoQMCAQ6iBwMFACAA AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi oAMCARKhAwIBAqKCARQEggEQzcPnhE8mVNZEUZ5xlt/gJTXITCpjkM+S 6RFUrzoeunEo6EyghjHkzlTfobNwjiyuuXm6R4wr0rYlfeiqn6H3/Ivr hYI2BvUFWrrW8cBxvj4FcJrDU4ytuaeftqa8YVjq3dc8A99TWQVlHwtX wVXdJa7hP2GMT7nsH47MhIViDUOW/CjDnTvPeyM0O94o1EqptU0I5mbE oABb+SUVuaKksJdHX6idB2MKp98uZ2ls4p+AvC/40FmMVyiAuZUJDbZ1 jaKxAHeyEpvI5f+/1oZztfApbZZynRQWxGioYVilE02LW6MeFOAqkiKr ABcO6Aip3MWDw8v9OSBn6dxzENJSGLnCsM1daZ4Y7TsuHhofCTakgeAw gd2gAwIBEqKB1QSB0vB/P8QLYf83oeqENUk2YHleVHIVE1KrQ+g+2mao xTGv1rvKrG9oGTKieuiAos5cmATvW1H3bzoTFHS6XG0vOnZs3Ti1yZbq hlvjUtzk1Bd4hWYjzqmalAnV/kpRlC7Pk8OE6xJLihACNJLm8jFeDSTt /Z1GW50/dm6jhjY744bpMj0Ie/GbmXvGOPMnghYYgcCeuW9THwVUqzj/ ozd5PjvGdaRQ4W615szI8B3B+pDclrI/DtRkX6t7qHuwIKovPHMUwqYz iRIJyEbcYFDiIlg9uA== 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  58456
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2624493634.sig-70master.testrelm.com. ANY TKEY

;; ANSWER SECTION:
2624493634.sig-70master.testrelm.com. 0	ANY TKEY gss-tsig. 1390313831 1390317431 3 NOERROR 156 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi cQRvfzKND0CB5oRT9ib9K10A6o+9Xr5NEBFuYbPPZzNfK7984kn6nj/P 7KLUtqwN6Mn09UMOJ2azd+uehW3eS4/U/5SxOA63VjhkWn6/V94Dblvk cz6s1+waKsPUg5mxmFskd6iz2MNFfRkqZ9J1hiFV 0

Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   3143
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com.	0	NONE	A	1.2.3.4

;; TSIG PSEUDOSECTION:
2624493634.sig-70master.testrelm.com. 0	ANY TSIG gss-tsig. 1390313831 300 28 BAQE//////8AAAAAK8jvItMJYqplk3YdBpnjGw== 3143 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:   3143
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.			IN	SOA

;; TSIG PSEUDOSECTION:
2624493634.sig-70master.testrelm.com. 0	ANY TSIG gss-tsig. 1390313831 300 28 BAQF//////8AAAAAD2rPc0YMT/GjtdLMYR0Gpg== 3143 NOERROR 0 


in /var/log/messages:
Jan 21 09:17:11 70master named[28475]: client 10.18.57.215#38837/key host/test.example.com\@TESTRELM.COM: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)

Comment 8 Petr Spacek 2014-01-21 14:59:07 UTC
(In reply to Xiyang Dong from comment #7)
> [root@70master ~]# ipa dnszone-mod $testZone --update-policy='grant
> $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm
> krb5-self * SSHFP;'
>   Zone name: example.com
...
>   BIND update policy: grant $testRelm krb5-self * A; grant $testRelm
> krb5-self *
>                       AAAA; grant $testRelm krb5-self * SSHFP;

Note that $testRelm was not expanded, so BIND can't possibly match the client's realm to the string "$testRelm".

The rest of the configuration seems fine; please retry the test with the $testRelm variable expanded.

Have a nice day!

Comment 9 Xiyang Dong 2014-01-21 15:47:27 UTC
Verified on:
ipa-server-3.3.3-6.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64

[root@70master ~]# kinit admin
Password for admin: 
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313346
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self
                      * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testReverseZone=3.2.1.in-addr.arpa.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=ns.$testZone.
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313374
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnsrecord-add $testZone test --a-rec=1.2.3.4 --a-create-reverse
  Record name: test
  A record: 1.2.3.4
[root@70master ~]# ipa dnsrecord-add $testReverseZone 4 --txt-rec=text
  Record name: 4
  PTR record: test.example.com.
  TXT record: text

[root@70master ~]# ipa dnszone-mod $testZone --dynamic-update=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# testRealm=TESTRELM.COM
[root@70master ~]# ipa dnszone-mod $testZone --update-policy="grant $testRealm krb5-self * A; grant $testRealm krb5-self * AAAA; grant $testRealm krb5-self * SSHFP;"
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self *
                      AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
[root@70master ~]# ipa dnszone-mod $testZone --allow-sync-ptr=TRUE
  Zone name: example.com
  Authoritative nameserver: ns
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1390313485
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
[root@70master ~]# ipa dnszone-mod $testReverseZone --dynamic-update=TRUE
  Zone name: 3.2.1.in-addr.arpa.
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
  SOA serial: 1390313492
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

