[Freeipa-users] dns zone forward - no valid signature found

Petr Spacek pspacek at redhat.com
Thu Jul 7 07:09:36 UTC 2016


On 6.7.2016 16:37, lejeczek wrote:
> hi everybody
> 
> I think this was working some time ago, but for a while queries IPA's DNS
> forwards have wound up like this:
> 
> validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found
> validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS)
> error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53
> 
> dig at IPA DNS and nothing, logs:
> 
>   validating @0x7f85e0134880: my.dom SOA: no valid signature found
>   validating @0x7f85e0134880: my.dom NSEC: no valid signature found
>   validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found
>   validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
> 
> I dig +dnssec directly at the receiving server and result seems normal, no
> errors.
> 
> IPA's DNS is not DNSSEC-signed, is this the root of the problem? Or what else might
> be?

Obfuscated domain names are making it impossible to tell where the problem lies.

Try dnsviz.net or a similar tool, enter the domain name into it and let it diagnose
the domain for you. If DNSviz claims that the domain is correctly signed (or
not) then the problem is likely in the forwarder configuration.

All forwarders used in your DNS chain have to be configured with the equivalent of
the named.conf option 'dnssec-enable yes;'.

I hope this helps.

-- 
Petr^2 Spacek
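One way to check each forwarder in the chain for the condition Petr describes, as an added example that is not part of this thread or of FreeIPA: it parses a captured `dig +dnssec` reply from one forwarder and reports whether RRSIG records came back and whether the forwarder set the `ad` flag. The two sample replies, the 192.0.2.10 address and the `query_forwarder` helper are constructed for this example.

```python
import re
import subprocess

# Constructed sample: 'dig +dnssec' reply from a forwarder that passes DNSSEC
# records through (RRSIG in the answer) and validated the answer itself ('ad').
GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
swir.my.dom.\t300\tIN\tA\t192.0.2.10
swir.my.dom.\t300\tIN\tRRSIG\tA 8 3 300 20160801000000 20160701000000 12345 my.dom. AbCd==
;; Query time: 3 msec
"""

# Constructed sample: the same query through a forwarder that does not return
# DNSSEC records (e.g. 'dnssec-enable no;'): the RRSIG is gone, so a validating
# resolver behind it can only log "no valid signature found".
STRIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
swir.my.dom.\t300\tIN\tA\t192.0.2.10
"""

def _answer_section(dig_output):
    """Return the text between ';; ANSWER SECTION:' and the next ';;' marker."""
    parts = dig_output.split(";; ANSWER SECTION:", 1)
    if len(parts) < 2:
        return ""
    return re.split(r"^;;", parts[1], maxsplit=1, flags=re.M)[0]

def check_forwarder(dig_output):
    """Classify one forwarder from its captured 'dig +dnssec' reply."""
    m = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    flags = set(m.group(1).split()) if m else set()
    rrsigs = len(re.findall(r"^\S+\s+\d+\s+IN\s+RRSIG\s", _answer_section(dig_output), re.M))
    if rrsigs == 0:
        verdict = "strips DNSSEC records: check 'dnssec-enable yes;' on this forwarder"
    elif "ad" in flags:
        verdict = "passes DNSSEC records and validates them itself"
    else:
        verdict = "passes DNSSEC records through; validation is left to the client"
    return {"rrsigs": rrsigs, "ad": "ad" in flags, "verdict": verdict}

def query_forwarder(forwarder, name):
    """Run dig with the DO bit set against one forwarder and classify the reply."""
    out = subprocess.run(["dig", "+dnssec", "@" + forwarder, name, "A"],
                         capture_output=True, text=True, check=False).stdout
    return check_forwarder(out)
```

Call `query_forwarder` once per forwarder in the chain (for the logs above that would start with 192.168.2.100 and the name that failed validation); any forwarder reported as stripping DNSSEC records is the one whose configuration needs the `dnssec-enable yes;` equivalent.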
