[Freeipa-users] DNS lookups after replica(master) added

Martin Basti mbasti at redhat.com
Wed Apr 22 18:52:06 UTC 2015


On 22/04/15 18:40, Cory Carlton wrote:
> Hey all,
>
> I for some reason do not ever get responses from doing DNS lookups to 
> my new servers that have been stood up and replicated as Masters with 
> CA, and DNS options entered at command line.
>
> Is there any trick or configuration to allow anonymous for my servers 
> without IPA Client installed to talk to these?
>
> It does not allow lookups.
> iptables has even been turned off for testing.
> telnet to the server on port 53 works.
> Stand-alone IPA server: LDAP, DNS, Kerberos usages.
>
>
>  [root at DOMAIN ~]# ipa dnsconfig-show --rights --all --raw
> ---------------------------------
> Global DNS configuration is empty
> ---------------------------------
>   dn: cn=dns,dc=int,dc=DOMAIN,dc=com
>   aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow 
> (read,search,compare) groupdn = "ldap:///cn=Read DNS 
> Entries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com" or userattr = 
> "parent[0,1].managedby#GROUPDN";)
>   aci: (target = 
> "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl 
> "Add DNS entries in a zone";allow (add) userattr = 
> "parent[1].managedby#GROUPDN";)
>   aci: (target = 
> "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl 
> "Remove DNS entries from a zone";allow (delete) userattr = 
> "parent[1].managedby#GROUPDN";)
>   aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl 
> || dnsclass || arecord || aaaarecord || a6record || nsrecord || 
> cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || 
> mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || 
> keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || 
> certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || 
> nsecrecord || idnsname || idnszoneactive || idnssoamname || 
> idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || 
> idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery 
> || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || 
> idnsforwarders")(target = 
> "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl 
> "Update DNS entries in a zone";allow (write) userattr = 
> "parent[0,1].managedby#GROUPDN";)
>   attributelevelrights: {'cn': u'rscwo', 'idnsforwardpolicy': 
> u'rscwo', 'objectclass': u'rscwo', 'idnsallowsyncptr': u'rscwo', 
> 'idnsforwarders': u'rscwo', 'idnspersistentsearch': u'rscwo', 
> 'idnszonerefresh': u'rscwo', 'aci': u'rscwo', 'nsaccountlock': u'rscwo'}
>   cn: dns
>   objectclass: idnsConfigObject
>   objectclass: nsContainer
>   objectclass: top
>
>
Hello,
Can you share more details please?

What is your IPA version?
What is your zone, how do you test it (dig/host command?), and what is the 
output of these commands?
Do you have any errors in the named log on the replicas? journalctl -u named or 
journalctl -u named-pkcs11 (depends on IPA version)
Is /etc/resolv.conf configured properly on the client?
What kind of anonymous connections to the DNS server do you mean? Standard 
DNS queries? nsupdate?

Martin

-- 
Martin Basti
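A small added troubleshooting helper (not from this thread or from FreeIPA) that runs the dig checks asked for above against a replica over both UDP and TCP and maps each answer to the next thing to inspect; the mapping of REFUSED to the zone's query ACL and of SERVFAIL to the named log is general BIND behaviour, and the host and record names in the usage line are placeholders.

```shell
#!/bin/sh
# Probe a FreeIPA replica's DNS on UDP and TCP and classify what comes back.
# Added example; hostnames used with probe() are placeholders, not real servers.

# classify_dig DIG_OUTPUT -> prints ok | refused | servfail | nxdomain | timeout | unknown
classify_dig() {
    out=$1
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        *"status: REFUSED"*)  echo refused ;;
        *"status: SERVFAIL"*) echo servfail ;;
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: NOERROR"*)  echo ok ;;
        *)                    echo unknown ;;
    esac
}

# explain CLASS -> the check to run next (defender's view: ACL, firewall, named log)
explain() {
    case "$1" in
        timeout)  echo "no reply on this transport: check UDP/TCP 53 in the firewall (a TCP telnet alone says nothing about UDP)" ;;
        refused)  echo "server replied but refused: check allow-query / idnsallowquery on the zone" ;;
        servfail) echo "server failed: check journalctl -u named or journalctl -u named-pkcs11 on the replica" ;;
        nxdomain) echo "zone is served but the name is unknown: check zone and record names" ;;
        ok)       echo "lookup works on this transport" ;;
        *)        echo "unrecognised dig output" ;;
    esac
}

# probe SERVER NAME: query the A record once over UDP and once over TCP
probe() {
    server=$1; name=$2
    for mode in "" "+tcp"; do
        out=$(dig @"$server" "$name" A +time=2 +tries=1 $mode 2>&1)
        cls=$(classify_dig "$out")
        printf '%s %s: %s (%s)\n' "$server" "${mode:-+udp}" "$cls" "$(explain "$cls")"
    done
}

# usage (placeholder names): probe replica1.int.example.com host1.int.example.com
```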
