hi everybody when I install a replica and have DNS use cname records to a classless zone I see: Configuring DNS (named)   [1/8]: generating rndc key file   [2/8]: setting up our own record   [error] ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2 .. This happens if the replica has existing ptr record at the time of installation. If I remove ptr record for the replica from the parent reverse zone (all managed by the same IPA) then installation proceeds but should masters' records in reverse zone be in resolved with/via cnames in classless subnet? (which howto says it should - https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation) Or should IPA be not hosting the parent zone if itself is in a classless IP subnet? It's bit confusing to me I confess. many thanks, L. _______________________________________________

On ma, 28 loka 2019, lejeczek via FreeIPA-users wrote: > On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote: >> hi everybody >> >> when I install a replica and have DNS use cname records to a classless >> zone I see: >> >> Configuring DNS (named) >>   [1/8]: generating rndc key file >>   [2/8]: setting up our own record >>   [error] ValidationError: invalid 'cnamerecord': CNAME record is not >> allowed to coexist with any other record (RFC 1034, section 3.6.2 >> .. >> >> This happens if the replica has existing ptr record at the time of >> installation. >> If I remove ptr record for the replica from the parent reverse zone >> (all managed by the same IPA) then installation proceeds but should >> masters' records in reverse zone be in resolved with/via cnames in >> classless subnet? (which howto says it should - >> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation) >> >> Or should IPA be not hosting the parent zone if itself is in a >> classless IP subnet? >> It's bit confusing to me I confess. >> >> many thanks, L. >> >> _______________________________________________ >> > Not even IPA's own devel would comment? > > Is what I wrote above somewhat unclear? Should I try to rephrase it > better? Yes, please provide more details, like examples of your DNS zone and records. The error message points you to RFC and concrete section about the problem already.

I would also point out that people tend to live their own lives. There are might be holidays, vacations, hard times (no ability to look at community mailing lists, etc). Do not expect that every email will be answered immediately and even in a week or two. We are humans, not robots. While there is an effort to help, there are also no obligations to answer every single question.

On ti, 29 loka 2019, lejeczek via FreeIPA-users wrote: > On 28/10/2019 12:16, Alexander Bokovoy wrote: >> On ma, 28 loka 2019, lejeczek via FreeIPA-users wrote: >>> On 23/10/2019 12:28, lejeczek via FreeIPA-users wrote: >>>> hi everybody >>>> >>>> when I install a replica and have DNS use cname records to a >>>> classless >>>> zone I see: >>>> >>>> Configuring DNS (named) >>>>   [1/8]: generating rndc key file >>>>   [2/8]: setting up our own record >>>>   [error] ValidationError: invalid 'cnamerecord': CNAME record is not >>>> allowed to coexist with any other record (RFC 1034, section 3.6.2 >>>> .. >>>> >>>> This happens if the replica has existing ptr record at the time of >>>> installation. >>>> If I remove ptr record for the replica from the parent reverse zone >>>> (all managed by the same IPA) then installation proceeds but should >>>> masters' records in reverse zone be in resolved with/via cnames in >>>> classless subnet? (which howto says it should - >>>> https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation) >>>> >>>> >>>> Or should IPA be not hosting the parent zone if itself is in a >>>> classless IP subnet? >>>> It's bit confusing to me I confess. >>>> >>>> many thanks, L. >>>> >>>> _______________________________________________ >>>> >>> Not even IPA's own devel would comment? >>> >>> Is what I wrote above somewhat unclear? Should I try to rephrase it >>> better? >> >> Yes, please provide more details, like examples of your DNS zone and >> records. The error message points you to RFC and concrete section about >> the problem already. > > my IPA is locate in a classless subnet 10.5.5.128/25. > > If I setup IPA with --reverse-zone=128/25.10.5.5.in-addr.arpa then > installer creates two rev zones: > > 128/25.10.5.5.in-addr.arpa & 10.5.5.in-addr.arpa > > Now, if prior to subsequent masters installation I create PTR records > and I follow: > https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation > (which will make 10.5.5.in-addr.arpa use cnames) then when I install a > replica which already has PTR records I get: > > Configuring DNS (named) >   [1/8]: generating rndc key file >   [2/8]: setting up our own record >   [error] ValidationError: invalid 'cnamerecord': CNAME record is not > allowed to coexist with any other record (RFC 1034, section 3.6.2 > .. > > What confuses me when I think about it - if I remove ptr(or rather > cname) record from the parent reverse zone (10.5.5.in-addr.arpa) then > installation proceeds of that subsequent masters proceeds okey and then > I think... > > Should that mean that IPA should/can not be setup on/as classless subnet > the way that howto instructs? Yes, this howto predates FreeIPA 3.2. The change was done in the following commit that removed support for this: commit 42c401a87795fe3a2067155460ae276ad2d3e360 Author: Martin Kosek <mkosek(a)redhat.com&gt; Date:   Tue Apr 2 11:58:31 2013 +0200    Improve CNAME record validation       Refactor DNS RR conflict validator so that it is better extensible in    the future. Also check that there is only one CNAME defined for    a DNS record.       PTR+CNAME record combination is no longer allowed as we found out it    does not make sense to have this combination.       https://fedorahosted.org/freeipa/ticket/3450 > I can change records in partent zone(to which IPA installers inserted > PTR records) to use cname and forward to 128/25.10.5.5.in-addr.arpa > later, and IPA seems to work okey, but... I was hoping for > no-doubts-clarification case that all makes me bit uncertain. May be you could provide modification to the howto?