[Freeipa-users] DNS update failing
Jason Sherrill
2017-05-10 16:38:43 UTC
Hello,

I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
and Windows 10 with limited issues!

One issue is that updating the reverse zone via nsupdate works without
issue, updating to the forward zone results in a REFUSED status. Below is
my zone config, named.conf, and an example of client-side behavior. I'm
new to nearly all of the systems involved, so misconfiguration is likely. Thanks!
# ipa dnszone-show int.dplcl.com --all


dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com

Zone name: int.dplcl.com.

Active zone: TRUE

Authoritative nameserver: ipa-1.int.dplcl.com.

Administrator e-mail address: hostmaster.int.dplcl.com.

SOA serial: 1494344164

SOA refresh: 3600

SOA retry: 900

SOA expire: 1209600

SOA minimum: 3600

BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM
krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *

SSHFP;

Dynamic update: TRUE

Allow query: any;

Allow transfer: none;

Allow PTR sync: TRUE

Allow in-line DNSSEC signing: FALSE

nsrecord: ipa-1.int.dplcl.com.

objectclass: idnszone, top, idnsrecord, ipadnszone

/etc/named.conf from IPA server:

options {

// turns on IPv6 for port 53, IPv4 is on by default for all ifaces

listen-on-v6 {any;};

// Put files that named is allowed to write in the data/ directory:

directory "/var/named"; // the default

dump-file "data/cache_dump.db";

statistics-file "data/named_stats.txt";

memstatistics-file "data/named_mem_stats.txt";

// Any host is permitted to issue recursive queries

allow-recursion { any; };

tkey-gssapi-keytab "/etc/named.keytab";

pid-file "/run/named/named.pid";

dnssec-enable no;

dnssec-validation no;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

};

/* If you want to enable debugging, eg. using the 'rndc trace' command,

* By default, SELinux policy does not allow named to modify the /var/named
directory,

* so put the default debug log file in data/ :

*/

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

print-time yes;

};

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

dynamic-db "ipa" {

library "ldap.so";

arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";

arg "base cn=dns, dc=int,dc=dplcl,dc=com";

arg "server_id ipa-1.int.dplcl.com";

arg "auth_method sasl";

arg "sasl_mech GSSAPI";

arg "sasl_user DNS/ipa-1.int.dplcl.com";

arg "serial_autoincrement yes";

};
testbook3:etc jsherrill$ nsupdate
debug
update add testbook3.int.dplcl.com 86400 a 10.0.1.36
Reply from SOA query:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049

;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:

int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494425173 3600 900 1209600 3600

Found zone name: int.dplcl.com

The master is: ipa-1.int.dplcl.com

Sending update to 10.0.1.5#53

Outgoing update query:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167

;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0

;; UPDATE SECTION:

