Bug 958140
| Summary: | PTR record synchronization deletes all data under reverse name | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | bind-dyndb-ldap | Assignee: | Petr Spacek <pspacek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | mkosek, pspacek, xdong |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | bind-dyndb-ldap-3.5-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 10:32:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Dmitri Pal
2013-04-30 13:23:33 UTC
Fixed upstream by commit 1c63c045b5238fb675b7a517876869bcace2cdab. When I delete the A record ,however it's reverse record did not get deleted.Is this a bug or if not ,could you provide the correct steps to verify ?
[root@70master ipa-ctl]# ipa dnszone-add example.com. --admin-email=hostmaster.example.com. --name-server=ns --ip-addr=127.0.0.1
Zone name: example.com.
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1389813544
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM
krb5-self * SSHFP;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@70master ipa-ctl]# ipa dnszone-add 3.2.1.in-addr.arpa. --admin-email=hostmaster.3.2.1.in-addr.arpa. --name-server=ns.example.com.
Zone name: 3.2.1.in-addr.arpa.
Authoritative nameserver: ns.example.com.
Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
SOA serial: 1389817156
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@70master ipa-ctl]# ipa dnsrecord-add example.com. test --a-rec=1.2.3.4 --a-create-reverse
Record name: test
A record: 1.2.3.4
[root@70master ipa-ctl]# dig test.example.com.
; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> test.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.example.com. IN A
;; ANSWER SECTION:
test.example.com. 86400 IN A 1.2.3.4
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 86400 IN A 1.2.3.4
[root@70master ipa-ctl]# ipa dnsrecord-add 3.2.1.in-addr.arpa. 4 --txt-rec="text"
Record name: 4
PTR record: test.example.com.
TXT record: text
[root@70master ipa-ctl]# dig -x 1.2.3.4
; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50379
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 86400 IN PTR test.example.com.
;; AUTHORITY SECTION:
3.2.1.in-addr.arpa. 86400 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 86400 IN A 127.0.0.1
[root@70master ipa-ctl]# ipa dnsrecord-del example.com. test --a-rec=1.2.3.4
---------------------
Deleted record "test"
---------------------
[root@70master ipa-ctl]# ipa dnsrecord-find example.com.
Record name: @
NS record: ns
Record name: _kerberos
TXT record: TESTRELM.COM
Record name: ns
A record: 127.0.0.1
----------------------------
Number of entries returned 3
----------------------------
[root@70master ipa-ctl]# ipa dnsrecord-find 3.2.1.in-addr.arpa.
Record name: 4
PTR record: test.example.com.
TXT record: text
Record name: @
NS record: ns.example.com.
[root@70master ipa-ctl]# dig -x 1.2.3.4
; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2067
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 86400 IN PTR test.example.com.
;; AUTHORITY SECTION:
3.2.1.in-addr.arpa. 86400 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 86400 IN A 127.0.0.1
[root@70master ipa-ctl]# dig -x 1.2.3.4 -t TXT
; <<>> DiG 9.9.4-RedHat-9.9.4-9.el7 <<>> -x 1.2.3.4 -t TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6236
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa. IN TXT
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 86400 IN TXT "text"
;; AUTHORITY SECTION:
3.2.1.in-addr.arpa. 86400 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 86400 IN A 127.0.0.1
You have to enable PTR record synchronization and use 'nsupdate -g' to do updates. I'm sorry that it is not clear from the bug description. PTR record synchronization is described at: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR after checking PTR record sync doc I found:
Forward and reverse zones are hosted on the same server inside the same bind-dyndb-ldap instance.
Both zones are managed by bind-dyndb-ldap driver declared in the one dynamic-db section of /etc/named.conf.
Say my machine is 70master.testrelm.com and right now named.conf is:
...
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket";
arg "base cn=dns, dc=testrelm,dc=com";
arg "fake_mname 70master.testrelm.com.";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/70master.testrelm.com";
arg "serial_autoincrement yes";
};
If I want to set up test.sample.com. and with A record 1.2.3.4 for testing,
What it the correct config for both zones sample.com. and 3.2.1.in-addr.arpa. in dynamic-db part ?
and for this config requirement:
FreeIPA's default update policy for forward zones is: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; where EXAMPLE.COM is your Kerberos REALM.
my current kerberos REALM is TESTRELM.COM ,so I need to temporarily change it to EXAMPLE.COM for this test and then change it back?
