[Freeipa-users] IPA 4.1.0 in RHEL 7.1

Martin Basti mbasti at redhat.com
Thu Mar 12 11:02:58 UTC 2015


On 12/03/15 08:30, Martin Kosek wrote:
> On 03/12/2015 12:17 AM, Dmitri Pal wrote:
>> On 03/11/2015 04:37 PM, Steven Jones wrote:
>>> ======
>>> [root at vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns
>>> --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg
>>> --skip-conncheck
>>> Checking forwarders, please wait ...
>>> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
>>> Please fix forwarder configuration to enable DNSSEC support.
>>> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
>>> WARNING: DNSSEC validation will be disabled
>>> ======
>>>
>>> The AD server is a win2k12r2.
>> Thanks, I will follow up.
> As Dmitri said, all automatic DNSSEC key handling did not make the cut in
> RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be
> left with manual configuration as described in upstream article:
>
> http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support
>
> We, however, still left this error message to make users and customers aware
> that their name server is not ready even for manual DNSSEC. However, I did
> some short research, and win2k12r2 should already support DNSSEC. Maybe the
> support needs to be enabled.
>
> What DNS server do you have in /etc/resolv.conf? IPA DNS server + configured
> DNS forward zone, or do you have the AD IP address there directly? Martin Basti
> (CCed) recently found an issue with this check and DNS forwarders IIRC.
Hello,

IPA tests whether forwarders are able to return a signed root zone.
It is not an issue with the test itself; we always found a misconfiguration
on the forwarder side.
The issue is the warning message, because problems reported as DNSSEC
failures usually have a different root cause (which also prevents the use
of DNSSEC). We plan to make this validation more specific, to report the
correct issues.
This check happens only for global forwarders.

IPA automatically disables DNSSEC validation during installation if any
of the configured global forwarders is not DNSSEC capable.
With DNSSEC validation enabled, the DNS server may drop unsigned responses
from the forwarder.

Martin

-- 
Martin Basti