testbook3.int.dplcl.com. 86400 IN A 10.0.1.36


Reply from update query:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167

;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

;; ZONE SECTION:
;int.dplcl.com. IN SOA
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
Martin Bašti
2017-05-11 08:09:19 UTC
Post by Jason Sherrill
Hello,
I've recently implemented freeIPA in a mixed environment of Mac OS
10.12 and Windows 10 with limited issues!
One issue is that updating the reverse zone via nsupdate works without
issue, updating to the forward zone results in a REFUSED status. Below
is my zone config, named.conf, and an example of client-side
behavior. I'm new to nearly all systems involved- misconfiguration is
likely. Thanks!
# ipa dnszone-show int.dplcl.com <http://int.dplcl.com> --all
dn: idnsname=int.dplcl.com
<http://int.dplcl.com>.,cn=dns,dc=int,dc=dplcl,dc=com
Zone name: int.dplcl.com <http://int.dplcl.com>.
Active zone: TRUE
Authoritative nameserver: ipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>.
Administrator e-mail address: hostmaster.int.dplcl.com
<http://hostmaster.int.dplcl.com>.
SOA serial: 1494344164
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant INT.DPLCL.COM <http://INT.DPLCL.COM>
krb5-self * A; grant INT.DPLCL.COM <http://INT.DPLCL.COM>
krb5-self * AAAA; grant INT.DPLCL.COM <http://INT.DPLCL.COM>
krb5-self *
SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Allow in-line DNSSEC signing: FALSE
nsrecord: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>.
objectclass: idnszone, top, idnsrecord, ipadnszone
options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the
/var/named directory,
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca <http://named.ca>";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
arg "base cn=dns, dc=int,dc=dplcl,dc=com";
arg "server_id ipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/ipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>";
arg "serial_autoincrement yes";
};
testbook3:etc jsherrill$ nsupdate
debug
update add testbook3.int.dplcl.com <http://testbook3.int.dplcl.com> 86400 a
10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.INSOA
int.dplcl.com <http://int.dplcl.com>.0INSOAipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>. hostmaster.int.dplcl.com
<http://hostmaster.int.dplcl.com>. 1494425173 3600 900 1209600 3600
Found zone name: int.dplcl.com <http://int.dplcl.com>
The master is: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.
86400INA10.0.1.36
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;int.dplcl.com <http://int.dplcl.com>.INSOA
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>
Hello,

DNS updates use the GSS-TSIG mechanism by default in FreeIPA, so you
cannot use plain nsupdate without providing credentials.

Here is the policy: with krb5-self, a host can update only its own records, authenticated via GSS-TSIG (Kerberos).

BIND update policy: grant INT.DPLCL.COM <http://INT.DPLCL.COM> krb5-self
* A; grant INT.DPLCL.COM <http://INT.DPLCL.COM> krb5-self * AAAA; grant
INT.DPLCL.COM <http://INT.DPLCL.COM> krb5-self *

SSHFP;

So for manual updates via nsupdate, you have to do following steps:

1, kinit -kt /etc/krb5.keytab

2, nsupdate -g

... update A records ...

I don't know why the reverse zone works for you; you should check the policy
of the reverse zone.

Martin
--
Martin Bašti
Software Engineer
Red Hat Czech
Jason Sherrill
2017-05-12 13:04:08 UTC
Mistakenly failed to post to freeipa-users.

---------- Forwarded message ----------
From: Jason Sherrill <***@deeplocal.com>
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti <***@redhat.com>


Thank you for the assistance, Martin. The reverse zone is working because
of a policy I'd added: grant * tcp-self *. The same entry for the
forward zone did not work. I ran the manual update as described and was refused. It seems GSS-TSIG is working, but the
debug
update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
Reply from SOA query:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996

;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:

int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494432187 3600 900 1209600 3600

Found zone name: int.dplcl.com

The master is: ipa-1.int.dplcl.com

start_gssrequest

Found realm from ticket: INT.DPLCL.COM

send_gssrequest

Outgoing update query:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945

;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:

;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ADDITIONAL SECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

recvmsg reply from GSS-TSIG query

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945

;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ANSWER SECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

Sending update to 10.0.1.5#53

Outgoing update query:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230

;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1

;; UPDATE SECTION:

testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

;; TSIG PSEUDOSECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR
0


Reply from update query:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230

;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;int.dplcl.com. IN SOA

;; TSIG PSEUDOSECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230 NOERROR
0
Hello,
I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
and Windows 10 with limited issues!
One issue is that updating the reverse zone via nsupdate works without
issue, updating to the forward zone results in a REFUSED status. Below is
my zone config, named.conf, and an example of client-side behavior. I'm
new to nearly all systems involved- misconfiguration is likely. Thanks!
# ipa dnszone-show int.dplcl.com --all
dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
Zone name: int.dplcl.com.
Active zone: TRUE
Authoritative nameserver: ipa-1.int.dplcl.com.
Administrator e-mail address: hostmaster.int.dplcl.com.
SOA serial: 1494344164
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant
INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Allow in-line DNSSEC signing: FALSE
nsrecord: ipa-1.int.dplcl.com.
objectclass: idnszone, top, idnsrecord, ipadnszone
options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the /var/named
directory,
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
arg "base cn=dns, dc=int,dc=dplcl,dc=com";
arg "server_id ipa-1.int.dplcl.com";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/ipa-1.int.dplcl.com";
arg "serial_autoincrement yes";
};
testbook3:etc jsherrill$ nsupdate
debug
update add testbook3.int.dplcl.com 86400 a 10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com. IN SOA
int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494425173 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;int.dplcl.com. IN SOA
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <%28412%29%20636-2073>
office: 412-362-0201 <%28412%29%20362-0201>
Hello,
DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so you
cannot use plain nsupdate without providing credentials
Here is policy, hosts can update only its records using GSS-TSIG (kerberos)
BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM
krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
SSHFP;
1, kinit -kt /etc/krb5.keytab
2, nsupdate -g
... update A records ...
I don't know why a reverse zone works for you, you should check policy of
the reverse zone.
Martin
--
Martin Bašti
Software Engineer
Red Hat Czech
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
Martin Bašti
2017-05-12 13:27:03 UTC
Hello, could you check journalctl -u named-pkcs11 on the server? There might
be a more detailed description of why it failed. What do you have configured
in /etc/resolv.conf on the client side — is it the IP address of the
server directly?
Post by Jason Sherrill
Mistakenly failed to post to freeipa-users.
---------- Forwarded message ----------
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
Thank you for the assistance, Martin. The reverse zone is working
because of a policy I'd added: grant * tcp-self *. The same entry
for the forward zone did not work. I ran the manual update as
described and was refused. It seems GSS-TSIG is working, but the
debug
update add testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>. 86400 a
10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.INSOA
int.dplcl.com <http://int.dplcl.com>.3600INSOAipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>. hostmaster.int.dplcl.com
<http://hostmaster.int.dplcl.com>. 1494432187 3600 900 1209600 3600
Found zone name: int.dplcl.com <http://int.dplcl.com>
The master is: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>
start_gssrequest
Found realm from ticket: INT.DPLCL.COM <http://INT.DPLCL.COM>
send_gssrequest
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;3601322568.sig-ipa-1.int.dplcl.com
<http://3601322568.sig-ipa-1.int.dplcl.com>. ANYTKEY
3601322568.sig-ipa-1.int.dplcl.com
<http://3601322568.sig-ipa-1.int.dplcl.com>. 0 ANY TKEYgss-tsig. ****