(In reply to Xiyang Dong from comment #5) > If I want to set up test.sample.com. and with A record 1.2.3.4 for testing, > What it the correct config for both zones sample.com. and > 3.2.1.in-addr.arpa. in dynamic-db part ? The original configuration in named.conf is perfectly fine, use only IPA CLI for configuration if you don't need something special. > and for this config requirement: > FreeIPA's default update policy for forward zones is: grant EXAMPLE.COM > krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM > krb5-self * SSHFP; where EXAMPLE.COM is your Kerberos REALM. > > my current kerberos REALM is TESTRELM.COM ,so I need to temporarily change > it to EXAMPLE.COM for this test and then change it back? EXAMPLE.COM should be automatically replaced by IPA installer, you should see TESTRELM.COM in the output from $ ipa dnszone-show --all <yourzone> Default policy is automatically added to new DNS zones so you don't need to touch it. Configuration described https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR#QuickConfigurationforFreeIPA is valid, just follow steps in the text. Hi Petr ,
I still got refused when doing the update. Below are my steps:
[root@70master ~]# kinit admin
Password for admin:
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313346
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self
* AAAA; grant TESTRELM.COM krb5-self * SSHFP;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@70master ~]# testReverseZone=3.2.1.in-addr.arpa.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=ns.$testZone.
Zone name: 3.2.1.in-addr.arpa.
Authoritative nameserver: ns.example.com.
Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
SOA serial: 1390313374
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@70master ~]# ipa dnsrecord-add $testZone test --a-rec=1.2.3.4 --a-create-reverse
Record name: test
A record: 1.2.3.4
[root@70master ~]# ipa dnsrecord-add $testReverseZone 4 --txt-rec=text
Record name: 4
PTR record: test.example.com.
TXT record: text
[root@70master ~]# ipa dnszone-mod $testZone --dynamic-update=TRUE
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313485
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
[root@70master ~]# testRelm=TESTRELM.COM
[root@70master ~]# ipa dnszone-mod $testZone --update-policy='grant $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm krb5-self * SSHFP;'
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313485
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant $testRelm krb5-self * A; grant $testRelm krb5-self *
AAAA; grant $testRelm krb5-self * SSHFP;
Active zone: TRUE
Allow query: any;
Allow transfer: none;
[root@70master ~]# ipa dnszone-mod $testZone --allow-sync-ptr=TRUE
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313485
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
[root@70master ~]# ipa dnszone-mod $testReverseZone --dynamic-update=TRUE
Zone name: 3.2.1.in-addr.arpa.
Authoritative nameserver: ns.example.com.
Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
SOA serial: 1390313492
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
[root@70master ~]# ipa host-add test.$testZone
-----------------------------
Added host "test.example.com"
-----------------------------
Host name: test.example.com
Principal name: host/test.example.com
Password: False
Keytab: False
Managed by: test.example.com
[root@70master ~]# TmpDir=/tmp
[root@70master ~]# MASTER=`hostname`
[root@70master ~]# ipa-getkeytab -s $MASTER -p host/test.$testZone@$testRelm -k $TmpDir/bz958140.keytab
Keytab successfully retrieved and stored in: /tmp/bz958140.keytab
[root@70master ~]# cat > $TmpDir/nsupdate.txt << EOF
> debug
> update delete test.$testZone IN A 1.2.3.4
> send
> EOF
[root@70master ~]#
[root@70master ~]# kinit -k -t $TmpDir/bz958140.keytab host/test.$testZone
[root@70master ~]# nsupdate -g $TmpDir/nsupdate.txt
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50755
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com. IN SOA
;; AUTHORITY SECTION:
example.com. 3600 IN SOA 70master.testrelm.com. hostmaster.example.com. 1390313485 3600 900 1209600 3600
Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58456
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2624493634.sig-70master.testrelm.com. ANY TKEY
