[Freeipa-users] DNS forward to sub domain not working

Petr Spacek pspacek at redhat.com
Tue Oct 23 08:53:43 UTC 2012


On 10/23/2012 10:29 AM, Fred van Zwieten wrote:
> Hi all,
>
> Thank you for your input. I found a more or less similar solution here
> <https://groups.google.com/forum/?fromgroups=#!topic/comp.protocols.dns.bind/mdhS0OxQnD4> (I
> tried Google first, but the art there is to formulate the correct search
> phrase..).
>
> I seem to have it working by doing this:
>
> 1. Add A record for subns.example.com
> 2. Add NS record for sub.example.com to subns.example.com
>
> Although Petr says to stay away from forwarders, it does not work without them.
> I had to enter zone forwarding addresses on example.com.
>
> After updates I only got it working after restarting named on the IPA server.
>
> Thank you for the answers
>
> Fred

Hello,

please provide detailed configuration for the IPA and "sub" DNS servers and I will 
investigate it.

For IPA, the best way is to export the whole DNS subtree to LDIF:
$ kinit admin
$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' > /tmp/ipa.ldif

/var/named/* and /etc/named.conf files from both servers (IPA and also plain 
BIND) would be useful.

You can post these files to me privately if you want.

Thank you!

Petr^2 Spacek

>
> On Tue, Oct 23, 2012 at 10:00 AM, Petr Spacek <pspacek at redhat.com> wrote:
>
>     On 10/23/2012 09:51 AM, Sumit Bose wrote:
>      > On Mon, Oct 22, 2012 at 08:57:56PM +0200, Fred van Zwieten wrote:
>      >> Hello,
>      >>
>      >> I have a problem. My setup:
>      >>
>      >> - IPA server for domain example.com on ipa.example.com
>      >> - DNS server sub.example.com on host.sub.example.com
>      >> - client.example.com with IP number of ipa.example.com in resolv.conf
>      >> - an A record for client.sub.example.com in DNS server host.sub.example.com
>      >>
>      >> Problem: I cannot resolve the address of client.sub.example.com from
>      >> client.example.com.
>      >>
>      >> I have tried all kinds of configs:
>      >> 1. Configured global forwarding in named.conf on ipa.example.com
>      >> 2. Configured zone forwarding in named.conf on ipa.example.com for zone
>      >> sub.example.com
>      >> 3. Configured global forwarding in IPA server
>      >> 4. Add a zone sub.example.com in IPA and configured forwarding on that
>      >> zone.
>      >>
>      >> Nothing works. I keep getting NXDOMAIN when doing a dig. If I query the DNS
>      >> server on host.sub.example.com directly, it resolves.
>      >>
>      >> Using RHEL6.3 on all hosts.
>      >>
>      >> I found an old bugzilla on recursion problems. In named.conf recursion is
>      >> allowed for "any".
>      >
>      > I think it is not a recursion issue, but related to delegation. Since
>      > the IPA DNS server on ipa.example.com thinks he is
>      > responsible/authoritative for the whole example.com he would also try to
>      > handle requests for sub.example.com.
>      >
>      > You have to tell the DNS server explicitly that there is another DNS
>      > server for sub.example.com by calling:
>      >
>      > ipa dnsrecord-add example.com subdns --a-ip-address=1.2.3.4
>      > ipa dnsrecord-add example.com sub --ns-hostname=subdns
>      >
>      > Please note that the DNS server for sub.example.com is now called
>      > 'subdns.example.com' since a name from the example.com domain is needed
>      > because otherwise the name cannot be resolved.
>      >
>      > HTH
>      >
>      > bye,
>      > Sumit
>      >
>      >>
>      >> I'm not sure if this is an IPA or a DNS issue..
>      >>
>      >> Fred
>
>     Hello,
>
>     please don't use forwarders, just create a NS+A record pair for
>     "sub.example.com" domain in IPA DNS as Sumit wrote above.
>
>     Current version seems to have some problems with forwarders, I will
>     investigate it.
>
>     Configurations with forwarders are often confusing, please don't use them if it
>     is not necessary.
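Added illustration of the delegation Sumit and Petr describe above; this is not code from the thread, from FreeIPA or from BIND. It is a toy authoritative lookup that walks one zone the way RFC 1034 section 4.3.2 prescribes: with no zone cut below example.com the server is authoritative for every name under it and answers NXDOMAIN for client.sub.example.com (Fred's symptom); once an NS record for sub.example.com and an A record for the in-zone name it points at exist, the same query gets a referral with glue instead. The zone contents, the 192.0.2.0/24 addresses and the helper names `lookup` and `delegation_problems` are all constructed for the example.

```python
"""Toy authoritative zone walk reproducing the NXDOMAIN from the thread and
showing what the NS + A (delegation + glue) pair changes.

All zone data and addresses below are constructed for this example
(192.0.2.0/24 is the documentation range); nothing touches the network or IPA."""
from dataclasses import dataclass, field


@dataclass
class Answer:
    rcode: str                                  # "NOERROR", "NXDOMAIN" or "REFUSED"
    rrsets: list = field(default_factory=list)  # (owner, type, rdata) triples
    referral: bool = False                      # True when pointing at a child zone


def _labels(name):
    """'Client.Sub.Example.com.' -> ('client', 'sub', 'example', 'com')"""
    return tuple(name.rstrip(".").lower().split("."))


def lookup(zone, apex, qname, qtype):
    """RFC 1034 section 4.3.2 style walk over a single authoritative zone.

    zone maps an owner name to {rrtype: [rdata, ...]}.  Walk from the apex
    toward qname; the first node below the apex that owns an NS RRset is a zone
    cut, so the server answers with a referral (NS RRset plus in-zone glue)
    instead of searching further.  With no cut the server believes it is
    authoritative for everything under the apex and an unknown name is NXDOMAIN,
    which is exactly what the IPA server said for client.sub.example.com."""
    q, a = _labels(qname), _labels(apex)
    if q[-len(a):] != a:
        return Answer("REFUSED")                # not our zone at all
    below = len(q) - len(a)                     # labels between apex and qname
    for depth in range(1, below + 1):
        node = ".".join(q[below - depth:])
        ns = zone.get(node, {}).get("NS", [])
        if ns:                                  # zone cut: delegate, do not answer
            rrsets = [(node, "NS", target) for target in ns]
            for target in ns:                   # glue for NS targets inside this zone
                t = target.rstrip(".").lower()
                for addr in zone.get(t, {}).get("A", []):
                    rrsets.append((t, "A", addr))
            return Answer("NOERROR", rrsets, referral=True)
    owner = ".".join(q)
    if owner not in zone:
        return Answer("NXDOMAIN")
    return Answer("NOERROR", [(owner, qtype, r) for r in zone[owner].get(qtype, [])])


def delegation_problems(zone, apex, child):
    """Parent-side sanity check of a delegation; empty list means the NS + A pair
    is complete from the parent's point of view."""
    problems = []
    ns = zone.get(child, {}).get("NS", [])
    if not ns:
        return [f"{child}: no NS RRset, parent keeps answering NXDOMAIN itself"]
    a = _labels(apex)
    for target in ns:
        t = target.rstrip(".").lower()
        in_zone = _labels(t)[-len(a):] == a
        if in_zone and not zone.get(t, {}).get("A"):
            # Sumit's point: a name under example.com can only be learned from the
            # parent, so the parent must carry its A record or nobody can reach it.
            problems.append(f"{child}: NS target {t} is inside {apex} but has no A record")
    return problems


# Constructed zone modelled on the thread: IPA authoritative for example.com,
# sub.example.com served by a separate BIND host.
ZONE_BEFORE = {
    "example.com":        {"SOA": ["ipa.example.com. hostmaster.example.com. 1 3600 900 1209600 3600"],
                           "NS": ["ipa.example.com."]},
    "ipa.example.com":    {"A": ["192.0.2.10"]},
    "client.example.com": {"A": ["192.0.2.20"]},
}

# The fix from the thread: NS record for sub.example.com plus an A record for
# the in-zone name it points at (the two `ipa dnsrecord-add` calls above).
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER["subdns.example.com"] = {"A": ["192.0.2.30"]}
ZONE_AFTER["sub.example.com"] = {"NS": ["subdns.example.com."]}

# Broken variant: delegation without glue, which no resolver can follow.
ZONE_NO_GLUE = dict(ZONE_BEFORE)
ZONE_NO_GLUE["sub.example.com"] = {"NS": ["subdns.example.com."]}


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        r = lookup(zone, "example.com", "client.sub.example.com", "A")
        print(f"{label}: rcode={r.rcode} referral={r.referral} rrsets={r.rrsets}")
    print("problems after  :", delegation_problems(ZONE_AFTER, "example.com", "sub.example.com"))
    print("problems no-glue:", delegation_problems(ZONE_NO_GLUE, "example.com", "sub.example.com"))
```

Run it as a script to see the before/after answers; the `delegation_problems` check is the same question an admin asks with `dig +norecurse @ipa.example.com sub.example.com NS` against the real server: is there an NS RRset at the cut, and does the parent also hold an A record for every NS target that lives under its own apex.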
