[Freeipa-users] reverse DNS lookup does not work

Martin Basti mbasti at redhat.com
Fri Aug 14 08:16:46 UTC 2015



On 08/11/2015 04:47 PM, Nikola Kržalić wrote:
> reverse DNS lookup stopped working after I broke some replication
> agreements (perhaps unrelated, but worth mentioning). Regular A
> records resolve fine.
> The records can be seen in LDAP (using ldapsearch with GSSAPI after
> kinit -t /etc/named.keytab):
>
> the zone:
>
> # 0.63.10.in-addr.arpa., dns, ipa.example.net
> dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
> idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET
>    krb5-self * SSHFP;
> idnsAllowDynUpdate: TRUE
> idnsForwarders: 172.23.1.5
> idnsAllowSyncPTR: TRUE
> idnsSOAserial: 1439302482
> idnsSOArName: hostmaster.ipa.example.net.
> idnsZoneActive: TRUE
> idnsSOAexpire: 1209600
> nSRecord: ldap1.example.lan.
> idnsSOAminimum: 3600
> objectClass: idnszone
> objectClass: top
> objectClass: idnsrecord
> idnsAllowTransfer: none;
> idnsSOAretry: 900
> idnsSOArefresh: 3600
> idnsAllowQuery: any;
> idnsName: 0.63.10.in-addr.arpa.
> idnsSOAmName: ldap1.example.lan.
>
> the entry:
> # 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
> dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
> objectClass: top
> objectClass: idnsrecord
> cNAMERecord: ds02.example.lan.
> idnsName: 68
>
> but the reverse dns lookup fails anyway:
>
> [root at ldap1 ~]# dig -x 10.63.0.68
>
> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;68.0.63.10.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400
>
> ;; Query time: 4 msec
> ;; SERVER: 172.23.1.5#53(172.23.1.5)
> ;; WHEN: Tue Aug 11 14:40:08 UTC 2015
> ;; MSG SIZE  rcvd: 87
>
> [root at ldap1 ~]#
>
> Any thoughts?
>
Hello,

It seems that DNS delegation doesn't work, or you asked a non-IPA DNS server.

Do you have the right server in resolv.conf? (dig sent query to 172.23.1.5)

Do you have the reverse zone 10.in-addr.arpa. configured on IPA DNS, and does it 
have proper delegation to the 0.63.10.in-addr.arpa zone?

Do you use IPA 3.x or IPA 4.x?
If 3.x, there might be an issue with forwarding, because the zone 
0.63.10.in-addr.arpa works as a forward zone and forwards queries to 
server 172.23.1.5, which returns NXDOMAIN for that zone.
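An added diagnostic (my own code, not from this thread or from FreeIPA) that applies the checks above to the posted dig output: whether the answering server is one of the IPA DNS servers, whether the SOA in the AUTHORITY section belongs to the parent zone rather than the IPA-managed reverse zone (which is what a missing delegation or a forwarder that does not know the zone looks like), and whether the NXDOMAIN is authoritative. The set of IPA server addresses is an assumption; the dig excerpt is taken from the original post.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the dig output posted above.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400

;; SERVER: 172.23.1.5#53(172.23.1.5)
"""


def reverse_name(ip):
    """Build the PTR owner name dig -x queries, e.g. 10.63.0.68 -> 68.0.63.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def diagnose(dig_output, ip, ipa_zone, ipa_servers):
    """Return a list of findings that explain why the reverse lookup did not reach the IPA zone."""
    findings = []
    qname = reverse_name(ip)
    # The queried name must fall inside the zone that IPA manages in LDAP.
    if not qname.endswith("." + ipa_zone):
        findings.append(f"{qname} is not inside IPA zone {ipa_zone}")
    # Which server actually answered? resolv.conf may point somewhere else.
    m = re.search(r";; SERVER: ([\d.]+)#", dig_output)
    server = m.group(1) if m else None
    if server not in ipa_servers:
        findings.append(f"answered by {server}, which is not an IPA DNS server")
    # An SOA for a parent zone in AUTHORITY means the responder has no delegation
    # (or no forward zone) for the IPA-managed reverse zone.
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA", dig_output, re.M)
    if soa and soa.group(1) != ipa_zone:
        findings.append(f"authority SOA is {soa.group(1)}: no delegation to {ipa_zone}")
    # 'aa' plus NXDOMAIN: the responder claims authority and says the name does not exist.
    if "status: NXDOMAIN" in dig_output and "flags: qr aa" in dig_output:
        findings.append("authoritative NXDOMAIN from the responding server")
    return findings
```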





