[Freeipa-users] IPA 4.1.0 in RHEL 7.1

Martin Kosek mkosek at redhat.com
Thu Mar 12 07:30:22 UTC 2015


On 03/12/2015 12:17 AM, Dmitri Pal wrote:
> On 03/11/2015 04:37 PM, Steven Jones wrote:
>> ======
>> [root at vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns
>> --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg 
>> --skip-conncheck
>> Checking forwarders, please wait ...
>> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
>> Please fix forwarder configuration to enable DNSSEC support.
>> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
>> WARNING: DNSSEC validation will be disabled
>> ======
>>
>> The AD server is a win2k12r2.
> 
> Thanks, I will follow up.

As Dmitri said, all automatic DNSSEC key handling did not make the cut in
RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be
left with manual configuration as described in the upstream article:

http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support

We, however, still left this error message to make users and customers aware
that their name server is not ready even for manual DNSSEC. However, I did some
short research, and win2k12r2 should already support DNSSEC. Maybe the support
needs to be enabled.

What DNS server do you have in /etc/resolv.conf? The IPA DNS server with a
configured DNS forward zone, or the AD IP address directly? Martin Basti
(CCed) recently found an issue with this check and DNS forwarders IIRC.
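An added illustration, not part of this thread and not the installer's own check: "does not return DNSSEC signatures" means that a query carrying the EDNS0 DO bit should come back with RRSIG records for a signed zone, so the script below builds such a query and looks for type-46 RRs in the answer section. It is exercised on two constructed replies; `forwarder_returns_signatures` assumes UDP port 53 is reachable and that the queried name lives in a signed zone.

```python
import socket
import struct
RRSIG, OPT, DO_BIT = 46, 41, 0x8000  # RR types and the EDNS0 DO flag (RFC 4035)

def _name(qname):
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_do_query(qname, qtype=1, qid=0x1234):
    """Query with RD set and one additional RR: an EDNS0 OPT (size 4096) carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0)  # DO lives in the OPT TTL
    return header + _name(qname) + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Offset just past a name; a compression pointer (top bits 11) ends it in two bytes."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def answer_has_rrsig(msg):
    """True if the answer section contains an RRSIG RR, i.e. the server returns signatures."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # past QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == RRSIG:
            return True
        off += 10 + rdlen
    return False

def forwarder_returns_signatures(forwarder, qname="example.org", timeout=3.0):
    """Ask the forwarder with DO=1 over UDP; qname must be in a DNSSEC-signed zone."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_do_query(qname), (forwarder, 53))
        return answer_has_rrsig(s.recv(4096))

def _constructed_response(qname, rrs):
    """Constructed sample reply (not captured traffic); owner names use pointer 0xC00C."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    body = _name(qname) + struct.pack("!HH", 1, 1)
    for rtype, rdata in rrs:
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body
A_RR = (1, bytes([192, 0, 2, 1]))  # TEST-NET address, constructed
SIGNED = _constructed_response("example.org", [A_RR, (RRSIG, b"\x00" * 20)])  # forwarder OK
UNSIGNED = _constructed_response("example.org", [A_RR])  # what triggers the installer warning
```

Running `forwarder_returns_signatures("10.100.32.31")` against the forwarder from the log reproduces the installer's complaint when it returns False.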
