[Freeipa-users] Error with DNS forwarding on replica.
Petr Spacek
pspacek at redhat.com
Tue Jun 14 14:28:38 UTC 2016
On 14.6.2016 13:01, Nuno Higgs wrote:
> Hello,
>
> Found it:
>
> It appears that my forwarder is NOT DNSSEC happy:
>
> in: /var/named/data/named.run
>
> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>
> So, i changed the /etc/named.conf
>
> from:
>
> dnssec-enable yes;
> dnssec-validation yes;
>
> to:
>
> dnssec-enable yes;
> dnssec-validation no;
>
> Everything is working fine now.
Okay, it explains a lot.
Please note that the configuration "dnssec-validation no;" lowers the security bar for
attackers and is strongly discouraged!
The issue is most likely caused by a non-compliant forwarder which mangles DNS
data somehow before it reaches your IPA DNS server.
I would recommend that you check the DNS forwarder on 10.0.157.35 and see whether it is
configured with its equivalent of "dnssec-enable yes;". I strongly recommend
going back to "dnssec-validation yes;" after fixing the forwarder config.
IPA 4.3 or newer should print a warning about such broken forwarders whenever
you try to configure them using IPA commands.
What version of IPA do you use?
How did you configure the forwarder in IPA?
Petr^2 Spacek
>
> Thanks for your help!
> Nuno
>
>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>
>> Hello again,
>>
>> [root at ipa01 ~]# kinit user
>> Password for user at DOMAIN.LOCAL:
>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>> Zone name: domain.eu.
>> Active zone: TRUE
>> Zone forwarders: 194.65.3.20 195.65.3.21
>> Forward policy: only
>> [root at ipa01 ~]#
>>
>>
>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>> Zone name: domain.eu.
>> Active zone: TRUE
>> Zone forwarders: 194.65.3.20 195.65.3.21
>> Forward policy: only
>> [root at ipa02 ~]#
>>
>> On both servers the return is the same.
>> I haven't touched the DNS config besides deleting the zone and recreating
>> it.
>>
>> I am at a loss. What can be the issue here?
>>
>> Thanks,
>> Nuno
>>
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: Monday, 13 June 2016 06:50
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>
>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>> Hello all,
>>>
>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>> geographic replication.
>>>
>>> I have added it as stated in the documentation here:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>
>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>> success within the replica.
>>>
>>> However there is a problem with the DNS sections:
>>>
>>> Although DNS is ok, my configuration within IPA on the first server
>>> regarding DNS zones that are set on forward only are not.
>>>
>>> In my first server, I can do a forward of domain - let's say
>>> domain.eu. On the second server (replica) the
>>> forward is shown configured correctly within the webgui but it does
>>> not work, giving an NX error on query www.domain.eu
>>> (the A Record exists and is shown on the first server).
>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>> isn't a network permissions issue.
>>>
>>> I have deleted the zone on the master (and replica), and recreated it.
>>> On the first server, it worked fine. On the replica the problem persisted.
>>>
>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>> something?
>>
>> Hello,
>>
>> it could be either a DNS configuration problem or an LDAP replication
>> problem.
>>
>> Please show us output from command:
>> $ ipa dnsforwardzone-show domain.eu
>> from all IPA servers you have.
>>
>> The output should be the same. If it is not the same then you are most
>> likely facing a replication problem, please see
>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>
>> --
>> Petr^2 Spacek
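As an added example (not part of the thread or of FreeIPA), the snippet below does the forwarder check Petr suggests: it classifies the answer a forwarder gives to a DNSKEY query with the DO bit set, which is what BIND's validator needs from 10.0.157.35 before "dnssec-validation yes;" can work. The forwarder address and the two dig transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. A DNSSEC-aware forwarder answers a
# "dig +dnssec" query with RRSIG records and, if it validates itself, sets
# the "ad" flag. A forwarder that strips RRSIGs is what makes the IPA
# resolver log "insecurity proof failed" for ./DNSKEY.

# Classify dig output read from stdin. Prints one of:
#   validating  - RRSIG present and "ad" flag set (forwarder validates)
#   passthrough - RRSIG present, no "ad" flag (usable; IPA validates itself)
#   broken      - no RRSIG at all (forwarder mangles DNSSEC data)
# Exit status is 1 only for "broken", so it can be used in an if.
classify_forwarder() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'IN[[:space:]]\{1,\}RRSIG'; then
        echo broken
        return 1
    fi
    # Look for "ad" only inside the flags list, before the first ';'.
    if printf '%s\n' "$out" | grep -q '^;; flags:[^;]* ad[ ;]'; then
        echo validating
    else
        echo passthrough
    fi
    return 0
}

# Live use against a forwarder (replace the placeholder address):
#   dig +dnssec @10.0.157.35 . DNSKEY | classify_forwarder

# Constructed, abbreviated dig transcripts used for the self-test below.
GOOD_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
.   3600  IN  DNSKEY  257 3 8 AwEAA...
.   3600  IN  DNSKEY  256 3 8 AwEAA...
.   3600  IN  RRSIG   DNSKEY 8 0 172800 20160627000000 20160613000000 19036 . abc...'

BAD_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
.   3600  IN  DNSKEY  257 3 8 AwEAA...
.   3600  IN  DNSKEY  256 3 8 AwEAA...'
```

A forwarder classified as "broken" needs its own DNSSEC setting fixed before re-enabling validation on the IPA server; "passthrough" is enough for IPA to validate on its own.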