[Freeipa-users] Error with DNS forwarding on replica.

Petr Spacek pspacek at redhat.com
Tue Jun 14 14:28:38 UTC 2016


On 14.6.2016 13:01, Nuno Higgs wrote:
> Hello,
> 
> Found it:
> 
> It appears that my forwarder is NOT DNSSEC happy:
> 
> in:  /var/named/data/named.run
> 
> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
> 
> So, i changed the /etc/named.conf 
> 
> from:
> 
> 	dnssec-enable yes;
> 	dnssec-validation yes;
> 
> to:
> 
> 	dnssec-enable yes;
> 	dnssec-validation no;
> 
> Everything is working fine now.

Okay, it explains a lot.

Please note that the configuration "dnssec-validation no;" lowers the security bar for
attackers and is strongly discouraged!

The issue is most likely caused by a non-compliant forwarder which somehow mangles DNS
data before it reaches your IPA DNS server.

I would recommend that you check the DNS forwarder on 10.0.157.35 and see that it is
configured with its equivalent of "dnssec-enable yes;". I strongly recommend
going back to "dnssec-validation yes;" after fixing the forwarder config.

IPA 4.3 or newer should print a warning about such broken forwarders whenever
you try to configure them using IPA commands.

What version of IPA do you use?

How did you configure the forwarder in IPA?

Petr^2 Spacek

> 
> Thanks for your help!
> Nuno
> 
>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>
>> Hello again,
>>
>> [root@ipa01 ~]# kinit user
>> Password for user@DOMAIN.LOCAL:
>> [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>  Zone name: domain.eu.
>>  Active zone: TRUE
>>  Zone forwarders: 194.65.3.20 195.65.3.21
>>  Forward policy: only
>> [root@ipa01 ~]#
>>
>>
>> [root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>  Zone name: domain.eu.
>>  Active zone: TRUE
>>  Zone forwarders: 194.65.3.20 195.65.3.21
>>  Forward policy: only
>> [root@ipa02 ~]#
>>
>> On both servers the return is the same.
>> I haven't touched the DNS config besides deleting the zone and recreating
>> it.
>>
>> I am at a loss. What can be the issue here?
>>
>> Thanks,
>> Nuno
>>
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: segunda-feira, 13 de junho de 2016 06:50
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>
>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>> Hello all,
>>>
>>> I have an IPA server - IPA 4.2 - and I have added a new IPA for
>>> geographic replication.
>>>
>>> I have added it as stated in the documentation here:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>
>>> All was replicated correctly, and I can do a kinit user@DOMAIN with
>>> success within the replica.
>>>
>>> However there is a problem with the DNS sections:
>>>
>>> Although DNS is OK, my configuration within IPA on the first server
>>> regarding DNS zones that are set to forward only is not.
>>>
>>> In my first server, I can do a forward of a domain - let's say
>>> domain.eu. On the second server (replica) the
>>> forward is shown configured correctly within the web GUI but it does
>>> not work, giving an NX error on query www.domain.eu (the A record
>>> exists and is shown on the first server).
>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>> isn't a network permissions issue.
>>>
>>> I have deleted the zone on the master (and replica), and recreated it.
>>> On the first server, it worked fine. On the replica the problem persisted.
>>>
>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>> something?
>>
>> Hello,
>>
>> it could be either a DNS configuration problem or an LDAP replication
>> problem.
>>
>> Please show us output from command:
>> $ ipa dnsforwardzone-show domain.eu
>> from all IPA servers you have.
>>
>> The output should be the same. If it is not the same then you are most
>> likely facing a replication problem, please see
>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>
>> --
>> Petr^2 Spacek
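The forwarder check Petr asks for, as an added example that is not part of the thread and not IPA's own forwarder test: a small POSIX sh script that queries the root DNSKEY RRset through a forwarder with the DO bit set and checking disabled, then decides from the dig transcript whether the forwarder kept the DO flag and the RRSIG records. The `dnssec_ok` and `check_forwarder` function names, the dig options used, and the two abridged dig transcripts (constructed, with key material replaced by "...") are assumptions of this example; the address 10.0.157.35 is the forwarder from the named.run log above.

```shell
#!/bin/sh
# Added example, not from the thread: decide from dig output whether a
# forwarder passes DNSSEC data through intact. A forwarder that is not
# DNSSEC-aware typically drops the EDNS DO flag from its reply and strips
# the RRSIG records, which is what makes a validating resolver behind it
# fail with "insecurity proof failed" when it asks for ./DNSKEY.

# Reads one dig(1) transcript on stdin. Returns 0 when the reply both
# carries the DO flag in its EDNS pseudosection and contains an RRSIG
# covering the DNSKEY RRset; returns 1 otherwise.
dnssec_ok() {
    reply=$(cat)
    printf '%s\n' "$reply" | grep -q '^; EDNS: version: 0, flags: do' || return 1
    printf '%s\n' "$reply" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]+DNSKEY' || return 1
    return 0
}

# Asks the forwarder directly for the root DNSKEY RRset with DO set
# (+dnssec) and checking disabled (+cd), so the forwarder hands back
# whatever it has rather than refusing because its own validation failed.
# Returns dnssec_ok's status for that reply.
check_forwarder() {
    dig @"$1" . DNSKEY +dnssec +cd +time=3 +tries=1 2>/dev/null | dnssec_ok
}

# Constructed sample transcript of a DNSSEC-aware forwarder (abridged).
GOOD_REPLY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
.        172800  IN  DNSKEY  256 3 8 ...
.        172800  IN  DNSKEY  257 3 8 ...
.        172800  IN  RRSIG   DNSKEY 8 0 172800 ... . ...
EOF
)

# Constructed sample transcript of the same query through a forwarder that
# is not DNSSEC-aware: DO flag gone from the reply, RRSIG gone from the answer.
BAD_REPLY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
.        172800  IN  DNSKEY  256 3 8 ...
.        172800  IN  DNSKEY  257 3 8 ...
EOF
)

# Usage: sh check-forwarder.sh 10.0.157.35
if [ -n "${1:-}" ]; then
    if check_forwarder "$1"; then
        echo "$1: DNSSEC data passes through; keep dnssec-validation yes;"
    else
        echo "$1: DO flag or RRSIGs missing; fix the forwarder before re-enabling validation"
    fi
fi
```

Run it against each forwarder listed in named.conf or in `ipa dnsforwardzone-show` output. A forwarder that fails the check will keep producing the "got insecure response; parent indicates it should be secure" errors once `dnssec-validation yes;` is restored, so fix or replace it first rather than leaving validation off.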



