[Freeipa-users] DNSSEC A, AAAA Records

Petr Spacek pspacek at redhat.com
Fri Jun 10 13:26:39 UTC 2016


On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> Hello,
> 
> On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> Can anyone help me clear up a question about DNSSEC, NSEC3?
>>>
>>> I have a domain created with BIND and DNSSEC and NSEC3. I test this domain
>>> and others, not my domain, with
>>>
>>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>>
>>> This site from Verisign tells me I have everything secure, and also the A, AAAA
>>> records
>>>
>>> FreeIPA 4.3.1 Centos 7.2
> 
> I mean with FreeIPA 4.2 I have A or AAAA records, but someone from the list
> tells me 4.3.1 is the better version for DNSSEC?
>
>>> But when I test my IPA created domain
>>> http://dnsviz.net/d/4gjn.com/dnssec/
>>>
>>> I miss the A, AAAA Records
>>>
>>> Can this be correct?
>>>
>>> Thanks for an answer
>>
>> Hello,
>> have you configured A and AAAA records in the zone apex of '4gjn.com'?
> 
> Yes, I have configured A, AAAA records, but is something wrong with the zone
> file? When I look at my secondary DNS, which is a PDNS, I find totally
> different entries for esslmaier.at and my 4gjn.com.
> 
>  
>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results, but for `dig
>> +dnssec 4gjn.com. A` it looks like there are no A/AAAA records.
> Yes I wrote this before but I have no answer, what I can do :-(.
>  
>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
> 
> this is all !!!
> 
> [root@ipa ~]# ipa dnsrecord-show 4gjn.com. @
>   Datensatzname: @
>   MX record: 10 smtp.4gjn.com.
>   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., 
> ns1.gratisdns.dk.
>   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:
> 8f1::223
>               ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
> 
>  ipa dnsrecord-show 4gjn.com. AAAA
> ipa: ERROR: AAAA: DNS resource record nicht gefunden
> 
> Is this an LDAP problem?

Apparently you do not have any A/AAAA records defined in IPA. Add some and you
will see :-)

Speaking of IPA versions, yes, the latest IPA 4.3.2 is the best you can get for
DNSSEC. There are many bugs in older versions.

-- 
Petr^2 Spacek



