[Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

Dan.Finkelstein at high5games.com Dan.Finkelstein at high5games.com
Fri Jul 15 18:45:03 UTC 2016


There was a solution: explicitly disable DNSSEC in /etc/named.conf on all IPA masters/replicas and restart the named-pkcs11 service. After that, zone forwarding worked as expected.

Thanks,
Dan

Daniel Alex Finkelstein| Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com<mailto:Dan.Finkelstein at h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
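
As an added diagnostic (not part of Dan's mails or of FreeIPA itself), the following POSIX shell script separates a DNSSEC validation failure of the kind `ipa dnsforwardzone-add` reported from a plain forwarding problem, by asking an IPA DNS server for the zone's SOA with and without the CD (checking disabled) bit; the server address and zone name are arguments, and the `dig` header line used in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. A validating resolver answers SERVFAIL when
# an answer fails DNSSEC validation; the same query with +cd bypasses validation.
#   plain SERVFAIL, +cd NOERROR  -> the answer is rejected by validation
#   both SERVFAIL                -> forwarder unreachable or upstream failure
#   plain NOERROR                -> resolution and validation both fine
# Constructed dig header for reference:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242

# rcode_of: print the RCODE ("status: X") found in dig output read from stdin
rcode_of() {
    sed -n 's/^.*status: \([A-Z]*\),.*$/\1/p' | head -n 1
}

# verdict PLAIN_RCODE CD_RCODE: classify the pair of results
verdict() {
    plain=$1
    cd=$2
    if [ "$plain" = "NOERROR" ]; then
        echo "ok"
    elif [ "$plain" = "SERVFAIL" ] && [ "$cd" = "NOERROR" ]; then
        echo "dnssec-validation-failure"
    else
        echo "upstream-or-forwarding-failure"
    fi
}

# check_zone SERVER ZONE: run both queries against one IPA DNS server and report
check_zone() {
    server=$1
    zone=$2
    plain=$(dig @"$server" "$zone" SOA +time=2 +tries=1 | rcode_of)
    cd=$(dig @"$server" "$zone" SOA +cd +time=2 +tries=1 | rcode_of)
    printf '%s %s %s\n' "$server" "$zone" "$(verdict "$plain" "$cd")"
}

# Usage (repeat for every IPA master/replica, as the warning names one server):
#   check_zone 10.55.10.31 example2.com.
```

Note that `dnssec-validation no;` in the `options` block of named.conf is a server-wide setting, so after the fix above the IPA servers stop validating every answer they forward or resolve recursively, not just the forward zone; serving the zones IPA itself hosts is a matter of signing, not validation, and is unaffected.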

From: <freeipa-users-bounces at redhat.com> on behalf of Daniel Finkelstein <Dan.Finkelstein at high5games.com>
Date: Friday, July 15, 2016 at 12:10
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

To give this a little more context, I've tried this:

[root at ipa ~]# ipa dnsforwardzone-add example2.com. --forwarder=10.55.10.151 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'example2.com. SOA' failed DNSSEC validation on server 10.55.10.31.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.
  Zone name: example2.com.
  Active zone: TRUE
  Zone forwarders: 10.55.10.151
  Forward policy: only

We don't care about DNSSEC validation on the forwarded zone, but we do on the zones that IPA is authoritative for.

Thanks,
Dan


From: <freeipa-users-bounces at redhat.com> on behalf of Daniel Finkelstein <Dan.Finkelstein at high5games.com>
Date: Friday, July 15, 2016 at 11:20
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

Hi all,
I'm trying to follow the directions (and cautions) from here: http://www.freeipa.org/page/V4/Forward_zones, but when I add a new zone (example2.com) and a forwarding address and set the zone to forward-only, no records are returned for hosts like, say, testhost.example2.com. The NS record for the domain is the authoritative nameserver for the example2.com domain (which belongs to someone else), so we don't know why it doesn't return records whereas direct queries against the remote nameserver work fine.

Any help with the configuration would be appreciated.

Thanks,
Dan
