[Freeipa-users] Error with DNS forwarding on replica.

Petr Spacek pspacek at redhat.com
Thu Jul 7 14:28:52 UTC 2016


On 15.6.2016 09:37, Nuno Higgs wrote:
> Hello Petr,
> 
> [root at slave ~]# cat  /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support
> 
> It’s empty.

Interesting. At this point I'm unable to say what happened to your install. If
it happens again please get back to us and we will investigate.

Petr^2 Spacek

> 
> Thanks
> Nuno
> 
>> On 15 Jun 2016, at 07:45, Petr Spacek <pspacek at redhat.com> wrote:
>>
>> On 14.6.2016 17:29, Nuno Higgs wrote:
>>> Hello,
>>>
>>> I am running CentOS7:
>>>
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> I configured my DNS forwarder when I did the install process of the secondary node of IPA:
>>>
>>> [root at slave ~]#  ipa-replica-install --setup-ca --setup-dns --forwarder  10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
>>
>> Interesting, 4.2.0 should have checks to detect this problem.
>>
>> Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?
>>
>> It should be something like
>> "DNS server <IP address> does not support DNSSEC"
>>
>> Thanks.
>>
>> Petr^2 Spacek
>>
>>
>>>
>>> Thanks,
>>> Nuno
>>>
>>>> On 14 Jun 2016, at 15:28, Petr Spacek <pspacek at redhat.com> wrote:
>>>>
>>>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>>>> Hello,
>>>>>
>>>>> Found it:
>>>>>
>>>>> It appears that my forwarder is NOT DNSSEC happy:
>>>>>
>>>>> in:  /var/named/data/named.run
>>>>>
>>>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>>>
>>>>> So, i changed the /etc/named.conf 
>>>>>
>>>>> from:
>>>>>
>>>>> 	dnssec-enable yes;
>>>>> 	dnssec-validation yes;
>>>>>
>>>>> to:
>>>>>
>>>>> 	dnssec-enable yes;
>>>>> 	dnssec-validation no;
>>>>>
>>>>> Everything is working fine now.
>>>>
>>>> Okay, it explains a lot.
>>>>
>>>> Please note that the configuration "dnssec-validation no;" lowers the security bar for
>>>> attackers and is strongly discouraged!
>>>>
>>>> The issue is most likely caused by a non-compliant forwarder which mangles DNS
>>>> data somehow before it reaches your IPA DNS server.
>>>>
>>>> I would recommend you check the DNS forwarder on 10.0.157.35 and see that it is
>>>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>>>> returning back to "dnssec-validation yes;" after fixing the forwarder config.
>>>>
>>>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>>>> you try to configure them using IPA commands.
>>>>
>>>> What version of IPA do you use?
>>>>
>>>> How did you configure the forwarder in IPA?
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>>
>>>>> Thanks for your help!
>>>>> Nuno
>>>>>
>>>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>>>>>
>>>>>> Hello again,
>>>>>>
>>>>>> [root at ipa01 ~]# kinit user
>>>>>> Password for user at DOMAIN.LOCAL:
>>>>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>>>> Zone name: domain.eu.
>>>>>> Active zone: TRUE
>>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>> Forward policy: only
>>>>>> [root at ipa01 ~]#
>>>>>>
>>>>>>
>>>>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>>> Zone name: domain.eu.
>>>>>> Active zone: TRUE
>>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>> Forward policy: only
>>>>>> [root at ipa02 ~]#
>>>>>>
>>>>>> On both servers the return is the same.
>>>>>> I haven't touched the DNS config besides deleting the zone and recreating
>>>>>> it.
>>>>>>
>>>>>> I am at a loss. What can be the issue here?
>>>>>>
>>>>>> Thanks,
>>>>>> Nuno
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: freeipa-users-bounces at redhat.com
>>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>>>> Sent: Monday, 13 June 2016 06:50
>>>>>> To: freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>>>
>>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>>>>>> geographic replication.
>>>>>>>
>>>>>>> I have added it as stated in the documentation here:
>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>>>
>>>>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>>>>>> success within the replica.
>>>>>>>
>>>>>>> However there is a problem with the DNS sections:
>>>>>>>
>>>>>>> Although DNS is OK, my configuration within IPA on the first server
>>>>>>> regarding DNS zones that are set to forward only is not.
>>>>>>>
>>>>>>> In my first server, I can do a forward of a domain - let's say
>>>>>>> domain.eu. On the second server (replica) the forward is shown
>>>>>>> configured correctly within the webgui but it does not work, giving
>>>>>>> an NX error on query www.domain.eu (the A record exists and is shown
>>>>>>> on the first server). It also shows on dig on the replica
>>>>>>> (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>>>>>>>
>>>>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>>>>
>>>>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>>>>> something?
>>>>>> Hello,
>>>>>>
>>>>>> it could be either a DNS configuration problem or an LDAP replication
>>>>>> problem.
>>>>>>
>>>>>> Please show us output from command:
>>>>>> $ ipa dnsforwardzone-show domain.eu
>>>>>> from all IPA servers you have.
>>>>>>
>>>>>> The output should be the same. If it is not the same then you are most
>>>>>> likely facing a replication problem, please see
>>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
-- 
Petr^2 Spacek
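The thread boils down to two checks: compare `ipa dnsforwardzone-show` output across all IPA servers to rule out a replication problem, and read named's log to find which upstream server is failing DNSSEC validation, so that the forwarder gets fixed instead of validation being switched off. The script below is an added example written for this archive page; it is not code from the thread or from the FreeIPA project. It assumes the BIND log shape `error (<reason>) resolving '<name/type/class>': <server>#<port>` quoted in the thread, and the reasons other than "insecurity proof failed" in `DNSSEC_REASONS` are assumed further DNSSEC-related failure strings. The ipa02 output is constructed to differ from ipa01 so the comparison has something to report; all function names are hypothetical.

```python
import re
from collections import defaultdict

# named logs resolver failures as "error (<reason>) resolving '<name/type/class>': <server>#<port>".
# "insecurity proof failed" is the reason quoted in the thread; the other entries in
# DNSSEC_REASONS are assumed to be the remaining DNSSEC validation failure strings.
VALIDATION_ERROR = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<query>[^']+)': (?P<server>\S+)#(?P<port>\d+)"
)
DNSSEC_REASONS = {"insecurity proof failed", "broken trust chain", "no valid RRSIG", "no valid DS"}

# Constructed sample of /var/named/data/named.run: the first two lines are from the thread,
# the rest are made up to show what is and is not counted.
SAMPLE_NAMED_RUN = [
    "validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure",
    "error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53",
    "error (broken trust chain) resolving 'www.domain.eu/A/IN': 10.0.157.35#53",
    "error (network unreachable) resolving 'example.org/AAAA/IN': 2001:db8::1#53",
    "client 10.0.0.5#51234: query: www.domain.eu IN A + (10.0.157.35)",
]


def dnssec_failures_by_server(lines):
    """Group DNSSEC validation failures by the upstream server that answered.

    Returns {server_ip: [(query, reason), ...]}. A forwarder that keeps showing up here
    is the one to check for its equivalent of "dnssec-enable yes;", rather than setting
    "dnssec-validation no;" on the IPA server.
    """
    failures = defaultdict(list)
    for line in lines:
        m = VALIDATION_ERROR.search(line)
        if m and m.group("reason") in DNSSEC_REASONS:
            failures[m.group("server")].append((m.group("query"), m.group("reason")))
    return dict(failures)


# Constructed outputs of "ipa dnsforwardzone-show domain.eu" on two servers. ipa01 matches
# the thread; ipa02 has been altered to be missing one forwarder so a difference is reported.
SAMPLE_FORWARDZONE_OUTPUT = {
    "ipa01": """\
[root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
  Zone name: domain.eu.
  Active zone: TRUE
  Zone forwarders: 194.65.3.20 195.65.3.21
  Forward policy: only
""",
    "ipa02": """\
[root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
  Zone name: domain.eu.
  Active zone: TRUE
  Zone forwarders: 194.65.3.20
  Forward policy: only
""",
}


def parse_forwardzone_show(text):
    """Turn the 'Key: value' lines of ipa dnsforwardzone-show into a dict.

    The shell prompt line is skipped. The forwarder list becomes a tuple because named
    tries forwarders in order, so the order is part of the configuration.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        fields[key] = tuple(value.split()) if key == "Zone forwarders" else value
    return fields


def forwardzone_differences(outputs):
    """Compare parsed dnsforwardzone-show output across servers.

    outputs: {server_name: raw command output}. Returns [(field, {server: value}), ...]
    for every field on which the servers disagree; an empty list means the zone definition
    replicated consistently and the fault is in DNS, not in LDAP replication.
    """
    parsed = {srv: parse_forwardzone_show(out) for srv, out in outputs.items()}
    fields = set().union(*(p.keys() for p in parsed.values()))
    diffs = []
    for field in sorted(fields):
        values = {srv: p.get(field) for srv, p in parsed.items()}
        if len(set(values.values())) > 1:
            diffs.append((field, values))
    return diffs


if __name__ == "__main__":
    for server, problems in dnssec_failures_by_server(SAMPLE_NAMED_RUN).items():
        print(f"forwarder {server}: {len(problems)} DNSSEC validation failure(s)")
        for query, reason in problems:
            print(f"  {query}: {reason}")
    for field, values in forwardzone_differences(SAMPLE_FORWARDZONE_OUTPUT):
        print(f"zone field '{field}' differs between servers: {values}")
```

On a real server, feed `dnssec_failures_by_server` the lines of `/var/named/data/named.run` and `forwardzone_differences` the output of `ipa dnsforwardzone-show <zone>` collected from each IPA server. Once the script names a forwarder, the direct check on that forwarder is `dig +dnssec @<forwarder> . DNSKEY`: a forwarder with its equivalent of "dnssec-enable yes;" returns RRSIG records alongside the DNSKEY set, and one that strips them is the kind of non-compliant forwarder the thread describes.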