[root@70master ~]# ipa host-add test.$testZone
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com
[root@70master ~]# TmpDir=/tmp
[root@70master ~]# MASTER=`hostname`
[root@70master ~]# ipa-getkeytab -s $MASTER -p host/test.$testZone@$testRelm -k $TmpDir/bz958140.keytab
Keytab successfully retrieved and stored in: /tmp/bz958140.keytab

[root@70master ~]# cat > $TmpDir/nsupdate.txt << EOF
> debug
> update delete test.$testZone IN A 1.2.3.4
> send
> EOF
[root@70master ~]# 
[root@70master ~]# kinit -k -t $TmpDir/bz958140.keytab host/test.$testZone
[root@70master ~]# nsupdate -g $TmpDir/nsupdate.txt
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39788
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com.		IN	SOA

;; AUTHORITY SECTION:
example.com.		3600	IN	SOA	70master.testrelm.com. hostmaster.example.com. 1390317899 3600 900 1209600 3600

Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  31724
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;355206154.sig-70master.testrelm.com. ANY TKEY

;; ADDITIONAL SECTION:
355206154.sig-70master.testrelm.com. 0 ANY TKEY	gss-tsig. 1390318478 1390318478 3 NOERROR 643 YIICfwYJKoZIhvcSAQICAQBuggJuMIICaqADAgEFoQMCAQ6iBwMFACAA AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi oAMCARKhAwIBAqKCARQEggEQXdTDTYvv7mulLQ4IBkKWPvwQAzIs/Myn R5iatrlIqN11JHs3VLLHTHUQd8M8Sb9V2TRR5KAXUeVD7nDwW1YAzTly rUEQWMFJzTO6pdzF3h96EWaKPafXZdH7IXhIgC5egr81eBYMRqpUH0U6 M4H6tg4zIFB5NxSrJ5TidihN95m+urToj+jXrcAhgmn2I35e5UkVxwrH tqBLYzjypW7DwtGyXrFZB3YT2FhFjHGSrTegEzW/fOdTuiwB1n3GmvJO bUXSk7OOqf7DdNSGatKHizmMb5Me3P80Qs8Zn0Y9S2DTJF9JrMdeBW4V G+qj2or3k1sPgYdaPNKXlNIoOU52HNwKtHKiOpHrZUtgZuBQtXqkgeAw gd2gAwIBEqKB1QSB0vIhiVCR8aYjHRWZqrJkPFkkP6u5jzcR8lOZ2Ac5 Np2gi0aex57oF1e+cCcSRJGUCn+XESlU5Y53bg2LKRUSItEQLQBuLI9b 3nLXwwdK0FUt6InJh/e20TFL2V8s4l+zuy9CxsgGupX2dQYRQAkjNzJZ pwth6IGytJaOIMSxGa+HCUF9q65Btibxzx4L7/oooHYKcrPXSnRiW05w RYAb9sFxqdH0n2TQrtQPP3hD0nDQ+zXP5skBCcoZA8xLoy0i/22lmPIS ODUwetJ63KIn0JFQnw== 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  31724
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;355206154.sig-70master.testrelm.com. ANY TKEY

;; ANSWER SECTION:
355206154.sig-70master.testrelm.com. 0 ANY TKEY	gss-tsig. 1390318478 1390322078 3 NOERROR 156 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi cQRveDxq7D8QZV56dSegp0Nxv3lIYfm2hUJ2rHbgOAo7r5OPlGtCE+PD nd8Y25bl+60evNPS25swKd8Wcqwfl4Aq/6tEi8n8UIDzMAMOLU0OyWq3 35JAHKZ1P8pjCKb0vliO33qoWM8kLFVXYb1TMR7R 0

Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  34291
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com.	0	NONE	A	1.2.3.4

;; TSIG PSEUDOSECTION:
355206154.sig-70master.testrelm.com. 0 ANY TSIG	gss-tsig. 1390318478 300 28 BAQE//////8AAAAALePiKrb9/WJLq3X2PPHtDg== 34291 NOERROR 0 


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  34291
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.			IN	SOA

;; TSIG PSEUDOSECTION:
355206154.sig-70master.testrelm.com. 0 ANY TSIG	gss-tsig. 1390318478 300 28 BAQF//////8AAAAALjayzxxVVlemheMlUdZcrw== 34291 NOERROR 0 

[root@70master ~]# ipa dnsrecord-find $testZone 
  Record name: @
  NS record: ns

  Record name: _kerberos
  TXT record: TESTRELM.COM

  Record name: ns
  A record: 127.0.0.1
----------------------------
Number of entries returned 3
----------------------------

[root@70master ~]# ipa dnsrecord-find $testReverseZone 4
  Record name: 4
  TXT record: text
----------------------------
Number of entries returned 1
----------------------------

Comment 11 Ludek Smid 2014-06-13 10:32:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