;; ADDITIONAL SECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390313831 1390313831 3 NOERROR 643 YIICfwYJKoZIhvcSAQICAQBuggJuMIICaqADAgEFoQMCAQ6iBwMFACAA AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi oAMCARKhAwIBAqKCARQEggEQzcPnhE8mVNZEUZ5xlt/gJTXITCpjkM+S 6RFUrzoeunEo6EyghjHkzlTfobNwjiyuuXm6R4wr0rYlfeiqn6H3/Ivr hYI2BvUFWrrW8cBxvj4FcJrDU4ytuaeftqa8YVjq3dc8A99TWQVlHwtX wVXdJa7hP2GMT7nsH47MhIViDUOW/CjDnTvPeyM0O94o1EqptU0I5mbE oABb+SUVuaKksJdHX6idB2MKp98uZ2ls4p+AvC/40FmMVyiAuZUJDbZ1 jaKxAHeyEpvI5f+/1oZztfApbZZynRQWxGioYVilE02LW6MeFOAqkiKr ABcO6Aip3MWDw8v9OSBn6dxzENJSGLnCsM1daZ4Y7TsuHhofCTakgeAw gd2gAwIBEqKB1QSB0vB/P8QLYf83oeqENUk2YHleVHIVE1KrQ+g+2mao xTGv1rvKrG9oGTKieuiAos5cmATvW1H3bzoTFHS6XG0vOnZs3Ti1yZbq hlvjUtzk1Bd4hWYjzqmalAnV/kpRlC7Pk8OE6xJLihACNJLm8jFeDSTt /Z1GW50/dm6jhjY744bpMj0Ie/GbmXvGOPMnghYYgcCeuW9THwVUqzj/ ozd5PjvGdaRQ4W615szI8B3B+pDclrI/DtRkX6t7qHuwIKovPHMUwqYz iRIJyEbcYFDiIlg9uA== 0
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58456
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2624493634.sig-70master.testrelm.com. ANY TKEY
;; ANSWER SECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390313831 1390317431 3 NOERROR 156 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi cQRvfzKND0CB5oRT9ib9K10A6o+9Xr5NEBFuYbPPZzNfK7984kn6nj/P 7KLUtqwN6Mn09UMOJ2azd+uehW3eS4/U/5SxOA63VjhkWn6/V94Dblvk cz6s1+waKsPUg5mxmFskd6iz2MNFfRkqZ9J1hiFV 0
Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 3143
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com. 0 NONE A 1.2.3.4
;; TSIG PSEUDOSECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390313831 300 28 BAQE//////8AAAAAK8jvItMJYqplk3YdBpnjGw== 3143 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 3143
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; TSIG PSEUDOSECTION:
2624493634.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390313831 300 28 BAQF//////8AAAAAD2rPc0YMT/GjtdLMYR0Gpg== 3143 NOERROR 0
in /var/log/messages:
Jan 21 09:17:11 70master named[28475]: client 10.18.57.215#38837/key host/test.example.com\@TESTRELM.COM: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)
(In reply to Xiyang Dong from comment #7) > [root@70master ~]# ipa dnszone-mod $testZone --update-policy='grant > $testRelm krb5-self * A; grant $testRelm krb5-self * AAAA; grant $testRelm > krb5-self * SSHFP;' > Zone name: example.com ... > BIND update policy: grant $testRelm krb5-self * A; grant $testRelm > krb5-self * > AAAA; grant $testRelm krb5-self * SSHFP; Note that $testRelm was not expanded so BIND can't possibly match client's realm to string "$testRelm". Rest of the configuration seems fine, please retry the test with expanded $testRelm variable. Have a nice day! Verified on :
ipa-server-3.3.3-6.el7.x86_64
bind-dyndb-ldap-3.5-2.el7.x86_64
[root@70master ~]# kinit admin
Password for admin:
[root@70master ~]# testZone=example.com
[root@70master ~]# ipa dnszone-add $testZone --admin-email=hostmaster.$testZone --name-server=ns --ip-address=127.0.0.1
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313346
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self
* AAAA; grant TESTRELM.COM krb5-self * SSHFP;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@70master ~]# testReverseZone=3.2.1.in-addr.arpa.
[root@70master ~]# ipa dnszone-add $testReverseZone --admin-email=hostmaster.$testReverseZone --name-server=ns.$testZone.
Zone name: 3.2.1.in-addr.arpa.
Authoritative nameserver: ns.example.com.
Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
SOA serial: 1390313374
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-subdomain 3.2.1.in-addr.arpa. PTR;
Active zone: TRUE
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;
[root@70master ~]# ipa dnsrecord-add $testZone test --a-rec=1.2.3.4 --a-create-reverse
Record name: test
A record: 1.2.3.4
[root@70master ~]# ipa dnsrecord-add $testReverseZone 4 --txt-rec=text
Record name: 4
PTR record: test.example.com.
TXT record: text
[root@70master ~]# ipa dnszone-mod $testZone --dynamic-update=TRUE
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313485
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
[root@70master ~]# testRealm=TESTRELM.COM
[root@70master ~]# ipa dnszone-mod $testZone --update-policy="grant $testRealm krb5-self * A; grant $testRealm krb5-self * AAAA; grant $testRealm krb5-self * SSHFP;"
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313485
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self *
AAAA; grant TESTRELM.COM krb5-self * SSHFP;
Active zone: TRUE
Allow query: any;
Allow transfer: none;
[root@70master ~]# ipa dnszone-mod $testZone --allow-sync-ptr=TRUE
Zone name: example.com
Authoritative nameserver: ns
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1390313485
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
[root@70master ~]# ipa dnszone-mod $testReverseZone --dynamic-update=TRUE
Zone name: 3.2.1.in-addr.arpa.
Authoritative nameserver: ns.example.com.
Administrator e-mail address: hostmaster.3.2.1.in-addr.arpa.
SOA serial: 1390313492
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
[root@70master ~]# ipa host-add test.$testZone
-----------------------------
Added host "test.example.com"
-----------------------------
Host name: test.example.com
Principal name: host/test.example.com
Password: False
Keytab: False
Managed by: test.example.com
[root@70master ~]# TmpDir=/tmp
[root@70master ~]# MASTER=`hostname`
[root@70master ~]# ipa-getkeytab -s $MASTER -p host/test.$testZone@$testRelm -k $TmpDir/bz958140.keytab
Keytab successfully retrieved and stored in: /tmp/bz958140.keytab
[root@70master ~]# cat > $TmpDir/nsupdate.txt << EOF
> debug
> update delete test.$testZone IN A 1.2.3.4
> send
> EOF
[root@70master ~]#
[root@70master ~]# kinit -k -t $TmpDir/bz958140.keytab host/test.$testZone
[root@70master ~]# nsupdate -g $TmpDir/nsupdate.txt
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39788
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com. IN SOA
;; AUTHORITY SECTION:
example.com. 3600 IN SOA 70master.testrelm.com. hostmaster.example.com. 1390317899 3600 900 1209600 3600
Found zone name: example.com
The master is: 70master.testrelm.com
start_gssrequest
Found realm from ticket: TESTRELM.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31724
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;355206154.sig-70master.testrelm.com. ANY TKEY
;; ADDITIONAL SECTION:
355206154.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390318478 1390318478 3 NOERROR 643 YIICfwYJKoZIhvcSAQICAQBuggJuMIICaqADAgEFoQMCAQ6iBwMFACAA AACjggFwYYIBbDCCAWigAwIBBaEOGwxURVNUUkVMTS5DT02iJzAloAMC AQGhHjAcGwNETlMbFTcwbWFzdGVyLnRlc3RyZWxtLmNvbaOCASYwggEi oAMCARKhAwIBAqKCARQEggEQXdTDTYvv7mulLQ4IBkKWPvwQAzIs/Myn R5iatrlIqN11JHs3VLLHTHUQd8M8Sb9V2TRR5KAXUeVD7nDwW1YAzTly rUEQWMFJzTO6pdzF3h96EWaKPafXZdH7IXhIgC5egr81eBYMRqpUH0U6 M4H6tg4zIFB5NxSrJ5TidihN95m+urToj+jXrcAhgmn2I35e5UkVxwrH tqBLYzjypW7DwtGyXrFZB3YT2FhFjHGSrTegEzW/fOdTuiwB1n3GmvJO bUXSk7OOqf7DdNSGatKHizmMb5Me3P80Qs8Zn0Y9S2DTJF9JrMdeBW4V G+qj2or3k1sPgYdaPNKXlNIoOU52HNwKtHKiOpHrZUtgZuBQtXqkgeAw gd2gAwIBEqKB1QSB0vIhiVCR8aYjHRWZqrJkPFkkP6u5jzcR8lOZ2Ac5 Np2gi0aex57oF1e+cCcSRJGUCn+XESlU5Y53bg2LKRUSItEQLQBuLI9b 3nLXwwdK0FUt6InJh/e20TFL2V8s4l+zuy9CxsgGupX2dQYRQAkjNzJZ pwth6IGytJaOIMSxGa+HCUF9q65Btibxzx4L7/oooHYKcrPXSnRiW05w RYAb9sFxqdH0n2TQrtQPP3hD0nDQ+zXP5skBCcoZA8xLoy0i/22lmPIS ODUwetJ63KIn0JFQnw== 0
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31724
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;355206154.sig-70master.testrelm.com. ANY TKEY
;; ANSWER SECTION:
355206154.sig-70master.testrelm.com. 0 ANY TKEY gss-tsig. 1390318478 1390322078 3 NOERROR 156 YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKi cQRveDxq7D8QZV56dSegp0Nxv3lIYfm2hUJ2rHbgOAo7r5OPlGtCE+PD nd8Y25bl+60evNPS25swKd8Wcqwfl4Aq/6tEi8n8UIDzMAMOLU0OyWq3 35JAHKZ1P8pjCKb0vliO33qoWM8kLFVXYb1TMR7R 0
Sending update to 10.18.57.215#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 34291
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
test.example.com. 0 NONE A 1.2.3.4
;; TSIG PSEUDOSECTION:
355206154.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390318478 300 28 BAQE//////8AAAAALePiKrb9/WJLq3X2PPHtDg== 34291 NOERROR 0
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 34291
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; TSIG PSEUDOSECTION:
355206154.sig-70master.testrelm.com. 0 ANY TSIG gss-tsig. 1390318478 300 28 BAQF//////8AAAAALjayzxxVVlemheMlUdZcrw== 34291 NOERROR 0
[root@70master ~]# ipa dnsrecord-find $testZone
Record name: @
NS record: ns
Record name: _kerberos
TXT record: TESTRELM.COM
Record name: ns
A record: 127.0.0.1
----------------------------
Number of entries returned 3
----------------------------
----------------------------
[root@70master ~]# ipa dnsrecord-find $testReverseZone 4
Record name: 4
TXT record: text
----------------------------
Number of entries returned 1
----------------------------
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |