[Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

Petr Spacek pspacek at redhat.com
Wed Jan 27 08:23:19 UTC 2016


On 27.1.2016 02:54, Nathan Peters wrote:
> I have my FreeIPA server setup with a forward only policy for DNS.
> 
> If I perform an nslookup against either of the configured forward servers, I can do a reverse lookup properly.
> 
> If I perform the same nslookup against my local server, it will not find the entry.
> 
> I have confirmed that there are no conflicting zones or reverse zones on my FreeIPA server.
> 
> Tests below :
> 
> 1.    Show forwarding configuration
> 
> 2.    Test lookup against localhost of own domain name (prove we can find records we host as primary)
> 
> 3.    Prove we can do forward lookup on the host that we can't reverse lookup on
> 
> 4.    Reverse lookup fails against localhost
> 
> 5.    Reverse lookup succeeds against forward server 1
> 
> 6.    Reverse lookup succeeds against forward server 2
> 
> So... if I am set to always forward, and I don't host this domain (or a parent of it), and I can lookup the server on my forwarded domains,
> 
> Then... why can't that query get forwarded properly according to my forwarding settings ?
> 
> 1. ===========================
> [root at dc2-ipa-dev-van ~]# ipa dnsconfig-show
>   Global forwarders: 10.21.0.15, 10.21.0.14
>   Forward policy: only
>   Allow PTR sync: TRUE
> 2. ===========================
>   [root at dc2-ipa-dev-van ~]# nslookup
>> dc2-ipa-dev-van.dev-mydomain.net
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Name:   dc2-ipa-dev-van.dev-mydomain.net
> Address: 10.21.0.98
> 3. ===========================
>> officedc2.office.mydomain.net
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> Name:   officedc2.office.mydomain.net
> Address: 10.6.60.6
> 4. ===========================
>> 10.6.60.6
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> ** server can't find 6.60.6.10.in-addr.arpa: NXDOMAIN
> 5. ===========================
>> server 10.21.0.14
> Default server: 10.21.0.14
> Address: 10.21.0.14#53
>> 10.6.60.6
> Server:         10.21.0.14
> Address:        10.21.0.14#53
> 
> Non-authoritative answer:
> 6.60.6.10.in-addr.arpa  name = officedc2.office.mydomain.net.
> 
> Authoritative answers can be found from:
> 6. ===========================
>> server 10.21.0.15
> Default server: 10.21.0.15
> Address: 10.21.0.15#53
>> 10.6.60.6
> Server:         10.21.0.15
> Address:        10.21.0.15#53
> 
> Non-authoritative answer:
> 6.60.6.10.in-addr.arpa  name = officedc2.office.mydomain.net.
> 
> Authoritative answers can be found from:

Hello,

I suspect that you hit a deficiency in bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/160

I'm working on a fix but it is not ready yet.

The workaround is to add the following line to named.conf on all IPA servers:
disable-empty-zone "10.in-addr.arpa.";

Please confirm that it works for you.

-- 
Petr^2 Spacek
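An added example, not part of the thread, that works out why the workaround names 10.in-addr.arpa: BIND serves built-in empty zones for the RFC 1918 reverse ranges (RFC 6303), so a PTR query for 10.6.60.6 gets a local NXDOMAIN from the empty zone instead of being forwarded. The script maps an address to its PTR name and to the empty zone that would intercept it, and audits a named.conf fragment (constructed here, not the poster's config) for the required disable-empty-zone lines.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# BIND's automatic empty zones for the RFC 1918 reverse ranges (RFC 6303 section 4).
# Only these ranges are listed; BIND's full built-in list is longer.
RFC1918_EMPTY_ZONES = {
    "10.0.0.0/8": "10.in-addr.arpa.",
    "192.168.0.0/16": "168.192.in-addr.arpa.",
}
# 172.16.0.0/12 is covered by sixteen /16 zones: 16.172.in-addr.arpa. .. 31.172.in-addr.arpa.
for _i in range(16, 32):
    RFC1918_EMPTY_ZONES[f"172.{_i}.0.0/16"] = f"{_i}.172.in-addr.arpa."


def ptr_name(ip: str) -> str:
    """Reverse name queried for an IPv4 address, e.g. 10.6.60.6 -> 6.60.6.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def intercepting_empty_zone(ip: str) -> Optional[str]:
    """Built-in empty zone that answers a PTR query for ip locally, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for prefix, zone in RFC1918_EMPTY_ZONES.items():
        if addr in ipaddress.ip_network(prefix):
            return zone
    return None


def disabled_empty_zones(named_conf: str) -> set:
    """Zones already switched off with disable-empty-zone in a named.conf text (comments ignored)."""
    text = re.sub(r"(//|#)[^\n]*", "", named_conf)           # strip line comments
    found = re.findall(r'disable-empty-zone\s+"([^"]+)"\s*;', text)
    return {z if z.endswith(".") else z + "." for z in found}  # normalise trailing dot


def missing_workaround_lines(named_conf: str, ips: Iterable[str]) -> List[str]:
    """named.conf lines still needed so PTR queries for these addresses reach the forwarders."""
    already = disabled_empty_zones(named_conf)
    needed = {z for ip in ips if (z := intercepting_empty_zone(ip)) and z not in already}
    return [f'disable-empty-zone "{z}";' for z in sorted(needed)]


# Constructed sample: a named.conf that forwards globally but leaves the empty zones enabled.
SAMPLE_NAMED_CONF = """
options {
    forwarders { 10.21.0.15; 10.21.0.14; };
    forward only;
    // disable-empty-zone "10.in-addr.arpa.";   (commented out, so still enabled)
};
"""
```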