On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
> On 28/10/2019 12:16, Alexander Bokovoy wrote:
>> On Mon, 28 Oct 2019, lejeczek via FreeIPA-users wrote:
>>> On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote:
>>>> hi everybody
>>>>
>>>> when I install a replica and have DNS use cname records to a classless
>>>> zone I see:
>>>>
>>>> Configuring DNS (named)
>>>> [1/8]: generating rndc key file
>>>> [2/8]: setting up our own record
>>>> [error] ValidationError: invalid 'cnamerecord': CNAME record is not
>>>> allowed to coexist with any other record (RFC 1034, section 3.6.2
>>>> ..
>>>>
>>>> This happens if the replica has an existing ptr record at the time of
>>>> installation.
>>>> If I remove the ptr record for the replica from the parent reverse zone
>>>> (all managed by the same IPA) then installation proceeds, but should
>>>> masters' records in the reverse zone be resolved with/via cnames in a
>>>> classless subnet? (which the howto says it should -
>>>> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
>>>>
>>>> Or should IPA not be hosting the parent zone if it is itself in a
>>>> classless IP subnet?
>>>> It's a bit confusing to me, I confess.
>>>>
>>>> many thanks, L.
>>>>
>>> Not even IPA's own devel would comment?
>>>
>>> Is what I wrote above somewhat unclear? Should I try to rephrase it
>>> better?
>>
>> Yes, please provide more details, like examples of your DNS zone and
>> records. The error message already points you to the RFC and the concrete
>> section about the problem.
> my IPA is located in a classless subnet 10.5.5.128/25.
> If I set up IPA with --reverse-zone=128/25.10.5.5.in-addr.arpa then the
> installer creates two rev zones:
> 128/25.10.5.5.in-addr.arpa & 10.5.5.in-addr.arpa
> Now, if prior to the subsequent masters' installation I create PTR records
> and I follow:
> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation
> (which will make 10.5.5.in-addr.arpa use cnames) then when I install a
> replica which already has PTR records I get:
> Configuring DNS (named)
> [1/8]: generating rndc key file
> [2/8]: setting up our own record
> [error] ValidationError: invalid 'cnamerecord': CNAME record is not
> allowed to coexist with any other record (RFC 1034, section 3.6.2
> ..
> What confuses me when I think about it - if I remove the ptr (or rather
> cname) record from the parent reverse zone (10.5.5.in-addr.arpa) then
> installation of that subsequent master proceeds okay, and then
> I think...
> Should that mean that IPA should/can not be set up on/as a classless subnet
> the way that howto instructs?
Yes, this howto predates FreeIPA 3.2. The change was done in the
following commit that removed support for this:
commit 42c401a87795fe3a2067155460ae276ad2d3e360
Author: Martin Kosek <mkosek(a)redhat.com>
Date: Tue Apr 2 11:58:31 2013 +0200
Improve CNAME record validation
Refactor DNS RR conflict validator so that it is better extensible in
the future. Also check that there is only one CNAME defined for
a DNS record.
PTR+CNAME record combination is no longer allowed as we found out it
does not make sense to have this combination.
https://fedorahosted.org/freeipa/ticket/3450
> I can change records in the parent zone (to which IPA installers inserted
> PTR records) to use cname and forward to 128/25.10.5.5.in-addr.arpa
> later, and IPA seems to work okay, but... I was hoping for a
> no-doubts clarification, as all this makes me a bit uncertain.
> Maybe you could provide a modification to the howto?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
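As an added illustration (not code from this thread or from FreeIPA), the script below builds the RFC 2317 classless-delegation record set that the linked howto describes for 10.5.5.128/25, applies the RFC 1034 section 3.6.2 check that the installer error cites, and then shows the conflict that appears when a replica's own PTR is written into the parent reverse zone. Note that in-addr.arpa names reverse the octets, so the zones here are 5.5.10.in-addr.arpa and 128/25.5.5.10.in-addr.arpa; the host names ipa1.example.test. and ipa2.example.test. are made up.

```python
"""Constructed example: RFC 2317 delegation for 10.5.5.128/25 plus the
RFC 1034 section 3.6.2 CNAME coexistence check behind the installer error."""
import ipaddress
from collections import defaultdict


def classless_delegation(network, nameservers):
    """Return {owner: [(rtype, rdata), ...]} for the parent reverse zone:
    NS records delegating "<first>/<prefix>.<parent>" and one CNAME per
    host octet pointing into that sub-zone, as RFC 2317 describes."""
    net = ipaddress.ip_network(network)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation is for prefixes /25 to /31")
    # reverse_pointer of the network address is e.g. 128.5.5.10.in-addr.arpa
    first_label, parent_zone = net.network_address.reverse_pointer.split(".", 1)
    subzone = f"{first_label}/{net.prefixlen}.{parent_zone}"
    records = defaultdict(list)
    for ns in nameservers:
        records[subzone].append(("NS", ns))
    for host in net.hosts():
        last = host.reverse_pointer.split(".", 1)[0]
        records[f"{last}.{parent_zone}"].append(("CNAME", f"{last}.{subzone}"))
    return dict(records)


def cname_conflicts(records):
    """Owner names that violate RFC 1034 3.6.2: a CNAME beside any other
    record, or more than one CNAME at the same owner name."""
    bad = []
    for owner, rrs in records.items():
        n_cname = sum(1 for rtype, _ in rrs if rtype == "CNAME")
        if n_cname and (n_cname > 1 or len(rrs) > n_cname):
            bad.append(owner)
    return sorted(bad)


def replica_ptr_conflicts(parent_records, ip, fqdn):
    """Simulate the installer's 'setting up our own record' step: add the
    replica's PTR to the parent zone and report the resulting conflicts."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    zone = {k: list(v) for k, v in parent_records.items()}
    zone.setdefault(owner, []).append(("PTR", fqdn))
    return cname_conflicts(zone)


if __name__ == "__main__":
    # Hypothetical host names; the network is the one from the thread.
    parent = classless_delegation("10.5.5.128/25", ["ipa1.example.test."])
    print(cname_conflicts(parent))  # []
    print(replica_ptr_conflicts(parent, "10.5.5.130", "ipa2.example.test."))
```

The second call reports 130.5.5.10.in-addr.arpa, which is exactly the PTR-next-to-CNAME situation the commit quoted above stopped allowing.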