[Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

Nathan Peters Nathan.Peters at globalrelay.net
Wed Jan 27 01:54:19 UTC 2016


I have my FreeIPA server setup with a forward only policy for DNS.

If I perform an nslookup against either of the configured forward servers, I can do a reverse lookup properly.

If I perform the same nslookup against my local server, it will not find the entry.

I have confirmed that there are no conflicting zones or reverse zones on my FreeIPA server.

Tests below:

1. Show forwarding configuration

2. Test lookup against localhost of own domain name (prove we can find records we host as primary)

3. Prove we can do forward lookup on the host that we can't reverse lookup on

4. Reverse lookup fails against localhost

5. Reverse lookup succeeds against forward server 1

6. Reverse lookup succeeds against forward server 2

So... if I am set to always forward, and I don't host this domain (or a parent of it), and I can look up the server on my forwarded domains,

then... why can't that query get forwarded properly according to my forwarding settings?

1. ===========================
[root@dc2-ipa-dev-van ~]# ipa dnsconfig-show
  Global forwarders: 10.21.0.15, 10.21.0.14
  Forward policy: only
  Allow PTR sync: TRUE
2. ===========================
[root@dc2-ipa-dev-van ~]# nslookup
> dc2-ipa-dev-van.dev-mydomain.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   dc2-ipa-dev-van.dev-mydomain.net
Address: 10.21.0.98
3. ===========================
> officedc2.office.mydomain.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   officedc2.office.mydomain.net
Address: 10.6.60.6
4. ===========================
> 10.6.60.6
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find 6.60.6.10.in-addr.arpa: NXDOMAIN
5. ===========================
> server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
> 10.6.60.6
Server:         10.21.0.14
Address:        10.21.0.14#53

Non-authoritative answer:
6.60.6.10.in-addr.arpa  name = officedc2.office.mydomain.net.

Authoritative answers can be found from:
6. ===========================
> server 10.21.0.15
Default server: 10.21.0.15
Address: 10.21.0.15#53
> 10.6.60.6
Server:         10.21.0.15
Address:        10.21.0.15#53

Non-authoritative answer:
6.60.6.10.in-addr.arpa  name = officedc2.office.mydomain.net.

Authoritative answers can be found from:
>
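The check below is an added example and is not part of the original post or of FreeIPA itself. It models the reasoning in the message: a PTR query should only be answered locally when the server is authoritative for a zone covering the reverse name, otherwise a forward-only policy should send it to the global forwarders. The one caveat worth modelling is that BIND 9 serves built-in empty zones for the RFC 1918 reverse space (RFC 6303, e.g. 10.in-addr.arpa) unless a zone of that name is configured or empty zones are disabled, so a PTR query for a 10.x.x.x address can get a local NXDOMAIN instead of being forwarded. The forwarders and dev-mydomain.net come from the post; the 0.21.10.in-addr.arpa reverse zone is a hypothetical stand-in for whatever reverse zones the server really hosts.

```python
"""Added example (not from the mailing-list post): work out which component
of a forward-only BIND/FreeIPA resolver should answer a reverse (PTR) query."""
import ipaddress

# Constructed from the post: the global forwarding settings shown by `ipa dnsconfig-show`.
GLOBAL_FORWARDERS = ["10.21.0.15", "10.21.0.14"]
FORWARD_POLICY = "only"

# Zones this server answers itself. dev-mydomain.net is from the post; the
# 0.21.10.in-addr.arpa reverse zone is a hypothetical assumption.
LOCAL_ZONES = ["dev-mydomain.net", "0.21.10.in-addr.arpa"]

# IPv4 reverse zones for RFC 1918 space that BIND 9 serves as built-in empty
# zones (RFC 6303) unless they are configured explicitly or empty zones are
# disabled. RFC 6303 lists more (loopback, link-local, IPv6); these are the
# ones that matter for private-address PTR lookups like the one in the post.
RFC1918_EMPTY_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
)


def reverse_name(address):
    """PTR owner name for an IPv4/IPv6 address: 10.6.60.6 -> 6.60.6.10.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def _labels(name):
    return name.rstrip(".").lower().split(".")


def covering_zone(name, zones):
    """Longest zone in `zones` that contains `name`, matched on whole label
    boundaries, so 'mydomain.net' does not match 'dev-mydomain.net'."""
    labels = _labels(name)
    best = None
    for zone in zones:
        zl = _labels(zone)
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best)):
                best = zone
    return best


def expected_answer_source(address, local_zones=LOCAL_ZONES,
                           policy=FORWARD_POLICY, empty_zones_enabled=True):
    """Who answers the PTR query for `address`:
    'local'      - a hosted zone covers the reverse name
    'empty-zone' - BIND's built-in empty zone answers NXDOMAIN locally
    'forwarders' - the query goes to the global forwarders
    'recursion'  - no forwarding configured, normal recursion"""
    name = reverse_name(address)
    if covering_zone(name, local_zones):
        return "local"
    if empty_zones_enabled and covering_zone(name, RFC1918_EMPTY_ZONES):
        return "empty-zone"
    if policy in ("only", "first"):
        return "forwarders"
    return "recursion"


def suppressing_empty_zone(address, local_zones=LOCAL_ZONES):
    """The built-in empty zone that would swallow the PTR query for `address`,
    or None if no empty zone is in the way. Configuring a zone of exactly this
    name (for example as a forward zone) stops BIND from creating the empty one."""
    name = reverse_name(address)
    if covering_zone(name, local_zones):
        return None
    return covering_zone(name, RFC1918_EMPTY_ZONES)


if __name__ == "__main__":
    for ip in ("10.6.60.6", "10.21.0.98", "8.8.8.8"):
        print(ip, reverse_name(ip), expected_answer_source(ip),
              suppressing_empty_zone(ip))
```

For the address in the post, `expected_answer_source("10.6.60.6")` comes back as `empty-zone` with empty zones enabled and `forwarders` with them disabled, which matches the observed behaviour (local NXDOMAIN, forwarders answer). `suppressing_empty_zone("10.6.60.6")` names `10.in-addr.arpa`, the zone one would define explicitly, e.g. with `ipa dnsforwardzone-add 10.in-addr.arpa --forwarder=10.21.0.15 --forwarder=10.21.0.14 --forward-policy=only`, so that the query is forwarded instead of answered from the empty zone; confirm afterwards with `dig @127.0.0.1 -x 10.6.60.6` from the FreeIPA host.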