From Fedora Project Wiki

Test DNS zone transfer to non-IPA slaves

DNS zone transfers between IPA masters are handled at LDAP database level and all FreeIPA servers act as DNS masters. From FreeIPA 3.0 non-IPA DNS servers are supported as slaves.

Zone transfers depend on correct SOA serial number behaviour. Test for SOA serial auto-increment feature was described as part of persistent search test case.

First of all, it is necessary to allow zone transfers to slave IPs. Slave IP has to be specified on per-zone basics. In following example we will allow zone transfer to any client. This setting is considered as insecure, don't use it outside the lab! Feel free to replace "any" with real slave IP address.

In selected testing zone allow zone transfer to any client.

$ ipa dnszone-mod lab.example '--allow-transfer=any;'

Following command will initiate zone transfer with dig utility:

$ dig @vm-148.lab.example -t AXFR lab.example
  lab.example.		86400	IN	SOA	vm-148.lab.example. hostmaster.lab.example. 1346771605 3600 900 1209600 3600
  lab.example.		86400	IN	NS	vm-148.lab.example.
  vm-148.lab.example.	86400	IN	A	192.168.10.148
  lab.example.		86400	IN	SOA	vm-148.lab.example. hostmaster.lab.example. 1346771605 3600 900 1209600 3600
  ;; XFR size: 4 records (messages 1, bytes 149)

Output above shows sucessful transfer of zone "lab.example". This step confirmed basic functionality.


DNS slaves will transfer the whole zone periodically as is specified in zone's SOA record. DNS masters also send DNS NOTIFY messages to inform slaves about a change asynchronously.

For test purposes set the delay between notifies to 1 second. To accomplish this add following line to options section in /etc/named.conf.

options {
	notify-delay 1;
};

Master server has to be reloaded after each change in /etc/named.conf.

$ systemctl restart named.service


If you have another DNS server set up, configure a slave zone "lab.example" and set master IP address to "192.168.10.148". Slave server should transfer all records and serve them to clients.


If you don't have own second DNS server, you can use following commands to start second BIND instance on same machine as IPA master resides. The second BIND will listen on non-standard port 5353.

cat > /etc/named2.conf <<< '
options {
        // turns on IPv4 and IPv6 for port 5353 on all interfaces
        listen-on port 5353 { any; };
        listen-on-v6 port 5353 { any; };
        directory "/var/named2";
        allow-recursion { any; };
	min-refresh-time 1; // set zone refresh limit very low, use only in a lab
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "lab.example." IN {
        type slave;
        file "/tmp/lab.example";
        masters { 127.0.0.1 port 53; };
};
'

mkdir -p /var/named2
cp -f /var/named/named.localhost /var/named/named.loopback /var/named/named.empty /var/named/named.ca /var/named2/
chown -R named: /var/named2 /etc/named2.conf

named -g -u named -c /etc/named2.conf

It is not possible to add NS record for name server with non-standard port. For this reason add following line to master's /etc/named.conf and reload the server.

options {
	also-notify { 127.0.0.1 port 5353; };
};

Now the zone should transfer to slaves in couple of seconds after each change. DNS query against slave server should return same results as query against master server.

Dig command for DNS servers on non-standard ports has to include -p parameter.

$ dig @127.0.0.1 -p 5353 -t SOA lab.example.