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;3601322568.sig-ipa-1.int.dplcl.com
<http://3601322568.sig-ipa-1.int.dplcl.com>. ANYTKEY
3601322568.sig-ipa-1.int.dplcl.com
<http://3601322568.sig-ipa-1.int.dplcl.com>. 0 ANY TKEYgss-tsig. ****
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.
86400INA10.0.1.36
3601322568.sig-ipa-1.int.dplcl.com
<http://3601322568.sig-ipa-1.int.dplcl.com>. 0 ANY TSIGgss-tsig.
**** 13230 NOERROR 0
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;int.dplcl.com <http://int.dplcl.com>.INSOA
3601322568.sig-ipa-1.int.dplcl.com
<http://3601322568.sig-ipa-1.int.dplcl.com>. 0 ANY TSIGgss-tsig.
****13230 NOERROR 0
Hello,
I've recently implemented freeIPA in a mixed environment of Mac
OS 10.12 and Windows 10 with limited issues!
One issue is that updating the reverse zone via nsupdate works
without issue, updating to the forward zone results in a REFUSED
status. Below is my zone config, named.conf, and an example of
client-side behavior. I'm new to nearly all systems involved-
misconfiguration is likely. Thanks!
# ipa dnszone-show int.dplcl.com <http://int.dplcl.com> --all
dn: idnsname=int.dplcl.com
<http://int.dplcl.com>.,cn=dns,dc=int,dc=dplcl,dc=com
Zone name: int.dplcl.com <http://int.dplcl.com>.
Active zone: TRUE
Authoritative nameserver: ipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>.
Administrator e-mail address: hostmaster.int.dplcl.com
<http://hostmaster.int.dplcl.com>.
SOA serial: 1494344164
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant INT.DPLCL.COM
<http://INT.DPLCL.COM> krb5-self * A; grant INT.DPLCL.COM
<http://INT.DPLCL.COM> krb5-self * AAAA; grant INT.DPLCL.COM
<http://INT.DPLCL.COM> krb5-self *
SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Allow in-line DNSSEC signing: FALSE
nsrecord: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>.
objectclass: idnszone, top, idnsrecord, ipadnszone
options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
// Put files that named is allowed to write in the
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify
the /var/named directory,
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca <http://named.ca>";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "ipa" {
library "ldap.so";
arg "uri
ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
arg "base cn=dns, dc=int,dc=dplcl,dc=com";
arg "server_id ipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/ipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>";
arg "serial_autoincrement yes";
};
testbook3:etc jsherrill$ nsupdate
debug
update add testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>
86400 a 10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1,
ADDITIONAL: 0
;testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.INSOA
int.dplcl.com
<http://int.dplcl.com>.0INSOAipa-1.int.dplcl.com
<http://ipa-1.int.dplcl.com>. hostmaster.int.dplcl.com
<http://hostmaster.int.dplcl.com>. 1494425173 3600 900 1209600 3600
Found zone name: int.dplcl.com <http://int.dplcl.com>
The master is: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.
86400INA10.0.1.36
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;int.dplcl.com <http://int.dplcl.com>.INSOA
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>
Hello,
DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so
you cannot use plain nsupdate without providing credentials
Here is policy, hosts can update only its records using GSS-TSIG (kerberos)
BIND update policy: grant INT.DPLCL.COM <http://INT.DPLCL.COM>
krb5-self * A; grant INT.DPLCL.COM <http://INT.DPLCL.COM>
krb5-self * AAAA; grant INT.DPLCL.COM <http://INT.DPLCL.COM>
krb5-self *
SSHFP;
1, kinit -kt /etc/krb5.keytab
2, nsupdate -g
... update A records ...
I don't know why a reverse zone works for you, you should check
policy of the reverse zone.
Martin
--
Martin Bašti
Software Engineer
Red Hat Czech
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>
--
Martin Bašti
Software Engineer
Red Hat Czech
Jason Sherrill
2017-05-12 14:34:59 UTC
The following log entry from *named-pkcs11* coincides with update attempts
via nsupdate:


