[Freeipa-users] Forward first not working

Shaun Martin smartin at blackducksoftware.com
Wed Feb 25 17:51:42 UTC 2015


Hi Martin,

The zone name is the following for both servers.

Zone name:
1.10.in-addr.arpa.


I am using zone forwarders.

With forward first enabled, though, it should try and return an answer from the local DNS; it clearly does not, though. The only time I receive the local record is when forwarding is disabled.

Thanks,
Shaun

Shaun Martin
IT\OPS Manager
Black Duck Software
O: +1.781.425.4336

On Feb 25, 2015, at 12:42 PM, Martin Basti <mbasti at redhat.com> wrote:

On 25/02/15 17:59, Shaun Martin wrote:
Hi,

I am having an issue with forward first not appearing to work. I have two separate IPA servers that serve separate realms. For the reverse zone, I have configured forwarders to point to the other realm's IPA server. All versions are identical on the IPA servers. I have included details on versions and tests that show this is not working.

$ yum list installed |grep bind-dyndb-ldap
bind-dyndb-ldap.x86_64                 3.5-4.el7                       @base

$ yum list installed |grep ipa
ipa-admintools.x86_64                  3.3.3-28.0.1.el7.centos.3       @updates
ipa-client.x86_64                      3.3.3-28.0.1.el7.centos.3       @updates
ipa-python.x86_64                      3.3.3-28.0.1.el7.centos.3       @updates
ipa-server.x86_64                      3.3.3-28.0.1.el7.centos.3       @updates
libipa_hbac.x86_64                     1.11.2-68.el7_0.6               @updates
libipa_hbac-python.x86_64              1.11.2-68.el7_0.6               @updates
python-iniparse.noarch                 0.4-9.el7                       @anaconda
sssd-ipa.x86_64

BELOW IS WITH FORWARDING DISABLED. It cannot find 10.1.0.9 but can find 10.1.20.9. This is expected as this server only has the 10.1.20.9 record.
$ nslookup
> server 10.1.20.9
Default server: 10.1.20.9
Address: 10.1.20.9#53
> 10.1.20.9
Server: 10.1.20.9
Address: 10.1.20.9#53

9.20.1.10.in-addr.arpa name = prd-ops-ipa01.uzb.local.
> 10.1.0.9
Server: 10.1.20.9
Address: 10.1.20.9#53

** server can't find 9.0.1.10.in-addr.arpa.: NXDOMAIN

BELOW IS WITH FORWARDING ENABLED. It cannot find 10.1.20.9 but can find 10.1.0.9. This is expected as the forwarding server only has the 10.1.0.9 record.
> 10.1.20.9
Server: 10.1.20.9
Address: 10.1.20.9#53

** server can't find 9.20.1.10.in-addr.arpa.: NXDOMAIN
> 10.1.0.9
Server: 10.1.20.9
Address: 10.1.20.9#53

Non-authoritative answer:
9.0.1.10.in-addr.arpa name = ops-ipa01.bbf.local.

Authoritative answers can be found from:
1.10.in-addr.arpa nameserver = ops-ipa01.bbf.local.


BELOW IS WITH FORWARD FIRST ENABLED. It cannot find 10.1.20.9 but can find 10.1.0.9. This is unexpected as the local zone has the 10.1.20.9 and the forward server has the 10.1.0.9 so we should be getting both.
> 10.1.20.9
Server: 10.1.20.9
Address: 10.1.20.9#53

** server can't find 9.20.1.10.in-addr.arpa.: NXDOMAIN
> 10.1.0.9
Server: 10.1.20.9
Address: 10.1.20.9#53

Non-authoritative answer:
9.0.1.10.in-addr.arpa name = ops-ipa01.bbf.local.

Authoritative answers can be found from:
1.10.in-addr.arpa nameserver = ops-ipa01.bbf.local.
ops-ipa01.bbf.local internet address = 10.1.0.9


Any help is greatly appreciated.

Thanks,
Shaun




Hello,

We need more info:
Do you use global forwarders, or zone forwarders?
How are your reverse zones configured (name, delegation)?

Default forwarding policy is first; IMO both of your examples with forwarding enabled are forwarding first policy.

Martin


--
Martin Basti
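
Added example, not part of the original thread and not FreeIPA or bind-dyndb-ldap code: a simplified Python model of BIND's forward policies, in which `first` falls back to the server's own lookup only when the forwarder sends no response at all, so an NXDOMAIN from the forwarder is final. It assumes that queries for a zone with zone forwarders set are sent to the forwarder, as the transcripts above show; the function names, and the use of the local zone data as the fallback lookup, are hypothetical.

```python
# Added example: simplified model of forward policies (not project code).
NXDOMAIN = "NXDOMAIN"
SERVFAIL = "SERVFAIL"
POLICIES = ("none", "first", "only")

# Constructed from the PTR records shown in the transcripts above.
LOCAL_ZONE = {"9.20.1.10.in-addr.arpa.": "prd-ops-ipa01.uzb.local."}
REMOTE_ZONE = {"9.0.1.10.in-addr.arpa.": "ops-ipa01.bbf.local."}


def lookup(zone, qname):
    """Authoritative lookup: a missing name is a definitive NXDOMAIN."""
    return zone.get(qname, NXDOMAIN)


def make_forwarder(zone, reachable=True):
    """Hypothetical forwarder: returns an answer, or None if it never responds."""
    def forwarder(qname):
        return lookup(zone, qname) if reachable else None
    return forwarder


def resolve(qname, policy, forwarder, own_lookup):
    """Resolve qname under forward policy 'none', 'first' or 'only'."""
    if policy not in POLICIES:
        raise ValueError("unknown forward policy: %r" % policy)
    if policy == "none":
        return own_lookup(qname)
    reply = forwarder(qname)
    if reply is not None:
        # Any response, NXDOMAIN included, ends resolution: no fallback.
        return reply
    # The forwarder did not respond: 'first' falls back, 'only' fails.
    return own_lookup(qname) if policy == "first" else SERVFAIL


def run_matrix(reachable=True):
    """Resolve both PTR names under every policy; returns {(policy, name): result}."""
    fwd = make_forwarder(REMOTE_ZONE, reachable)
    names = list(LOCAL_ZONE) + list(REMOTE_ZONE)
    return {(p, n): resolve(n, p, fwd, lambda q: lookup(LOCAL_ZONE, q))
            for p in POLICIES for n in names}


if __name__ == "__main__":
    for key, val in run_matrix().items():
        print(key, "->", val)
```

With a reachable forwarder the model reproduces the three transcripts above; `run_matrix(reachable=False)` shows the only case in which `first` returns the local record.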
