[Freeipa-users] RHEL 7.2/Oracle Linux 7.2 - DNS FORWARD ZONE doesn't work!

Petr Spacek pspacek at redhat.com
Thu Feb 25 10:16:41 UTC 2016


On 24.2.2016 13:28, Martin Basti wrote:
> 
> 
> On 24.02.2016 12:53, Alexandre Borges wrote:
>>
>> Dear colleagues,
>>
>> How are you?
>>
>> I’ve been facing a horrible problem with RHEL 7.2 (and Oracle Linux 7.2)
>> when configuring IPA dnsforwardzone during the Active Directory integration.
>>
>> My configuration follows:
>>
>> IPA Server: 192.168.1.195 (rhel72-1.example.com)
>>
>> Win2012 (AD): 192.168.1.229 (win2012.example.local) -> different domains!!!
>>
>> Last command executed:
>>
>> [root@rhel72-1 ~]# ipa dnszone-find
>>   Zone name: 1.168.192.in-addr.arpa.
>>   Active zone: TRUE
>>   Authoritative nameserver: rhel72-1.example.com.
>>   Administrator e-mail address: hostmaster.example.com.
>>   SOA serial: 1456310858
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>
>>   Zone name: example.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: rhel72-1.example.com.
>>   Administrator e-mail address: hostmaster.example.com.
>>   SOA serial: 1456310858
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>   Allow in-line DNSSEC signing: FALSE
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> [root@rhel72-1 ~]# ipa dnsconfig-show
>>   Global forwarders: 8.8.8.8, 8.8.4.4
>>
>> [root@rhel72-1 ~]# ipa dnsforwardzone-add example.local --forwarder=192.168.1.229 --forward-policy=only
>> Server will check DNS forwarder(s).
>> This may take some time, please wait ...
>> ipa: WARNING: DNSSEC validation failed: record 'example.local. SOA' failed DNSSEC validation on server 192.168.1.195.
>> Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.
>>   Zone name: example.local.
>>   Active zone: TRUE
>>   Zone forwarders: 192.168.1.229
>>   Forward policy: only
>>
>> [root@rhel72-1 ~]# ipa dnsforwardzone-find
>>   Zone name: example.local.
>>   Active zone: TRUE
>>   Zone forwarders: 192.168.1.229
>>   Forward policy: only
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>> [root@rhel72-1 ~]# ping win2012.example.local
>> ping: unknown host win2012.example.local
>>
>> I’ve already rebooted the host, but it hasn’t worked.
>>
>> The same problem is happening with Oracle Linux 7.2.
>>
>> Please, could you help me, please?
>>
>> I hope you have a nice day.
>>
>> Alexandre Borges.
>>
> 
> Hello Alexandre,
> 
> because you use the .local TLD domain, it will never be a DNSSEC-valid domain,
> please disable DNSSEC validation on all DNS servers, as the warning from
> dnsforwardzone-add suggested.

Please note that this is only a workaround for an inherently broken configuration.

It goes directly against "System Prerequisites" stated on
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs

and

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_DNS_Traffic_with_DNSSEC.html#sec-Recommended_Naming_Practices


It should work but you might face various problems later on. This
configuration with made-up names is strongly discouraged.

FreeIPA upstream has the same recommendations in different words if you wish:
http://www.freeipa.org/page/DNS#Caveats

I hope this helps.
Petr^2 Spacek

> 
> /etc/named.conf
> set dnssec-validation to no
> 
> Martin Basti
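An added example, not part of this thread and not FreeIPA's own tooling: a small POSIX shell script that reproduces the check behind the "DNSSEC validation failed" warning above. It queries the IPA DNS server twice, once normally and once with the CD (checking disabled) bit set, so a validation failure (SERVFAIL without CD, NOERROR with CD) can be told apart from a forwarder that is genuinely unreachable. The server address, name and record type are assumed to be passed as command-line arguments; `dig` from bind-utils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): diagnose whether a
# forward zone lookup fails because of DNSSEC validation or because the
# forwarder does not answer at all.
# Assumptions: dig is installed; server, name and record type are given
# as the three command-line arguments, e.g.
#   sh dnssec-check.sh 192.168.1.195 win2012.example.local A

# parse_status: read dig output on stdin and print the RCODE from the
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: ..." line.
# Prints nothing if dig got no response (no header line is emitted then).
parse_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# dig_status <server> <name> <type> [extra dig options]
# Runs one query against the given server and prints its RCODE.
dig_status() {
    server="$1"; name="$2"; type="$3"; shift 3
    dig @"$server" "$name" "$type" +time=3 +tries=1 "$@" 2>/dev/null | parse_status
}

# classify_dnssec <status_without_cd> <status_with_cd>
# Combines the two RCODEs into a one-word diagnosis:
#   SERVFAIL normally but NOERROR with CD set means the resolver received an
#   answer and rejected it during validation; SERVFAIL both ways means the
#   forwarder (or something upstream of it) did not produce a usable answer.
classify_dnssec() {
    plain="$1"
    cd="$2"
    case "$plain:$cd" in
        :*)                 echo "no-response" ;;
        NOERROR:*)          echo "resolves" ;;
        SERVFAIL:NOERROR)   echo "dnssec-validation-failure" ;;
        SERVFAIL:SERVFAIL)  echo "forwarder-or-upstream-failure" ;;
        NXDOMAIN:*)         echo "name-does-not-exist" ;;
        *)                  echo "unknown" ;;
    esac
}

# Only run live queries when invoked with the three arguments; the
# functions above stay usable on their own otherwise.
if [ "$#" -eq 3 ]; then
    server="$1"; name="$2"; type="$3"
    plain=$(dig_status "$server" "$name" "$type")
    cd=$(dig_status "$server" "$name" "$type" +cd)
    echo "without CD: ${plain:-no response}; with CD: ${cd:-no response}"
    echo "diagnosis: $(classify_dnssec "$plain" "$cd")"
fi
```

Run it against the IPA server for the name that `ping` could not resolve. A result of `dnssec-validation-failure` confirms Martin's diagnosis: the forwarder at 192.168.1.229 is answering, and it is the validating resolver on the IPA server that discards the reply because nothing under a made-up TLD such as .local can chain to the root trust anchor. A result of `forwarder-or-upstream-failure` or `no-response` points at connectivity or the AD DNS server instead, and disabling validation would not help.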