May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client
10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone '
int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)

The client is running macOS with network services configured to use
10.0.1.5 and the following /etc/resolv.conf:

search int.dplcl.com

nameserver 10.0.1.5

nameserver 8.8.8.8


Thanks!
Post by Martin Bašti
Hello, could you check journalctl -u named-pkcs11 on server, there might
be more detailed description why it failed. What do you have configured in
/etc/resolv.conf on client side, is there directly IP address of the server?
Mistakenly failed to post to freeipa-users.
---------- Forwarded message ----------
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
Thank you for the assistance, Martin. The reverse zone is working because
of a policy I'd added: grant * tcp-self *. The same entry for the
forward zone did not work. I ran the manual update as described and was
debug
update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com. IN SOA
int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494432187 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
start_gssrequest
Found realm from ticket: INT.DPLCL.COM
send_gssrequest
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230
NOERROR 0
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;int.dplcl.com. IN SOA
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230
NOERROR 0
Hello,
I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
and Windows 10 with limited issues!
One issue is that updating the reverse zone via nsupdate works without
issue, updating to the forward zone results in a REFUSED status. Below is
my zone config, named.conf, and an example of client-side behavior. I'm
new to nearly all systems involved- misconfiguration is likely. Thanks!
# ipa dnszone-show int.dplcl.com --all
dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
Zone name: int.dplcl.com.
Active zone: TRUE
Authoritative nameserver: ipa-1.int.dplcl.com.
Administrator e-mail address: hostmaster.int.dplcl.com.
SOA serial: 1494344164
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant
INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Allow in-line DNSSEC signing: FALSE
nsrecord: ipa-1.int.dplcl.com.
objectclass: idnszone, top, idnsrecord, ipadnszone
options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the
/var/named directory,
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
arg "base cn=dns, dc=int,dc=dplcl,dc=com";
arg "server_id ipa-1.int.dplcl.com";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/ipa-1.int.dplcl.com";
arg "serial_autoincrement yes";
};
testbook3:etc jsherrill$ nsupdate
debug
update add testbook3.int.dplcl.com 86400 a 10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com. IN SOA
int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494425173 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;int.dplcl.com.
...
[Message clipped]
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
Jason Sherrill
2017-05-12 14:49:46 UTC
I apologize — nsupdate is working as intended; I was attempting to update a
client's record from the IPA host itself. The named-pkcs11 log shows the update was signed with the host/ipa-1.int.dplcl.com key, and the krb5-self policy lets that principal modify only its own name, so the REFUSED was correct. I have a separate issue from clients when running

testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab


Thanks again!
Post by Jason Sherrill
The following log entry from *named-pkcs11* coincides with update
May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client
'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)
The client is running macos X with network services configured to use
search int.dplcl.com
nameserver 10.0.1.5
nameserver 8.8.8.8
Thanks!
Post by Martin Bašti
Hello, could you check journalctl -u named-pkcs11 on server, there might
be more detailed description why it failed. What do you have configured in
/etc/resolv.conf on client side, is there directly IP address of the server?
Mistakenly failed to post to freeipa-users.
---------- Forwarded message ----------
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
Thank you for the assistance, Martin. The reverse zone is working because
of a policy I'd added: grant * tcp-self *. The same entry for the
forward zone did not work. I ran the manual update as described and was
debug
update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com. IN SOA
int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494432187 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
start_gssrequest
Found realm from ticket: INT.DPLCL.COM
send_gssrequest
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230
NOERROR 0
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;int.dplcl.com. IN SOA
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230
NOERROR 0
Hello,
I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
and Windows 10 with limited issues!
One issue is that updating the reverse zone via nsupdate works without
issue, updating to the forward zone results in a REFUSED status. Below is
my zone config, named.conf, and an example of client-side behavior. I'm
new to nearly all systems involved- misconfiguration is likely. Thanks!
# ipa dnszone-show int.dplcl.com --all
dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
Zone name: int.dplcl.com.
Active zone: TRUE
Authoritative nameserver: ipa-1.int.dplcl.com.
Administrator e-mail address: hostmaster.int.dplcl.com.
SOA serial: 1494344164
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant
INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Allow in-line DNSSEC signing: FALSE
nsrecord: ipa-1.int.dplcl.com.
objectclass: idnszone, top, idnsrecord, ipadnszone
options {
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
listen-on-v6 {any;};
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
tkey-gssapi-keytab "/etc/named.keytab";
pid-file "/run/named/named.pid";
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the
/var/named directory,
*/
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
arg "base cn=dns, dc=int,dc=dplcl,dc=com";
arg "server_id ipa-1.int.dplcl.com";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/ipa-1.int.dplcl.com";
arg "serial_autoincrement yes";
};
testbook3:etc jsherrill$ nsupdate
debug
update add testbook3.int.dplcl.com 86400 a 10.0.1.36
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;testbook3.int.dplcl.com. IN SOA
int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494425173 3600 900 1209600 3600
Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
Sending update to 10.0.1.5#53
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;int.dplcl.com.
...
[Message clipped]
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>