[Freeipa-users] RHEL 7.2/Oracle Linux 7.2 - DNS FORWARD ZONE doesn't work!

Martin Basti mbasti at redhat.com
Wed Feb 24 12:28:12 UTC 2016



On 24.02.2016 12:53, Alexandre Borges wrote:
>
> Dear colleagues,
>
> How are you?
>
> I’ve been facing a horrible problem with RHEL 7.2 (and Oracle Linux
> 7.2) when configuring IPA dnsforwardzone during the Active Directory
> integration.
>
> My configuration follows:
>
> IPA Server: 192.168.1.195 (rhel72-1.example.com)
>
> Win2012 (AD): 192.168.1.229 (win2012.example.local) -> different domains!!!
>
> Last command executed:
>
> [root@rhel72-1 ~]# ipa dnszone-find
>   Zone name: 1.168.192.in-addr.arpa.
>   Active zone: TRUE
>   Authoritative nameserver: rhel72-1.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 1456310858
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Allow query: any;
>   Allow transfer: none;
>
>   Zone name: example.com.
>   Active zone: TRUE
>   Authoritative nameserver: rhel72-1.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 1456310858
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Allow query: any;
>   Allow transfer: none;
>   Allow in-line DNSSEC signing: FALSE
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> [root@rhel72-1 ~]# ipa dnsconfig-show
>   Global forwarders: 8.8.8.8, 8.8.4.4
>
> [root@rhel72-1 ~]# ipa dnsforwardzone-add example.local --forwarder=192.168.1.229 --forward-policy=only
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: WARNING: DNSSEC validation failed: record 'example.local. SOA'
> failed DNSSEC validation on server 192.168.1.195.
> Please verify your DNSSEC configuration or disable DNSSEC validation
> on all IPA servers.
>   Zone name: example.local.
>   Active zone: TRUE
>   Zone forwarders: 192.168.1.229
>   Forward policy: only
>
> [root@rhel72-1 ~]# ipa dnsforwardzone-find
>   Zone name: example.local.
>   Active zone: TRUE
>   Zone forwarders: 192.168.1.229
>   Forward policy: only
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root@rhel72-1 ~]# ping win2012.example.local
> ping: unknown host win2012.example.local
>
> I’ve already rebooted the host, but it hasn’t worked.
>
> The same problem is happening with Oracle Linux 7.2.
>
> Please, could you help me?
>
> I hope you have a nice day.
>
> Alexandre Borges.
>

Hello Alexandre,

Because you use the .local TLD, it will never be a DNSSEC-valid domain;
please disable DNSSEC validation on all DNS servers, as the warning from
dnsforwardzone-add suggested.

/etc/named.conf
set dnssec-validation to no

Martin Basti
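The change Martin describes, as a shell helper added here for illustration (not code from the thread or from FreeIPA): it flips dnssec-validation to no in the options block of a BIND named.conf and reports the resulting value. The sample config is constructed, and the real path on an IPA server is /etc/named.conf; because the option sits in the global options block, it turns validation off for every name the server resolves, not only example.local.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Flips
# dnssec-validation to "no" in the options block of a BIND named.conf
# and reports the resulting value. The sample config is constructed;
# on an IPA server the real file is /etc/named.conf.

# Print the last dnssec-validation value in the file, or "unset" when the
# option is absent (BIND then validates by default).
get_dnssec_validation() {
    _v=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\);.*/\1/p' "$1" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'unset\n'; fi
}

# Rewrite an existing dnssec-validation line, or add one right after
# "options {" when none exists. Writes through a temp file so a failed
# sed leaves the original untouched. Idempotent: a second run changes nothing.
set_dnssec_validation_no() {
    if grep -q '^[[:space:]]*dnssec-validation[[:space:]]' "$1"; then
        sed 's/^\([[:space:]]*dnssec-validation[[:space:]]*\)[a-z]*;/\1no;/' "$1" > "$1.tmp" || return 1
    else
        sed '/^[[:space:]]*options[[:space:]]*{/a\
\    dnssec-validation no;' "$1" > "$1.tmp" || return 1
    fi
    mv "$1.tmp" "$1"
}

# Constructed sample resembling the options block FreeIPA writes.
conf=$(mktemp)
cat > "$conf" <<'EOF'
options {
    listen-on port 53 { any; };
    dnssec-enable yes;
    dnssec-validation yes;
};
EOF
printf 'before: %s\n' "$(get_dnssec_validation "$conf")"   # before: yes
set_dnssec_validation_no "$conf"
printf 'after:  %s\n' "$(get_dnssec_validation "$conf")"   # after:  no
rm -f "$conf"
# Next step on a real server: run named-checkconf, then restart named.
```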
