<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 15/07/15 15:07, Nevada Sanchez
wrote:<br>
</div>
<blockquote
cite="mid:CANJByKfQQH9uvNRTL530WhFsk+Z900ymYw5a+apCGRHffv4OnQ@mail.gmail.com"
type="cite">On Wednesday, July 15, 2015, Martin Basti &lt;<a
moz-do-not-send="true" href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>&gt;
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>On 14/07/15 19:12, Nevada Sanchez wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I have FreeIPA set up as our primary DNS on an
AWS VPC. I set up global forwarding ('Forward First') so
that it will forward queries to Amazon's DNS, and then
fall back on IPA if it doesn't see a hit.
<div><br>
</div>
<div>This works perfectly fine for forward DNS lookups:</div>
<div><br>
</div>
<div>$ # This host does not exist on FreeIPA, but does on
Amazon DNS</div>
<div>
<div>$ host ip-10-0-6-17.ec2.internal</div>
<div>ip-10-0-6-17.ec2.internal has address 10.0.6.17</div>
</div>
<div><br>
</div>
<div>
<div>However, for reverse lookups, it doesn't seem to
get forwarded</div>
<div><br>
</div>
<div>$ # Same host, reverse lookup fails at FreeIPA</div>
<div>
<div>$ host 10.0.6.17</div>
<div>Host 17.6.0.10.in-addr.arpa. not found:
3(NXDOMAIN)</div>
<div><br>
</div>
<div>$ # Explicitly forwarding to Amazon DNS, reverse
lookup works</div>
<div>$ host 10.0.6.17 10.0.0.2</div>
<div>Using domain server:</div>
<div>Name: 10.0.0.2</div>
<div>Address: 10.0.0.2#53</div>
<div>Aliases: </div>
<div>17.6.0.10.in-addr.arpa domain name pointer
ip-10-0-6-17.ec2.internal.</div>
</div>
<div><br>
</div>
<div>Please help. Thanks!</div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div style="font-family:arial;font-size:small"><b><font
face="arial, helvetica, sans-serif">Nevada
Sanchez</font></b></div>
<div style="font-family:arial;font-size:small"><font
face="arial, helvetica, sans-serif"
color="#666666">Co-Founder, ASIC Design Team
Lead</font></div>
<div style="font-family:arial;font-size:small"><font
face="arial, helvetica, sans-serif"
color="#666666">tel: 203.689.5650 x314 | mobile:
775.863.8726</font></div>
<div><font size="1" color="#666666"><span
style="font-family:arial">Come </span><a
moz-do-not-send="true"
href="http://www.4combinator.com/#opportunities"
style="font-family:arial" target="_blank">join
us</a><span style="font-family:arial"> and p</span><span
style="font-family:arial">ut a dent in the
universe!</span></font><br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
Hello, do you have any reverse zones configured on IPA DNS
(with suffix 10.in-addr.arpa)?<br>
<br>
<pre cols="72">--
Martin Basti<span></span></pre>
</div>
</blockquote>
<div>Yes. </div>
<br>
<br>
<br>
</blockquote>
Do you have proper delegation via NS records configured for the subzones
of 10.in-addr.arpa. on IPA DNS?<br>
Respectively, do you have a delegation for the 6.0.10.in-addr.arpa. zone to
Amazon DNS?<br>
<br>
Please note that forward first doesn't mean that the forwarder
will be contacted first, then fall back to IPA.<br>
Forward first means that if there is no authoritative zone on the IPA server,
the query will be forwarded to the forwarder; if the forwarder doesn't return
the answer, then a recursive search (if allowed) will be used from
the root zone.<br>
You have the 10.in-addr.arpa. zone configured, so it is the authoritative
zone for the 17.6.0.10.in-addr.arpa. query, and you will get the
authoritative answer NXDOMAIN; there is no need for forwarding.<br>
You need to add a delegation:<br>
ipa dnsrecord-add 10.in-addr.arpa. 6.0.10.in-addr.arpa. --ns-rec=amazon.dns.<br>
<br>
HTH<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
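<div>Added example (not part of the original thread, and not FreeIPA or BIND code): a simplified Python model of the decision described in the reply above, showing why the reverse query gets an authoritative NXDOMAIN from the 10.in-addr.arpa. zone and how the NS delegation changes that. The function names are hypothetical, and amazon.dns. is the placeholder name server from the reply.</div>
<pre>
```python
import ipaddress


def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def is_within(name, zone):
    """True if name equals zone or is a subdomain of it (label-wise match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def closest(name, zones):
    """Return the longest zone in zones that encloses name, or None."""
    hits = [z for z in zones if is_within(name, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)


def resolution_path(qname, auth_zones, delegations):
    """Model which path a query takes on the IPA DNS server.

    auth_zones:  zones hosted on IPA (assumption: simple list of names).
    delegations: dict of delegated owner name to NS target inside those zones.
    """
    zone = closest(qname, auth_zones)
    if zone is None:
        # No authoritative zone: forwarder first, then recursion if allowed.
        return ("forward-first", None)
    cuts = [d for d in delegations if is_within(d, zone)]
    cut = closest(qname, cuts)
    if cut is not None and labels(cut) != labels(zone):
        # Below a zone cut: the name is no longer answered from IPA data.
        return ("delegated", delegations[cut])
    # Inside the zone with no cut: authoritative answer, NXDOMAIN if absent.
    return ("authoritative", zone)


AUTH_ZONES = ["10.in-addr.arpa."]                    # zone from the thread
DELEGATION = {"6.0.10.in-addr.arpa.": "amazon.dns."}  # record from the reply


def demo():
    ptr = ipaddress.ip_address("10.0.6.17").reverse_pointer
    return (resolution_path(ptr, AUTH_ZONES, {}),
            resolution_path(ptr, AUTH_ZONES, DELEGATION),
            resolution_path("ip-10-0-6-17.ec2.internal", AUTH_ZONES, {}))


if __name__ == "__main__":
    print(demo())
```
</pre>
<div>Addresses outside 10.0.6.0/24 stay authoritative in this model, so each further subnet that Amazon DNS should answer for needs its own delegation.</div>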
</body>
</html>