[Freeipa-users] Error with DNS forwarding on replica.

Petr Spacek pspacek at redhat.com
Wed Jun 15 06:45:15 UTC 2016


On 14.6.2016 17:29, Nuno Higgs wrote:
> Hello,
> 
> I am running CentOS7:
> 
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> I configured my DNS forward when I did the install process of the secondary node of IPA:
> 
> [root at slave ~]#  ipa-replica-install --setup-ca --setup-dns --forwarder  10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg

Interesting, 4.2.0 should have checks to detect this problem.

Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?

It should be something like
"DNS server <IP address> does not support DNSSEC"

Thanks.

Petr^2 Spacek


> 
> Thanks,
> Nuno
> 
>> On 14 Jun 2016, at 15:28, Petr Spacek <pspacek at redhat.com> wrote:
>>
>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>> Hello,
>>>
>>> Found it:
>>>
>>> It appears that my forwarder is NOT DNSSEC happy:
>>>
>>> in:  /var/named/data/named.run
>>>
>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>
>>> So, i changed the /etc/named.conf 
>>>
>>> from:
>>>
>>> 	dnssec-enable yes;
>>> 	dnssec-validation yes;
>>>
>>> to:
>>>
>>> 	dnssec-enable yes;
>>> 	dnssec-validation no;
>>>
>>> Everything is working fine now.
>>
>> Okay, it explains a lot.
>>
>> Please note that the configuration "dnssec-validation no;" lowers the security bar for
>> attackers and is strongly discouraged!
>>
>> The issue is most likely caused by a non-compliant forwarder which mangles DNS
>> data somehow before it reaches your IPA DNS server.
>>
>> I would recommend you check the DNS forwarder on 10.0.157.35 and see whether it is
>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>> returning to "dnssec-validation yes;" after fixing the forwarder config.
>>
>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>> you try to configure them using IPA commands.
>>
>> What version of IPA do you use?
>>
>> How did you configure the forwarder in IPA?
>>
>> Petr^2 Spacek
>>
>>>
>>> Thanks for your help!
>>> Nuno
>>>
>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>>>
>>>> Hello again,
>>>>
>>>> [root at ipa01 ~]# kinit user
>>>> Password for user at DOMAIN.LOCAL:
>>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>> Zone name: domain.eu.
>>>> Active zone: TRUE
>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>> Forward policy: only
>>>> [root at ipa01 ~]#
>>>>
>>>>
>>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>> Zone name: domain.eu.
>>>> Active zone: TRUE
>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>> Forward policy: only
>>>> [root at ipa02 ~]#
>>>>
>>>> On both servers the return is the same.
>>>> I haven't touched the DNS config besides deleting the zone and recreating
>>>> it.
>>>>
>>>> I am at a loss. What can be the issue here?
>>>>
>>>> Thanks,
>>>> Nuno
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>> Sent: segunda-feira, 13 de junho de 2016 06:50
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>
>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>> Hello all,
>>>>>
>>>>>
>>>>>
>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to 
>>>>> geographic replication.
>>>>>
>>>>>
>>>>>
>>>>> I have added it as stated in the documentation here:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>
>>>>>
>>>>>
>>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with 
>>>>> success within the replica.
>>>>>
>>>>> However there is a problem with the DNS sections:
>>>>>
>>>>>
>>>>>
>>>>> Although the DNS is ok, my configuration within IPA on the first server 
>>>>> regarding DNS zones that are set to forward only is not.
>>>>>
>>>>> In my first server, I can do a forward of a domain - let's say 
>>>>> domain.eu. On the second server (replica) the 
>>>>> forward is shown configured correctly within the webgui but it does 
>>>>> not work, giving an NX error on query www.domain.eu 
>>>>> (the A Record exists and is shown on the first server). 
>>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>>>> isn't a network permissions issue.
>>>>>
>>>>>
>>>>>
>>>>> I have deleted the zone on the master (and replica), and recreated it. 
>>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>>
>>>>>
>>>>>
>>>>> Am I missing anything? Is there an undocumented trick, or have I missed 
>>>>> something?
>>>>
>>>> Hello,
>>>>
>>>> it could be either a DNS configuration problem or a LDAP replication
>>>> problem.
>>>>
>>>> Please show us output from command:
>>>> $ ipa dnsforwardzone-show domain.eu
>>>> from all IPA servers you have.
>>>>
>>>> The output should be the same. If it is not the same then you are most
>>>> likely facing a replication problem, please see
>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>
>>>> --
>>>> Petr^2 Spacek
> 
> 


-- 
Petr Spacek  @  Red Hat
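The forwarder check Petr refers to can be reproduced by hand. The following is an added example, not FreeIPA's or named's own code, using only the Python standard library: it builds the same root DNSKEY query that named's "insecurity proof failed" message is about, with the EDNS0 DO bit set, and judges a reply by whether the forwarder echoed DO and passed the RRSIGs through. The rule "DO echoed and RRSIGs present" is an assumption here (a simplification of what a full validator does), and sample_response() is constructed data, not a captured packet.

```python
import struct

RRSIG, DNSKEY, OPT = 46, 48, 41
EDNS_DO, FLAG_AD = 0x8000, 0x0020   # DO bit in the OPT TTL field; AD bit in header flags

def build_dnskey_query(txid=0x1234):
    """Query for the root DNSKEY RRset (what named failed on) with EDNS0 and DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 OPT RR
    question = b"\x00" + struct.pack("!HH", DNSKEY, 1)        # owner ".", type DNSKEY, class IN
    return header + question + opt_rr(EDNS_DO)

def opt_rr(ttl_flags):
    """EDNS0 OPT pseudo-RR: UDP size 4096, ext-rcode 0, version 0, flags, empty rdata."""
    return b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, ttl_flags, 0)

def _skip_name(msg, off):
    """Advance past a domain name, handling label compression pointers."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def analyse_response(msg):
    """Return (ad_flag, do_echoed, rrsig_present) for a raw DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    do = rrsig = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsig |= rtype == RRSIG
        do |= rtype == OPT and bool(ttl & EDNS_DO)   # OPT "TTL" = ext-rcode, version, flags
    return bool(flags & FLAG_AD), do, rrsig

def forwarder_supports_dnssec(msg):
    """Assumed rule: a usable forwarder echoes DO and passes RRSIGs through intact."""
    _, do, rrsig = analyse_response(msg)
    return do and rrsig

def sample_response(clean):
    """Constructed test data, not captured traffic: root DNSKEY answer, with RRSIG and DO (clean) or stripped."""
    rr = lambda rtype, rdata: b"\x00" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    answers = [rr(DNSKEY, b"\x01\x01\x03\x08")] + ([rr(RRSIG, b"\x00\x30")] if clean else [])
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0 if clean else 0x8180, 1, len(answers), 0, 1)
    question = b"\x00" + struct.pack("!HH", DNSKEY, 1)
    return header + question + b"".join(answers) + opt_rr(EDNS_DO if clean else 0)
```

To probe a live forwarder, send build_dnskey_query() to it over UDP port 53 and pass the reply to forwarder_supports_dnssec(); a reply with the signatures stripped is the condition behind named's "got insecure response" message.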