[Freeipa-users] Error with DNS forwarding on replica.

Nuno Higgs ipa at border.nuneshiggs.com
Tue Jun 14 11:01:56 UTC 2016 

Hello,

Found it:

It appears that my forwarder is NOT DNSSEC happy:

in:  /var/named/data/named.run

validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53

So, i changed the /etc/named.conf 

from:

	dnssec-enable yes;
	dnssec-validation yes;

to:

	dnssec-enable yes;
	dnssec-validation no;

Everything is working fine now.

Thanks for your help!
Nuno

> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
> 
> Hello again,
> 
> [root at ipa01 ~]# kinit user
> Password for user at DOMAIN.LOCAL:
> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>  Zone name: domain.eu.
>  Active zone: TRUE
>  Zone forwarders: 194.65.3.20 195.65.3.21
>  Forward policy: only
> [root at ipa01 ~]#
> 
> 
> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>  Zone name: domain.eu.
>  Active zone: TRUE
>  Zone forwarders: 194.65.3.20 195.65.3.21
>  Forward policy: only
> [root at ipa02 ~]#
> 
> On both servers the return is the same.
> I haven't touched the DNS config besides deleting the zone and recreating
> it.
> 
> I am at a loss. What can be the issue here?
> 
> Thanks,
> Nuno
> 
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: segunda-feira, 13 de junho de 2016 06:50
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
> 
> On 12.6.2016 20:47, Nuno Higgs wrote:
>> Hello all,
>> 
>> 
>> 
>> I have a IPA server - IPA 4.2 - and i have added a new IPA to 
>> geographic replication.
>> 
>> 
>> 
>> I have added it as stated in the documentation here:
>> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu
>> x/7/ht 
>> ml/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-
>> replic
>> a.html#replica-install-with-dns>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux
>> /7/htm 
>> l/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-r
>> eplica
>> .html#replica-install-with-dns
>> 
>> 
>> 
>> All was replicated correctly, and i can do a kinit user at DOMAIN with 
>> success within the replica.
>> 
>> However there is a problem with the DNS sections:
>> 
>> 
>> 
>> Although it DNS is ok, my configuration within IPA on the first server 
>> regarding DNS zones that are set on forward only are not.
>> 
>> In my first server, i can do a forward of domain - let's say 
>> <http://domain.eu> domain.eu. On the second server (replica) the 
>> forward is shown configured correctly within the webgui but it does 
>> not work, giving a NX error on query  <http://www.domain.eu> 
>> www.domain.eu (the A Record exists and is shown on the first server). 
>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
> isn't a network permissions issue.
>> 
>> 
>> 
>> I have deleted the zone on the master (and replica), and recreated it. 
>> On the first server, it worked fine. On the replica the problem persisted.
>> 
>> 
>> 
>> Am I missing anything? Is there a undocumented trick, or have i missed 
>> something?
> 
> Hello,
> 
> it could be either a DNS configuration problem or a LDAP replication
> problem.
> 
> Please show us output from command:
> $ ipa dnsforwardzone-show domain.eu
> from all IPA servers you have.
> 
> The output should be the same. If it is not the same then you are most
> likely facing an replication problem, please see
> http://www.freeipa.org/page/Troubleshooting#Replication_issues
> 
> --
> Petr^2 Spacek
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160614/1128621f/attachment.htm>

More information about the Freeipa-users mailing list