[Freeipa-users] DNSSEC A, AAAA Records

Martin Basti mbasti at redhat.com
Fri Jun 10 16:23:34 UTC 2016



On 10.06.2016 18:14, Günther J. Niederwimmer wrote:
> On Friday, 10 June 2016, 18:01:32 CEST, Martin Basti wrote:
>> On 10.06.2016 17:33, Günther J. Niederwimmer wrote:
>>> On Friday, 10 June 2016, 15:26:39 CEST, Petr Spacek wrote:
>>>> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> On Friday, 10 June 2016, 10:12:50 CEST, Martin Basti wrote:
>>>>>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> can anyone help me clear up a question about DNSSEC and NSEC3?
>>>>>>>
>>>>>>> I have a domain created with bind, DNSSEC and NSEC3. I test this
>>>>>>> domain and another one, not my domain, with
>>>>>>>
>>>>>>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>>>>>>
>>>>>>> This site from Verisign tells me I have everything secure and also the A,
>>>>>>> AAAA records
>>>>>>>
>>>>>>> FreeIPA 4.3.1 Centos 7.2
>>>>> I mean, with FreeIPA 4.2 I have A or AAAA records, but someone from the
>>>>> list told me 4.3.1 is the better version for DNSSEC?
>>>>>
>>>>>>> But when I test my IPA created domain
>>>>>>> http://dnsviz.net/d/4gjn.com/dnssec/
>>>>>>>
>>>>>>> I miss the A, AAAA Records
>>>>>>>
>>>>>>> can this be correct ?
>>>>>>>
>>>>>>> Thanks for an answer
>>>>>> Hello,
>>>>>> have you configured A and AAAA records in the zone apex of '4gjn.com'?
>>>>> Yes, I have configured A and AAAA records, but is something wrong with the
>>>>> zone file? When I look at my secondary DNS (this is a PDNS), I find totally
>>>>> different entries for esslmaier.at and my 4gjn.com.
>>>>>
>>>>>> I can `dig +dnssec ipa.4gjn.com. A`  with DNSSEC results but for `dig
>>>>>> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.
>>>>> Yes, I wrote this before but got no answer about what I can do :-(.
>>>>>
>>>>>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
>>>>> This is all!!!
>>>>>
>>>>> [root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
>>>>>
>>>>>     Datensatzname: @
>>>>>     MX record: 10 smtp.4gjn.com.
>>>>>     NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
>>>>>     TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 ?include:gjn.priv.at -all"
>>>>>
>>>>> ipa dnsrecord-show 4gjn.com. AAAA
>>>>>
>>>>> ipa: ERROR: AAAA: DNS resource record nicht gefunden
>>>>>
>>>>> Is this an LDAP problem?
>>>> Apparently you do not have any A/AAAA records defined in IPA. Add some and
>>>> you will see :-)
>>> NO ;-( I have configured all my servers with A and AAAA records?
>> But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
>> one contains A/AAAA records.
>>
>> 4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA
>> records by default, unless you manually added them there.
> When I run ipa dnsrecord-show,
>
> I miss the RRSIG record?
>
> ipa dnsrecord-show
> Datensatzname: ipa
> Zonenname: 4gjn.com
>    Datensatzname: ipa
>    A record: 89.26.XXX.6
>    AAAA record: 2001:470:6f:XXX::204
>    SSHFP record: 1 1 96CEB1FC971F7916A37D7327DEBD97FAE0B19CDE, 3 2 59ED122BF99D4B149A17B159EF18A277DC0001BE66C14BBDDBF108FB05763604, 1 2 537DEA114D6232F6698D3B8B940091AE8AE159146764B073B8B777558E8789A0, 3 1 02614298C6F2CCF1F2F9BF8FA8A3267589E1FE1B
>
RRSIG records are not stored in LDAP; they are dynamically generated on the
named server for each record, so ipa commands cannot show them. You must use

dig +dnssec @ipaserveraddress ipa.4gjn.com. A

Martin

>
>>>> Speaking of IPA versions, yes, the latest IPA 4.3.2 is the best you can get
>>>> for DNSSEC. There are many bugs in older versions.
>>> I have IPA 4.3.1. I mean, you told me this about the bugs, but I can't find
>>> 4.3.2
>>>
>>> I have this Repo
>>>
>>> group_freeipa-freeipa-4-3-centos-7-epel-7.repo
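As an added example (not code from this thread or from FreeIPA), a small Python check that reads `dig +dnssec` output and reports which RRsets lack a covering RRSIG, which is exactly the check `ipa dnsrecord-show` cannot make because RRSIGs never reach LDAP. The dig output below is constructed: the names follow the thread, the addresses are documentation prefixes and the signature is shortened.

```python
"""Check that every RRset in a `dig +dnssec` answer section has a covering
RRSIG. Added example, not code from the thread or from FreeIPA."""

# Constructed sample output (not captured from the thread's servers): the
# signature field is shortened and the addresses are documentation prefixes.
# It mimics `dig +dnssec @ipaserveraddress ipa.4gjn.com. A`.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
ipa.4gjn.com.\t86400\tIN\tA\t192.0.2.6
ipa.4gjn.com.\t86400\tIN\tRRSIG\tA 8 3 86400 20160710000000 20160610000000 12345 4gjn.com. AbCdEf==
ipa.4gjn.com.\t86400\tIN\tAAAA\t2001:db8::204

;; AUTHORITY SECTION:
4gjn.com.\t86400\tIN\tNS\tipa.4gjn.com.
"""


def parse_answer_section(text):
    """Return (owner, rtype, rdata) tuples from the ANSWER section only."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer
            in_answer = False
        if not in_answer or not line.strip():
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner, rtype, rdata))
    return records


def dnssec_report(text):
    """Map each signed RRset to its signer zone and list RRsets with no RRSIG.

    This is the check `ipa dnsrecord-show` can never make: RRSIGs are
    produced by named at serve time and never stored in LDAP.
    """
    records = parse_answer_section(text)
    rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
    signed = {}
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered alg labels ttl expire incept keytag signer sig
            fields = rdata.split()
            signed[(owner, fields[0])] = fields[7]
    return {"signed": signed, "unsigned": sorted(rrsets - set(signed))}
```

An empty "unsigned" list for the zone apex and for the host name is what a correctly signed IPA zone should give; an "unsigned" entry points at the record named, not at LDAP.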