[Freeipa-users] Error with DNS forwarding on replica.
Nuno Higgs
ipa at border.nuneshiggs.com
Tue Jun 14 15:29:29 UTC 2016
Hello,
I am running CentOS7:
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
I configured my DNS forwarder when I did the install process of the secondary node of IPA:
[root at slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
Thanks,
Nuno
> On 14 Jun 2016, at 15:28, Petr Spacek <pspacek at redhat.com> wrote:
>
> On 14.6.2016 13:01, Nuno Higgs wrote:
>> Hello,
>>
>> Found it:
>>
>> It appears that my forwarder is NOT DNSSEC happy:
>>
>> in: /var/named/data/named.run
>>
>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>
>> So, i changed the /etc/named.conf
>>
>> from:
>>
>> dnssec-enable yes;
>> dnssec-validation yes;
>>
>> to:
>>
>> dnssec-enable yes;
>> dnssec-validation no;
>>
>> Everything is working fine now.
>
> Okay, it explains a lot.
>
> Please note that the configuration "dnssec-validation no;" lowers the security bar for
> attackers and is strongly discouraged!
>
> The issue is most likely caused by a non-compliant forwarder which mangles DNS
> data somehow before it reaches your IPA DNS server.
>
> I would recommend you check the DNS forwarder on 10.0.157.35 and see whether it is
> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
> returning to "dnssec-validation yes;" after fixing the forwarder config.
>
> IPA 4.3 or newer should print a warning about such broken forwarders whenever
> you try to configure them using IPA commands.
>
> What version of IPA do you use?
>
> How did you configure the forwarder in IPA?
>
> Petr^2 Spacek
>
>>
>> Thanks for your help!
>> Nuno
>>
>>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>>
>>> Hello again,
>>>
>>> [root at ipa01 ~]# kinit user
>>> Password for user at DOMAIN.LOCAL:
>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>> Zone name: domain.eu.
>>> Active zone: TRUE
>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>> Forward policy: only
>>> [root at ipa01 ~]#
>>>
>>>
>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>> Zone name: domain.eu.
>>> Active zone: TRUE
>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>> Forward policy: only
>>> [root at ipa02 ~]#
>>>
>>> On both servers the return is the same.
>>> I haven't touched the DNS config besides deleting the zone and recreating
>>> it.
>>>
>>> I am at a loss. What can be the issue here?
>>>
>>> Thanks,
>>> Nuno
>>>
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: Monday, 13 June 2016 06:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>
>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>> Hello all,
>>>>
>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA for
>>>> geographic replication.
>>>>
>>>> I have added it as stated in the documentation here:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>
>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>>> success within the replica.
>>>>
>>>> However there is a problem with the DNS sections:
>>>>
>>>> Although DNS is OK, my configuration within IPA on the first server
>>>> regarding DNS zones that are set to forward only is not.
>>>>
>>>> In my first server, I can do a forward of a domain - let's say
>>>> domain.eu. On the second server (replica) the
>>>> forward is shown configured correctly within the webgui but it does
>>>> not work, giving an NX error on query
>>>> www.domain.eu (the A Record exists and is shown on the first server).
>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>>> isn't a network permissions issue.
>>>>
>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>
>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>> something?
>>>
>>> Hello,
>>>
>>> it could be either a DNS configuration problem or an LDAP replication
>>> problem.
>>>
>>> Please show us the output from the command:
>>> $ ipa dnsforwardzone-show domain.eu
>>> from all IPA servers you have.
>>>
>>> The output should be the same. If it is not the same then you are most
>>> likely facing a replication problem, please see
>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>
>>> --
>>> Petr^2 Spacek
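As an added example (not code from the thread or from FreeIPA), a small Python check for the two symptoms discussed above: the "dnssec-validation no;" workaround in named.conf, and the validation errors in named.run that name the forwarder responsible. The config and log excerpts are constructed, modelled on what the thread quotes.

```python
import re

# Constructed options block modelled on the /etc/named.conf change in the thread.
NAMED_CONF = """\
options {
    forwarders { 10.0.157.35; };
    forward only;
    dnssec-enable yes;
    dnssec-validation no;
};
"""

# Constructed named.run excerpt: first two lines as quoted in the thread,
# the last two are a made-up second failure from the same forwarder.
NAMED_RUN = """\
validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
validating @0x7f2c40044910: example.com SOA: no valid signature found
error (no valid RRSIG) resolving 'example.com/SOA/IN': 10.0.157.35#53
"""

VALIDATION_RE = re.compile(r"^\s*dnssec-validation\s+(yes|no|auto)\s*;", re.M)
FAILURE_RE = re.compile(
    r"^error \((?P<reason>[^)]*)\) resolving '(?P<name>[^']*)': (?P<server>[^#\s]+)#\d+"
)

def validation_setting(conf: str) -> str:
    """Return the dnssec-validation value from named.conf, or 'unset' if absent."""
    match = VALIDATION_RE.search(conf)
    return match.group(1) if match else "unset"

def validation_failures(log: str) -> dict[str, list[str]]:
    """Group BIND 'error (...) resolving' lines by the upstream server that answered."""
    failures: dict[str, list[str]] = {}
    for line in log.splitlines():
        match = FAILURE_RE.match(line)
        if match:
            failures.setdefault(match["server"], []).append(
                f"{match['reason']} ({match['name']})"
            )
    return failures

def audit(conf: str, log: str) -> list[str]:
    """Findings a defender wants: validation switched off, and which forwarder broke it."""
    findings = []
    if validation_setting(conf) == "no":
        findings.append("dnssec-validation is off: answers from the forwarder are trusted unverified")
    for server, errors in validation_failures(log).items():
        findings.append(f"forwarder {server}: {len(errors)} failed validation(s): " + "; ".join(errors))
    return findings
```

Run `audit(open("/etc/named.conf").read(), open("/var/named/data/named.run").read())` on a real replica to get the same two findings for that host.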