<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 15/07/15 15:07, Nevada Sanchez wrote:<br> </div> <blockquote cite="mid:CANJByKfQQH9uvNRTL530WhFsk+Z900ymYw5a+apCGRHffv4OnQ@mail.gmail.com" type="cite">On Wednesday, July 15, 2015, Martin Basti <<a moz-do-not-send="true" href="mailto:mbasti@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:mbasti@redhat.com">mbasti@redhat.com</a></a>> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div text="#000000" bgcolor="#FFFFFF"> <div>On 14/07/15 19:12, Nevada Sanchez wrote:<br> </div> <blockquote type="cite"> <div dir="ltr">I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global forwarding ('Forward First') so that it will forward queries to Amazon's DNS, and then fall back on IPA if it doesn't see a hit. <div><br> </div> <div>This works perfectly fine for forward DNS lookups:</div> <div><br> </div> <div>$ # This host does not exist on FreeIPA, but does on Amazon DNS</div> <div> <div>$ host ip-10-0-6-17.ec2.internal</div> <div>ip-10-0-6-17.ec2.internal has address 10.0.6.17</div> </div> <div><br> </div> <div> <div>However, for reverse lookups, it doesn't seem to get forwarded</div> <div><br> </div> <div>$ # Same host, reverse lookup fails at FreeIPA</div> <div> <div>$ host 10.0.6.17</div> <div>Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)</div> <div><br> </div> <div>$ # Explicitly forwarding to Amazon DNS, reverse lookup works</div> <div>$ host 10.0.6.17 10.0.0.2</div> <div>Using domain server:</div> <div>Name: 10.0.0.2</div> <div>Address: 10.0.0.2#53</div> <div>Aliases: </div> <div>17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.</div> </div> <div><br> </div> <div>Please help. Thanks!</div> <div><br> </div> -- <br> <div> <div dir="ltr"> <div style="font-family:arial;font-size:small"><b><font face="arial, helvetica, sans-serif">Nevada Sanchez</font></b></div> <div style="font-family:arial;font-size:small"><font face="arial, helvetica, sans-serif" color="#666666">Co-Founder, ASIC Design Team Lead</font></div> <div style="font-family:arial;font-size:small"><font face="arial, helvetica, sans-serif"><a moz-do-not-send="true" href="http://www.butterflynetinc.com/" style="color:rgb(17,85,204)" target="_blank"><img moz-do-not-send="true" src="imap://mbasti@mail.corp.redhat.com:993/fetch%3EUID%3E/Drafts%3E94412?token_hash=AAHtFB9SECimeD8ttqgGqwlY3MD8nRNHfRQKh3eivl4dsg&dl=1"></a></font></div> <div style="font-family:arial;font-size:small"><font face="arial, helvetica, sans-serif" color="#666666">tel: 203.689.5650 x314 | mobile: 775.863.8726</font></div> <div><font size="1" color="#666666"><span style="font-family:arial">Come </span><a moz-do-not-send="true" href="http://www.4combinator.com/#opportunities" style="font-family:arial" target="_blank">join us</a><span style="font-family:arial"> and p</span><span style="font-family:arial">ut a dent in the universe!</span></font><br> </div> </div> </div> </div> </div> <br> <fieldset></fieldset> <br> </blockquote> Hello, do you have any reverse zones configured on IPA DNS? (with suffix 10.in-addr.arpa)?<br> <br> <pre cols="72">-- Martin Basti<span></span></pre> </div> </blockquote> <div>Yes. </div> <br> <br> -- <br> <div dir="ltr"> <div style="font-family:arial;font-size:small"><b><font face="arial, helvetica, sans-serif">Nevada Sanchez</font></b></div> <div style="font-family:arial;font-size:small"><font face="arial, helvetica, sans-serif" color="#666666">Co-Founder, ASIC Design Team Lead</font></div> <div style="font-family:arial;font-size:small"><font face="arial, helvetica, sans-serif"><a moz-do-not-send="true" href="http://www.butterflynetinc.com/" style="color:rgb(17,85,204)" target="_blank"><img moz-do-not-send="true" src="imap://mbasti@mail.corp.redhat.com:993/fetch%3EUID%3E/Drafts%3E94412?token_hash=AAHtFB9SECimeD8ttqgGqwlY3MD8nRNHfRQKh3eivl4dsg&dl=1"></a></font></div> <div style="font-family:arial;font-size:small"><font face="arial, helvetica, sans-serif" color="#666666">tel: 203.689.5650 x314 | mobile: 775.863.8726</font></div> <div><font size="1" color="#666666"><span style="font-family:arial">Come </span><a moz-do-not-send="true" href="http://www.4combinator.com/#opportunities" style="font-family:arial" target="_blank">join us</a><span style="font-family:arial"> and p</span><span style="font-family:arial">ut a dent in the universe!</span></font><br> </div> </div> <br> </blockquote> Do you have configured proper delegation via NS records to subzones of 10.in-addr.arpa. on IPA DNS?<br> Respectively do you have delegation for 6.0.10.in-addr.arpa. zone to Amazon DNS?<br> <br> Please notice that forward first doesn't mean that the forwarder will be contacted first, then fallback to IPA.<br> Forward first means if there is no authoritative zone in IPA server, query will be forwarded to forwarder, if forwarder doesn't return the answer, then recursive search (if allowed) will be used from root zone.<br> You have 10.in-addr.arpa. zone configured, so it is authoritative zone for 17.6.0.10.in-addr.arpa. query, and you will get the authoritative answer NXDOMAIN, there is no need for forwarding.<br> You need to add an delegation <br> ipa dnsrecord-add 10.in-addr.arpa. 6.0.10.in-addr.arpa. --ns-rec=amazon.dns.<br> <br> HTH<br> <pre class="moz-signature" cols="72">-- Martin Basti</pre> </body> </html>