When creating a CAA RR using nsupdate, it is saved in LDAP under the key UnknownRecord;type257, but when querying, nothing is returned.
If I create the record manually, but with UnknownRecord;type257record as key, it can be queried as expected.
I found this out after looking into the source code in src/ldap_convert.c (maybe there is something wrong with the prefix/suffix logic in the ldap_attribute_to_rdatatype method).
I've only tried it with a single record in a single zone.
```
[root@ipa-1 ~]# kinit admin
Password for admin@EXAMPLE.ORG:
```

```
grant admin@EXAMPLE.ORG name example.org. CAA;
```

```
[root@ipa-1 ~]# nsupdate -g
> update add example.org. 3600 CAA 0 issue "letsencrypt.org"
> send
> quit
[root@ipa-1 ~]# ldapsearch -b idnsname=example.org.,cn=dns,dc=example,dc=org -s base ...
# example.org., dns, example.org
dn: idnsname=example.org.,cn=dns,dc=example,dc=org
...
UnknownRecord;type257: \# 22 000569737375656C657473656E63727970742E6F7267
...
[root@ipa-1 ~]# dig example.org. CAA @localhost +short
[root@ipa-1 ~]#
```
Attach any error messages or other suspicious information you see in logs. E.g. in /var/named/data/named.run or /var/log/messages.
When creating the record, the following message appears in the log:
```
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: client @0x7f0cc003fd30 <IPADDRESS> #58223/key admin\@EXAMPLE:ORG: updating zone 'example.org/IN': adding an RR at 'example.org' CAA 0 issue "letsencrypt.org"
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: LDAP error: Insufficient access: Insufficient 'write' privilege to the 'caarecord' attribute of entry 'idnsname=example.org.,cn=dns,dc=example,dc=org'. : while modifying(add) entry 'idnsname=example.org.,cn=dns,dc=example,dc=org'
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: zone example.org/IN (signed): serial 1602446268 (unsigned 1602446268)
Oct 11 22:02:03 ipa-1.example.org named-pkcs11[579516]: zone example.org/IN (signed): serial 1602446523 (unsigned 1602446523)
```
Despite the error message, the record has been created in LDAP (as UnknownRecord;type257 instead of caarecord, though). But when querying, it seems not to exist (also, no error message appears while querying).
Plugin version: bind-dyndb-ldap-11.3-2.fc32.x86_64
Version of BIND: bind-9.11.22-1.fc32.x86_64
Distribution and version (i.e. including updates): Fedora release 32
Architecture: x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation? Yes: freeipa-server-dns-4.8.9-2.fc32.noarch
Include dyndb (dynamic-db) section from configuration file /etc/named.conf:
```
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-ORG.socket";
    base "cn=dns,dc=example,dc=org";
    server_id "ipa-1.example.org";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipa-1.example.org";
};
```
Do you have some other text based or DLZ zones configured? No
Do you have some global forwarders configured in BIND configuration file? No
Do you have some settings in global configuration object in LDAP? No
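The symptom in this report is an attribute name written one way ("UnknownRecord;type257") and read back only under another ("UnknownRecord;type257record"). The block below is an added example, not code from bind-dyndb-ldap or from the reporter: a hypothetical model of a writer/reader pair for that mapping, with a round-trip check that catches exactly this kind of prefix/suffix asymmetry. The known-type table, the function names, the buffer sizes and the rule that the reader insists on a trailing "record" are all assumptions made for illustration; they are not a claim about what src/ldap_convert.c actually does.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Hypothetical table of "known" record types; not the plugin's real schema. */
static const struct { uint16_t type; const char *name; } known_types[] = {
    { 1,  "a"    },
    { 16, "txt"  },
    { 28, "aaaa" },
};
#define N_KNOWN (sizeof known_types / sizeof known_types[0])

#define UNKNOWN_PREFIX "unknownrecord;type"   /* compared after lowercasing */
#define RECORD_SUFFIX  "record"

static bool ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lf = strlen(suffix);
    return lf <= ls && strncasecmp(s + ls - lf, suffix, lf) == 0;
}

/* Writing side (model): known types become "<name>record"; anything else is
 * stored as "UnknownRecord;type<N>" with no "record" suffix, which is the
 * attribute name the ldapsearch output above shows for CAA (type 257).
 * Returns 0 on success, -1 if the buffer is too small. */
int rdatatype_to_ldap_attribute(uint16_t type, char *out, size_t outlen)
{
    int n;
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (known_types[i].type == type) {
            n = snprintf(out, outlen, "%s%s", known_types[i].name, RECORD_SUFFIX);
            return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
        }
    }
    n = snprintf(out, outlen, "UnknownRecord;type%u", (unsigned)type);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Reading side (model): requires a trailing "record" (case-insensitive),
 * strips it, lowercases the rest, then parses "unknownrecord;type<N>" or
 * looks the bare name up in the table. Returns 0 on success, -1 otherwise. */
int ldap_attribute_to_rdatatype(const char *attr, uint16_t *type)
{
    char buf[64];
    size_t len = strlen(attr), slen = strlen(RECORD_SUFFIX);

    if (len >= sizeof buf || !ends_with_ci(attr, RECORD_SUFFIX))
        return -1;
    memcpy(buf, attr, len - slen);
    buf[len - slen] = '\0';
    for (char *p = buf; *p; p++)
        *p = (char)tolower((unsigned char)*p);

    if (strncmp(buf, UNKNOWN_PREFIX, strlen(UNKNOWN_PREFIX)) == 0) {
        const char *digits = buf + strlen(UNKNOWN_PREFIX);
        char *end;
        unsigned long v = strtoul(digits, &end, 10);
        if (*digits == '\0' || *end != '\0' || v > 65535)
            return -1;
        *type = (uint16_t)v;
        return 0;
    }
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (strcmp(buf, known_types[i].name) == 0) {
            *type = known_types[i].type;
            return 0;
        }
    }
    return -1;
}

/* Convenience wrapper: the rdatatype as an int, or -1 if unrecognised. */
int lookup_rdatatype(const char *attr)
{
    uint16_t t;
    return ldap_attribute_to_rdatatype(attr, &t) == 0 ? (int)t : -1;
}

/* The check worth running over every type: does what the writer stores come
 * back as the same type when the reader parses it? */
bool roundtrip_ok(uint16_t type)
{
    char attr[64];
    uint16_t back;
    if (rdatatype_to_ldap_attribute(type, attr, sizeof attr) != 0)
        return false;
    return ldap_attribute_to_rdatatype(attr, &back) == 0 && back == type;
}

int main(void)
{
    const uint16_t samples[] = { 1, 28, 257 };   /* A, AAAA, CAA */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char attr[64];
        rdatatype_to_ldap_attribute(samples[i], attr, sizeof attr);
        printf("type %3u -> %-28s round-trip %s\n", (unsigned)samples[i], attr,
               roundtrip_ok(samples[i]) ? "ok" : "FAILS");
    }
    return 0;
}
```

With the model's rules, the known types round-trip but type 257 does not: the writer emits a name without the suffix the reader demands, so the stored record is invisible to lookups, which is the behaviour the ticket describes. A round-trip test of this shape, run over the full 0..65535 range in the real converter, is the quickest way to confirm or rule out the suspected prefix/suffix mismatch.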