#5918 dynamic updates work for forward zone but not reverse zone
Closed: Invalid. Opened 8 years ago by brianjmurrell.

I have a FreeIPA 4.2.0 installation on CentOS 7.2. I have managed to get dynamic DNS updates to work for a given forward zone but the reverse zone keeps returning NOTAUTH. Here are the two zone descriptions:

  dn: idnsname=example.com.,cn=dns,dc=example,dc=com
  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: server.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1464354354
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant linux_home_nsupdate wildcard * ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: 10.75.22.1;
  mxrecord: 200 linux
  nsrecord: server.example.com.
  objectclass: idnszone, top, idnsrecord
  txtrecord: "v=spf1 a:server.klug.on.ca"


  dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
  Zone name: 0.8.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: server.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1464354356
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. PTR; grant linux_home_nsupdate wildcard * ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: server.example.com.
  objectclass: idnszone, top, idnsrecord

Here are example updates to the two zones:

# nsupdate -y linux_home_nsupdate:<key> -d /tmp/fwdupdate 
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.           IN      SOA

;; UPDATE SECTION:
chost.example.com. 0    ANY     A       
chost.example.com. 60   IN      A       10.8.0.2

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.           IN      SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0


# nsupdate -y linux_home_nsupdate:<key> -d /tmp/revupdate 
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26720
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; UPDATE SECTION:
2.0.10.8.in-addr.arpa.  0       ANY     PTR     
2.0.10.8.in-addr.arpa.  60      IN      PTR     chost.example.com.

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  26720
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0

When the first update is done the following is logged by named-pkcs11:

client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': deleting rrset at 'chost.example.com' A
client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': adding an RR at 'chost.example.com' A

Nothing is logged for the second update attempt.


This turned out to be a transposition of 2.0.8.10.in-addr.arpa. to 2.0.10.8.in-addr.arpa.
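The failure mode in this ticket is easy to reproduce by hand: the octets of 10.8.0.2 were reversed as 2.0.10.8 instead of 2.0.8.10, so the UPDATE named a zone (0.10.8.in-addr.arpa.) that the server does not serve, and BIND answered NOTAUTH without logging anything. The following is an added example, not code from the ticket or from FreeIPA, that derives the reverse owner name and zone from the address with Python's standard ipaddress module and checks an nsupdate PTR request for exactly this kind of inconsistency before it is sent. The zone list, the hostname and the addresses are the ones quoted in the ticket; the function names and the idea of a pre-send check are assumptions of this example.

```python
import ipaddress

# Zones the FreeIPA server in the ticket is authoritative for (taken from the ticket).
SERVER_ZONES = ["example.com.", "0.8.10.in-addr.arpa."]


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa / ip6.arpa owner name for an address, with a trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(prefix: str) -> str:
    """Return the reverse zone apex for an octet-aligned IPv4 network (/8, /16 or /24)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("only octet-aligned IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def name_in_zone(name: str, zone: str) -> bool:
    """True if the owner name is at or below the zone apex (label-wise, case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def check_ptr_update(server_zones, update_zone, owner_name, ip, target):
    """
    Sanity-check a PTR update before handing it to nsupdate.
    Returns a list of human-readable problems; an empty list means the request
    is consistent with the address and with the zones the server serves.
    """
    problems = []
    expected_owner = reverse_name(ip)
    if owner_name.lower() != expected_owner:
        problems.append(
            f"owner {owner_name} is not the reverse name of {ip} (expected {expected_owner})"
        )
    if update_zone.lower() not in {z.lower() for z in server_zones}:
        # This is the case from the ticket: the server answers NOTAUTH and logs nothing.
        problems.append(f"zone {update_zone} is not served by this server (NOTAUTH)")
    if not name_in_zone(owner_name, update_zone):
        problems.append(f"owner {owner_name} lies outside zone {update_zone}")
    if not target.endswith("."):
        problems.append(f"PTR target {target} is not fully qualified")
    return problems


def nsupdate_script(ip: str, prefix: str, target: str, ttl: int = 60) -> str:
    """Build the nsupdate stdin script for a PTR record with the names derived, not typed."""
    owner = reverse_name(ip)
    zone = reverse_zone(prefix)
    return "\n".join([
        f"zone {zone}",
        f"update delete {owner} PTR",
        f"update add {owner} {ttl} IN PTR {target}",
        "send",
    ])


if __name__ == "__main__":
    # Constructed request reproducing the transposed names from the ticket.
    bad = check_ptr_update(SERVER_ZONES, "0.10.8.in-addr.arpa.",
                           "2.0.10.8.in-addr.arpa.", "10.8.0.2", "chost.example.com.")
    print("transposed request:", bad)
    good = check_ptr_update(SERVER_ZONES, "0.8.10.in-addr.arpa.",
                            "2.0.8.10.in-addr.arpa.", "10.8.0.2", "chost.example.com.")
    print("corrected request:", good or "ok")
    print(nsupdate_script("10.8.0.2", "10.8.0.0/24", "chost.example.com."))
```

Deriving the owner name and zone from the address, rather than typing them, removes the transposition class of error entirely; the check function is useful in a wrapper around nsupdate because BIND's NOTAUTH for an unknown zone carries no explanation and, as the ticket shows, produces no server-side log line.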

Metadata Update from @brianjmurrell:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago