[Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

Petr Spacek pspacek at redhat.com
Thu Sep 25 07:44:33 UTC 2014


On 24.9.2014 18:00, Genadi Postrilko wrote:
> 2014-09-22 9:29 GMT+03:00 Petr Spacek <pspacek at redhat.com>:
>
>> 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
>> they involve normal DNS cache.
>>
>> Which type of forwarder do you have configured? Is your 'forwarding policy'
>> set to 'first' (default) or 'only'?
>>
> I have default forwarding policy:
>
> [root at ipaserver1 ~]# ipa dnsconfig-show
>    Global forwarders: 192.168.227.60

Okay, your configuration is using default forwarding policy 'first'.

You can set it to 'only' using command
$ ipa dnsconfig-mod --forward-policy=only

I guess that it will fix the problem.

>> Forwarding policy 'first' (combined with cache) could be the cause of your
>> problem. 'First' policy instructs BIND to contact the configured server and
>> if it fails (because of timeout) BIND will re-try the same query using
>> normal recursion.
>>
>> Depending on your network configuration, the normal DNS recursion can
>> return different results than forwarding(^1). In this case BIND can cache
>> e.g. NXDOMAIN answer from some other server and this answer will stay in
>> cache for TTL value in the given answer.
>>
>> As a result, IPA could get cached NXDOMAIN instead of correct SRV records
>> for AD until the TTL in cache expires.
>>
>> This is of course a wild guess. Detailed logs from named (log level 5 or
>> higher+querylog) could tell us what exactly happened.
>>
>>
> This is the named log after I increased the debug level to 5 and enabled
> querylog:
>
> https://gist.github.com/anonymous/89308cbca3b07252674c

Unfortunately the log doesn't contain any information. I guess that you did 
not reproduce the problem after changing the debug level ...

-- 
Petr^2 Spacek
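For reference, the two forwarding policies compared in this thread, written as the equivalent plain BIND named.conf options (an added illustration, not configuration from the thread or from FreeIPA; the forwarder address is the one quoted above, and only one options block may appear in a real named.conf):

```conf
// Policy 'first' (the IPA default, weak in this scenario):
// named sends the query to 192.168.227.60 first, but if that times out it
// retries with normal recursion. Whatever recursion returns, e.g. NXDOMAIN
// from some other server, is cached for the TTL carried in that answer, so
// IPA keeps getting the cached NXDOMAIN instead of the AD SRV records.
options {
    forwarders { 192.168.227.60; };
    forward first;
};

// Policy 'only' (what 'ipa dnsconfig-mod --forward-policy=only' produces):
// named never falls back to recursion. A forwarder timeout yields SERVFAIL,
// which is not stored as a negative (NXDOMAIN) answer, so the next lookup is
// sent to the forwarder again once it is reachable.
options {
    forwarders { 192.168.227.60; };
    forward only;
};

// Note: changing the policy does not evict an NXDOMAIN that is already
// cached; it stays until its TTL expires unless the cache is cleared with
// 'rndc flush' (or 'rndc flushname <name>' for a single name).
```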