Hi Rob, thanks for taking a look. Re: sanity check I meant:
13-Dec-2018 00:31:34.398 client 10.30.10.27#53265/key host/mdc-ipa-01.idm.planetrisk.com(a)IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': update rejected: post update name server sanity check failed
13-Dec-2018 00:31:34.511 client 10.30.10.27#40273/key host/mdc-ipa-01.idm.planetrisk.com(a)IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' A
And then you can see there in the log snippet from the first post that it immediately tries again and succeeds.
The log does not indicate a successful delete; I just know the record is gone.
It has occurred to me that this is from the bind/named log, so the sanity check has nothing to do with FreeIPA.
And probably that sanity check is bind saying “you can’t/shouldn’t delete the A record associated with the NS records”
So now I’m back to asking myself why/who/what is causing the record to be deleted in the first place.
Let me do some more digging and see if I can find the culprit. I suspect something to do with sssd and dynamic updates.
freeipa-users@lists.fedorahosted.org