Hi Rob,
There are 5 more reverse zones that cannot be deleted either; IPA reports "Not allowed on non-leaf entry" for each of them. Although that is the same error as before, these 5 zones do not carry the "glue, extensibleobject" objectclasses. Please see the attached output for details. I would like to have those deleted as well.
Thanks.
Kathy.
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa. --all
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-
ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa. --all
dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-
ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa. --all
dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-
ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa. --all
dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-
ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all
dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-
ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster.example.com.
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]#
On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu kzhu@nuro.ai wrote:
Yes, I want to delete the zone. I have tried a few ways; none has worked so far.
On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden rcritten@redhat.com wrote:
Kathy Zhu via FreeIPA-users wrote:
Hi List,
When I run ipa-healthcheck on all of our IPA servers, they all report the following:
[root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human
ERROR:
ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com:
Replication conflict
[root@ipa0 ~]#
[root@ipa0 ~]# ipa-healthcheck --failures-only
[
{
"source": "ipahealthcheck.ds.replication", "kw": { "msg": "Replication conflict", "glue": true, "conflict": "deletedEntryHasChildren", "key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com" }, "uuid": "3027f742-4b7b-4a20-9650-a5a030699480", "duration": "0.002318", "when": "20210819234114Z", "check": "ReplicationConflictCheck", "result": "ERROR"
}
]
[root@ipa0 ~]#
[root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. --sizelimit=99999 --all --structured
dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
Records:
Record type: NS Record data: ipa1.example.com. NS Hostname: ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone, glue, extensibleobject
Number of entries returned 1
[root@ipa0 ~]#
Notice that in the output above "glue" is true. After searching, I found the following:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
The explanation made sense to me. However, I do not know what happened to get us into this situation.
A healthy zone shows the objectclass attribute like this:
objectclass: top, idnsrecord, idnszone
Note that "glue" and "extensibleobject" are absent there.
This zone cannot be deleted: the delete fails with "Not allowed on non-leaf entry", which means the zone entry still has child entries beneath it in LDAP. Any ideas on how to delete this zone?
Do you want to delete the zone?
rob