[Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

Genadi Postrilko genadipost at gmail.com
Wed Sep 24 16:00:00 UTC 2014


2014-09-22 9:29 GMT+03:00 Petr Spacek <pspacek at redhat.com>:

> 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
> they involve normal DNS cache.
>
> Which type of forwarder do you have configured? Is your 'forwarding policy'
> set to 'first' (default) or 'only'?
>
I have default forwarding policy:

[root at ipaserver1 ~]# ipa dnsconfig-show
  Global forwarders: 192.168.227.60


> Forwarding policy 'first' (combined with cache) could be the cause of your
> problem. 'First' policy instructs BIND to contact the configured server and
> if it fails (because of timeout) BIND will re-try the same query using
> normal recursion.
>
> Depending on your network configuration, the normal DNS recursion can
> return different results than forwarding(^1). In this case BIND can cache
> e.g. NXDOMAIN answer from some other server and this answer will stay in
> cache for TTL value in the given answer.
>
> As a result, IPA could get cached NXDOMAIN instead of correct SRV records
> for AD until the TTL in cache expires.
>
> This is of course a wild guess. Detailed logs from named (log level 5 or
> higher+querylog) could tell us what exactly happened.
>
>
This is the named log after I increased the debug level to 5 and enabled
querylog:

https://gist.github.com/anonymous/89308cbca3b07252674c


> Have a nice day!
>
> (^1) I would argue that this points to a flaw in network configuration...
>
>
The test environment is just a bunch of VMs in NAT configurations.

> Petr^2 Spacek
>
>
Thank you for the help.
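The mechanism Petr describes above (forward policy 'first' falling back to recursion, whose NXDOMAIN is then cached for its TTL and served to IPA even after the AD forwarder is back) is easy to see in a small model of a caching resolver. This is an added illustration, not code from the thread, FreeIPA or BIND; the AD zone name, the answers, the TTLs and the assumption that recursion from a NATed VM yields NXDOMAIN are all constructed.

```python
from dataclasses import dataclass, field

# Constructed AD SRV name and answers; nothing here comes from the list thread.
SRV = "_ldap._tcp.dc._msdcs.ad.example.test"
GOOD = "SRV 0 100 389 dc1.ad.example.test."

@dataclass
class Resolver:
    policy: str                       # 'first' (default) or 'only'
    forwarder_up: bool = True
    now: int = 0                      # simulated clock, seconds
    cache: dict = field(default_factory=dict)   # name -> (answer, expires_at)

    def forwarder(self, name):
        # The AD DC (the IPA global forwarder) holds the real SRV record;
        # while it reboots, queries to it time out.
        if not self.forwarder_up:
            raise TimeoutError
        return GOOD, 600

    def recursion(self, name):
        # Normal recursion from a NATed VM ends at a public resolver that has
        # never heard of the private AD zone: NXDOMAIN with negative TTL 300.
        return "NXDOMAIN", 300

    def query(self, name):
        hit = self.cache.get(name)
        if hit and hit[1] > self.now:
            return hit[0]              # served from cache, whoever put it there
        try:
            answer, ttl = self.forwarder(name)
        except TimeoutError:
            if self.policy == "only":
                return "SERVFAIL"      # not cached; next query retries forwarder
            answer, ttl = self.recursion(name)   # 'first': fall back to recursion
        self.cache[name] = (answer, self.now + ttl)
        return answer

def simulate(policy):
    """Answers seen while the forwarder is down, 10 s after it is back,
    and 300 s later when the negative TTL has expired."""
    r = Resolver(policy, forwarder_up=False)
    during = r.query(SRV)
    r.forwarder_up = True
    r.now += 10
    after = r.query(SRV)
    r.now += 300
    later = r.query(SRV)
    return during, after, later
```

With 'first', the second query still returns the cached NXDOMAIN although the forwarder is reachable again; with 'only', the outage shows up as an uncached SERVFAIL and the next query gets the real SRV record.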