[Freeipa-users] Error with DNS forwarding on replica.

Nuno Higgs ipa at border.nuneshiggs.com
Tue Jun 14 15:29:29 UTC 2016


Hello,

I am running CentOS7:

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

I configured my DNS forward when I did the install process of the secondary node of IPA:

[root at slave ~]#  ipa-replica-install --setup-ca --setup-dns --forwarder  10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg

Thanks,
Nuno

> On 14 Jun 2016, at 15:28, Petr Spacek <pspacek at redhat.com> wrote:
> 
> On 14.6.2016 13:01, Nuno Higgs wrote:
>> Hello,
>> 
>> Found it:
>> 
>> It appears that my forwarder is NOT DNSSEC happy:
>> 
>> in:  /var/named/data/named.run
>> 
>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>> 
>> So, I changed the /etc/named.conf
>> 
>> from:
>> 
>> 	dnssec-enable yes;
>> 	dnssec-validation yes;
>> 
>> to:
>> 
>> 	dnssec-enable yes;
>> 	dnssec-validation no;
>> 
>> Everything is working fine now.
> 
> Okay, it explains a lot.
> 
> Please note that configuration "dnssec-validation no;" lowers security bar for
> attackers and is strongly discouraged!
> 
> The issue is most likely caused by non-compliant forwarder which mangles DNS
> data somehow before they reach your IPA DNS server.
> 
> I would recommend you to check DNS forwarder on 10.0.157.35 and see if it is
> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
> returning back to "dnssec-validation yes;" after fixing the forwarder config.
> 
> IPA 4.3 or newer should print a warning about such broken forwarders whenever
> you try to configure them using IPA commands.
> 
> What version of IPA do you use?
> 
> How did you configure the forwarder in IPA?
> 
> Petr^2 Spacek
> 
>> 
>> Thanks for your help!
>> Nuno
>> 
>>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>> 
>>> Hello again,
>>> 
>>> [root at ipa01 ~]# kinit user
>>> Password for user at DOMAIN.LOCAL:
>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>> Zone name: domain.eu.
>>> Active zone: TRUE
>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>> Forward policy: only
>>> [root at ipa01 ~]#
>>> 
>>> 
>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>> Zone name: domain.eu.
>>> Active zone: TRUE
>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>> Forward policy: only
>>> [root at ipa02 ~]#
>>> 
>>> On both servers the return is the same.
>>> I haven't touched the DNS config besides deleting the zone and recreating
>>> it.
>>> 
>>> I am at a loss. What can be the issue here?
>>> 
>>> Thanks,
>>> Nuno
>>> 
>>> 
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: segunda-feira, 13 de junho de 2016 06:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>> 
>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>> Hello all,
>>>> 
>>>> 
>>>> 
>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to 
>>>> geographic replication.
>>>> 
>>>> 
>>>> 
>>>> I have added it as stated in the documentation here:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>> 
>>>> 
>>>> 
>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with 
>>>> success within the replica.
>>>> 
>>>> However there is a problem with the DNS sections:
>>>> 
>>>> 
>>>> 
>>>> Although DNS is ok, my configuration within IPA on the first server 
>>>> regarding DNS zones that are set on forward only are not.
>>>> 
>>>> In my first server, I can do a forward of domain - let's say 
>>>> domain.eu. On the second server (replica) the forward is shown 
>>>> configured correctly within the webgui but it does not work, giving 
>>>> an NX error on query www.domain.eu (the A Record exists and is shown 
>>>> on the first server). It also shows on dig on the replica 
>>>> (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>>>> 
>>>> 
>>>> 
>>>> I have deleted the zone on the master (and replica), and recreated it. 
>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>> 
>>>> 
>>>> 
>>>> Am I missing anything? Is there an undocumented trick, or have I missed 
>>>> something?
>>> 
>>> Hello,
>>> 
>>> it could be either a DNS configuration problem or an LDAP replication
>>> problem.
>>> 
>>> Please show us output from command:
>>> $ ipa dnsforwardzone-show domain.eu
>>> from all IPA servers you have.
>>> 
>>> The output should be the same. If it is not the same then you are most
>>> likely facing a replication problem, please see
>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>> 
>>> --
>>> Petr^2 Spacek
