[Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones
Petr Spacek
pspacek at redhat.com
Wed Jan 27 08:23:19 UTC 2016
On 27.1.2016 02:54, Nathan Peters wrote:
> I have my FreeIPA server setup with a forward only policy for DNS.
>
> If I perform an nslookup against either of the configured forward servers, I can do a reverse lookup properly.
>
> If I perform the same nslookup against my local server, it will not find the entry.
>
> I have confirmed that there are no conflicting zones or reverse zones on my FreeIPA server.
>
> Tests below :
>
> 1. Show forwarding configuration
>
> 2. Test lookup against localhost of own domain name (prove we can find records we host as primary)
>
> 3. Prove we can do forward lookup on the host that we can't reverse lookup on
>
> 4. Reverse lookup fails against localhost
>
> 5. Reverse lookup succeeds against forward server 1
>
> 6. Reverse lookup succeeds against forward server 2
>
> So... if I am set to always forward, and I don't host this domain (or a parent of it), and I can lookup the server on my forwarded domains,
>
> Then... why can't that query get forwarded properly according to my forwarding settings ?
>
> 1. ===========================
> [root at dc2-ipa-dev-van ~]# ipa dnsconfig-show
> Global forwarders: 10.21.0.15, 10.21.0.14
> Forward policy: only
> Allow PTR sync: TRUE
> 2. ===========================
> [root at dc2-ipa-dev-van ~]# nslookup
>> dc2-ipa-dev-van.dev-mydomain.net
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Name: dc2-ipa-dev-van.dev-mydomain.net
> Address: 10.21.0.98
> 3. ===========================
>> officedc2.office.mydomain.net
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: officedc2.office.mydomain.net
> Address: 10.6.60.6
> 4. ===========================
>> 10.6.60.6
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find 6.60.6.10.in-addr.arpa: NXDOMAIN
> 5. ===========================
>> server 10.21.0.14
> Default server: 10.21.0.14
> Address: 10.21.0.14#53
>> 10.6.60.6
> Server: 10.21.0.14
> Address: 10.21.0.14#53
>
> Non-authoritative answer:
> 6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.
>
> Authoritative answers can be found from:
> 6. ===========================
>> server 10.21.0.15
> Default server: 10.21.0.15
> Address: 10.21.0.15#53
>> 10.6.60.6
> Server: 10.21.0.15
> Address: 10.21.0.15#53
>
> Non-authoritative answer:
> 6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.
>
> Authoritative answers can be found from:
Hello,
I suspect that you hit a deficiency in bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/160
I'm working on a fix but it is not ready yet.
Workaround is to add following line to named.conf on all IPA servers:
disable-empty-zone "10.in-addr.arpa.";
Please confirm that it works for you.
--
Petr^2 Spacek
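The behaviour in steps 4 to 6 above follows from BIND serving the RFC 1918 reverse space (10.in-addr.arpa, 16.172.in-addr.arpa through 31.172.in-addr.arpa, 168.192.in-addr.arpa and the other RFC 6303 zones) as built-in "empty" authoritative zones: the local named answers NXDOMAIN from its own empty zone instead of consulting the forwarders, which is what disable-empty-zone switches off for one zone. As an added example, not code from the thread or from FreeIPA/bind-dyndb-ldap, the helper below takes an address such as 10.6.60.6, derives its PTR name, reports which built-in empty zone would swallow the query, and checks whether a named.conf fragment already carries the matching disable-empty-zone statement. The zone list is BIND's default IPv4 empty-zone set as documented in the BIND ARM (RFC 6303 plus the 100.64.0.0/10 zones from RFC 6598) and should be treated as an assumption to compare against your BIND version; the two named.conf fragments are constructed for the example.

```python
"""Which BIND built-in empty zone swallows a PTR query, and is the
disable-empty-zone workaround already present in named.conf?

Added example, not from the mailing-list thread or from FreeIPA /
bind-dyndb-ldap. BUILTIN_EMPTY_ZONES is an assumption: BIND's default
IPv4 empty zones per the BIND ARM (RFC 6303 + RFC 6598 ranges).
"""
import ipaddress
import re

# Assumed default IPv4 empty-zone set. Verify against your BIND version.
BUILTIN_EMPTY_ZONES = (
    [
        "10.in-addr.arpa",
        "168.192.in-addr.arpa",
        "0.in-addr.arpa",
        "127.in-addr.arpa",
        "254.169.in-addr.arpa",
        "2.0.192.in-addr.arpa",
        "100.51.198.in-addr.arpa",
        "113.0.203.in-addr.arpa",
        "255.255.255.255.in-addr.arpa",
    ]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]      # 172.16.0.0/12
    + [f"{i}.100.in-addr.arpa" for i in range(64, 128)]     # 100.64.0.0/10
)

# Constructed sample fragments (not from the thread). On a real IPA server
# the forwarders live in LDAP (ipa dnsconfig-show); the options block is
# only here to give the regex something realistic to scan.
NAMED_CONF_BEFORE = """
options {
    forwarders { 10.21.0.15; 10.21.0.14; };
    forward only;
};
"""

NAMED_CONF_AFTER = """
options {
    forwarders { 10.21.0.15; 10.21.0.14; };
    forward only;
    // Workaround from the thread: let the PTR query reach the forwarders
    // instead of being answered NXDOMAIN by the built-in empty zone.
    disable-empty-zone "10.in-addr.arpa.";
};
"""


def ptr_name(ip: str) -> str:
    """Reverse-lookup owner name for an IPv4 address, without trailing dot.
    10.6.60.6 -> 6.60.6.10.in-addr.arpa"""
    return ipaddress.IPv4Address(ip).reverse_pointer


def covering_empty_zone(ip: str):
    """Return the built-in empty zone at or above the PTR name, else None.
    The default zones do not nest, so first match is the only match."""
    name = ptr_name(ip)
    for zone in BUILTIN_EMPTY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def disable_statement(zone: str) -> str:
    """The named.conf line Petr suggested, generalized to any empty zone."""
    return f'disable-empty-zone "{zone}.";'


def named_conf_disables(named_conf: str, zone: str) -> bool:
    """True if named.conf already disables `zone`. Comments are stripped
    first so a commented-out statement does not count; the trailing dot
    on the zone name is optional, as BIND accepts both spellings."""
    text = re.sub(r"(//|#)[^\n]*", "", named_conf)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    pattern = re.compile(
        r'disable-empty-zone\s+"' + re.escape(zone) + r'\.?"\s*;'
    )
    return pattern.search(text) is not None


def diagnose(ip: str, named_conf: str) -> dict:
    """One-shot check for the symptom in the thread: which empty zone is
    in the way for this address, and is the workaround already applied?"""
    zone = covering_empty_zone(ip)
    return {
        "ptr": ptr_name(ip),
        "empty_zone": zone,
        "disabled": zone is not None and named_conf_disables(named_conf, zone),
        "fix": disable_statement(zone) if zone else None,
    }


if __name__ == "__main__":
    for conf in (NAMED_CONF_BEFORE, NAMED_CONF_AFTER):
        print(diagnose("10.6.60.6", conf))
```

Two caveats a practitioner would want: the statement has to be added on every IPA server (each runs its own named with its own empty zones), and the blanket alternative, empty-zones-enable no;, would also stop the local NXDOMAIN for 127.in-addr.arpa, 0.in-addr.arpa and the rest, so reverse queries for those ranges would start reaching the forwarders as well.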