[Freeipa-users] IPA DNS forward only is not working

Albert Tesla biteoag at gmail.com
Mon Nov 26 18:35:14 UTC 2012


I have FreeIPA installed on a RHEL 6 server.  There is an existing Windows
domain and DNS, example.com.  I created a FreeIPA domain of example.com.  I
have attempted to configure the "forward first" option in both the DNS
Global Configuration and the example.com zone configuration.  I would like
all lookups to first go to the forwarder, and if it is unable to resolve
them, I want named to look at the FreeIPA DNS.  As I understand it, the "forward
first" setting should accomplish this.  Unfortunately DNS is behaving as if
the "forward only" option is enabled: it will resolve addresses outside
of the FreeIPA example.com domain but will not resolve hosts that are only
in the FreeIPA example.com domain.  I am very new to FreeIPA and would
appreciate any help that can be provided.

Here is my named.conf:

options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        forward first;
        forwarders {
                192.168.x.x;
        };

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-credential "DNS/freeipa.example.com";
        tkey-domain "EXAMPLE.COM";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "fake_mname freeipa.example.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/freeipa.example.com";
        arg "zone_refresh 30";
};



Thanks in advance,
Albert
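Added example, not part of the original post or of FreeIPA/BIND: a small Python model of how BIND's "forward first" and "forward only" policies decide whether local zone data is ever consulted, using the scenario described above (a Windows forwarder that is itself authoritative for example.com). All names, the forwarder's answers and the FreeIPA zone contents are constructed; the model assumes, as the post describes, that queries for example.com are being sent to the forwarder.

```python
# Constructed: what the Windows forwarder (192.168.x.x in the post) answers.
# It is authoritative for example.com, so names it does not know get an
# authoritative NXDOMAIN rather than a referral or SERVFAIL.
FORWARDER_ANSWERS = {
    "dc1.example.com.": "NOERROR",
    "www.redhat.com.": "NOERROR",
    "ipahost.example.com.": "NXDOMAIN",   # exists only in the FreeIPA zone
}

# Constructed: names served from the FreeIPA (bind-dyndb-ldap) zone.
IPA_ZONE = {"freeipa.example.com.", "ipahost.example.com."}


def ask_forwarder(name, reachable=True):
    """Return the forwarder's rcode, or None when it does not reply at all."""
    if not reachable:
        return None
    return FORWARDER_ANSWERS.get(name, "NXDOMAIN")


def resolve(name, policy, forwarder_reachable=True):
    """Model the policy decision and return (answer_source, rcode).

    'first': ask the forwarder; fall back to local resolution only when the
             forwarder gives no usable reply (timeout/SERVFAIL). An NXDOMAIN
             is a definitive answer and does NOT trigger the fallback.
    'only':  the forwarder's reply is final; never resolve locally.
    """
    rcode = ask_forwarder(name, forwarder_reachable)
    if rcode in ("NOERROR", "NXDOMAIN"):
        # A definitive answer, positive or negative, ends the lookup
        # under both policies.
        return ("forwarder", rcode)
    if policy == "only":
        return ("forwarder", "SERVFAIL")
    # forward first: the forwarder failed, so resolve from local data.
    return ("local", "NOERROR" if name in IPA_ZONE else "NXDOMAIN")


if __name__ == "__main__":
    for policy in ("first", "only"):
        for reachable in (True, False):
            src, rc = resolve("ipahost.example.com.", policy, reachable)
            print(f"policy={policy:5} forwarder_up={reachable!s:5} -> {src}: {rc}")
```

The model shows why "forward first" looks like "forward only" here: the forwarder answers NXDOMAIN for IPA-only hosts, and that counts as an answer, so the local zone is only consulted when the forwarder is down.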