[Freeipa-users] Error with DNS forwarding on replica.
Nuno Higgs
ipa at border.nuneshiggs.com
Tue Jun 14 11:01:56 UTC 2016
Hello,
Found it:
It appears that my forwarder is NOT DNSSEC happy:
in: /var/named/data/named.run
validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
So, I changed the /etc/named.conf
from:
dnssec-enable yes;
dnssec-validation yes;
to:
dnssec-enable yes;
dnssec-validation no;
Everything is working fine now.
Thanks for your help!
Nuno
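As an added example (not code from the thread or from FreeIPA), a small Python parser for the named.run validation errors quoted above, which groups them per forwarder so the failing upstream can be identified instead of turning validation off. The sample log lines are constructed in the quoted format; 10.0.157.35 is the forwarder from the thread, 10.0.157.36 and the timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample of /var/named/data/named.run lines, in the format quoted
# in the thread. 10.0.157.35 is the forwarder from the thread; 10.0.157.36 and
# the timestamps are made up for this example.
SAMPLE_LOG = """\
14-Jun-2016 10:55:01.123 dnssec: info: validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
14-Jun-2016 10:55:01.124 resolver: info: error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
14-Jun-2016 10:55:02.001 resolver: info: error (insecurity proof failed) resolving 'www.domain.eu/A/IN': 10.0.157.35#53
14-Jun-2016 10:55:03.500 resolver: info: error (no valid RRSIG) resolving 'example.test/A/IN': 10.0.157.36#53
14-Jun-2016 10:55:04.000 general: info: zone domain.eu/IN: loaded serial 1
"""

# BIND resolver error shape: "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>"
FAILURE_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/IN': (?P<server>\S+)#(?P<port>\d+)"
)


def parse_validation_failures(log_text):
    """Return one dict (reason, qname, qtype, server, port) per resolver error line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


def failures_by_forwarder(log_text):
    """Map 'server#port' -> {reason: count} so the broken upstream stands out."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in parse_validation_failures(log_text):
        counts[f["server"] + "#" + f["port"]][f["reason"]] += 1
    return {srv: dict(reasons) for srv, reasons in counts.items()}


def forwarders_failing_root_dnskey(log_text):
    """Forwarders through which even the root DNSKEY ('.') could not be validated.

    If '.' itself fails, the upstream is not passing DNSSEC data at all, so every
    validated lookup sent through it fails, not only one forwarded zone.
    """
    return sorted({f["server"] + "#" + f["port"]
                   for f in parse_validation_failures(log_text)
                   if f["qname"] == "." and f["qtype"] == "DNSKEY"})


if __name__ == "__main__":
    for srv, reasons in failures_by_forwarder(SAMPLE_LOG).items():
        print(srv, reasons)
    print("root DNSKEY unverifiable via:", forwarders_failing_root_dnskey(SAMPLE_LOG))
```

Note that `dnssec-validation no;` in named.conf switches validation off for every answer the server returns, not only for the forwarded zone; the per-forwarder breakdown points at the upstream that needs fixing instead.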
> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>
> Hello again,
>
> [root at ipa01 ~]# kinit user
> Password for user at DOMAIN.LOCAL:
> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
> Zone name: domain.eu.
> Active zone: TRUE
> Zone forwarders: 194.65.3.20 195.65.3.21
> Forward policy: only
> [root at ipa01 ~]#
>
>
> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
> Zone name: domain.eu.
> Active zone: TRUE
> Zone forwarders: 194.65.3.20 195.65.3.21
> Forward policy: only
> [root at ipa02 ~]#
>
> On both servers the return is the same.
> I haven't touched the DNS config besides deleting the zone and recreating
> it.
>
> I am at a loss. What can be the issue here?
>
> Thanks,
> Nuno
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, 13 June 2016 06:50
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>
> On 12.6.2016 20:47, Nuno Higgs wrote:
>> Hello all,
>>
>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>> geographic replication.
>>
>> I have added it as stated in the documentation here:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>
>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>> success within the replica.
>>
>> However there is a problem with the DNS sections:
>>
>> Although the DNS is ok, my configuration within IPA on the first server
>> regarding DNS zones that are set on forward only is not.
>>
>> In my first server, I can do a forward of domain - let's say domain.eu.
>> On the second server (replica) the forward is shown configured correctly
>> within the webgui but it does not work, giving an NX error on query
>> www.domain.eu (the A Record exists and is shown on the first server).
>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>> isn't a network permissions issue.
>>
>> I have deleted the zone on the master (and replica), and recreated it.
>> On the first server, it worked fine. On the replica the problem persisted.
>>
>> Am I missing anything? Is there an undocumented trick, or have I missed
>> something?
>
> Hello,
>
> it could be either a DNS configuration problem or an LDAP replication
> problem.
>
> Please show us output from command:
> $ ipa dnsforwardzone-show domain.eu
> from all IPA servers you have.
>
> The output should be the same. If it is not the same then you are most
> likely facing a replication problem, please see
> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project