[Freeipa-users] Error with DNS forwarding on replica.
Nuno Higgs
ipa at border.nuneshiggs.com
Wed Jun 15 07:37:05 UTC 2016
Hello Petr,
[root at slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support
It’s empty.
Thanks
Nuno
> On 15 Jun 2016, at 07:45, Petr Spacek <pspacek at redhat.com> wrote:
>
> On 14.6.2016 17:29, Nuno Higgs wrote:
>> Hello,
>>
>> I am running CentOS7:
>>
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>> I configured my DNS forwarder when I did the install process of the secondary node of IPA:
>>
>> [root at slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
>
> Interesting, 4.2.0 should have checks to detect this problem.
>
> Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?
>
> It should be something like
> "DNS server <IP address> does not support DNSSEC"
>
> Thanks.
>
> Petr^2 Spacek
>
>
>>
>> Thanks,
>> Nuno
>>
>>> On 14 Jun 2016, at 15:28, Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>>> Hello,
>>>>
>>>> Found it:
>>>>
>>>> It appears that my forwarder is NOT DNSSEC happy:
>>>>
>>>> in: /var/named/data/named.run
>>>>
>>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>>
>>>> So, i changed the /etc/named.conf
>>>>
>>>> from:
>>>>
>>>> dnssec-enable yes;
>>>> dnssec-validation yes;
>>>>
>>>> to:
>>>>
>>>> dnssec-enable yes;
>>>> dnssec-validation no;
>>>>
>>>> Everything is working fine now.
>>>
>>> Okay, it explains a lot.
>>>
>>> Please note that the configuration "dnssec-validation no;" lowers the security bar for
>>> attackers and is strongly discouraged!
>>>
>>> The issue is most likely caused by a non-compliant forwarder which mangles DNS
>>> data somehow before it reaches your IPA DNS server.
>>>
>>> I would recommend that you check the DNS forwarder on 10.0.157.35 and see whether it is
>>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>>> returning to "dnssec-validation yes;" after fixing the forwarder config.
>>>
>>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>>> you try to configure them using IPA commands.
>>>
>>> What version of IPA do you use?
>>>
>>> How did you configure the forwarder in IPA?
>>>
>>> Petr^2 Spacek
>>>
>>>>
>>>> Thanks for your help!
>>>> Nuno
>>>>
>>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>>>>
>>>>> Hello again,
>>>>>
>>>>> [root at ipa01 ~]# kinit user
>>>>> Password for user at DOMAIN.LOCAL:
>>>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>>> Zone name: domain.eu.
>>>>> Active zone: TRUE
>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>> Forward policy: only
>>>>> [root at ipa01 ~]#
>>>>>
>>>>>
>>>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>> Zone name: domain.eu.
>>>>> Active zone: TRUE
>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>> Forward policy: only
>>>>> [root at ipa02 ~]#
>>>>>
>>>>> On both servers the return is the same.
>>>>> I haven't touched the DNS config besides deleting the zone and recreating
>>>>> it.
>>>>>
>>>>> I am at a loss. What can be the issue here?
>>>>>
>>>>> Thanks,
>>>>> Nuno
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: freeipa-users-bounces at redhat.com
>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>>> Sent: Monday, 13 June 2016 06:50
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>>
>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>> Hello all,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>>>>> geographic replication.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have added it as stated in the documentation here:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>>
>>>>>>
>>>>>>
>>>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>>>>> success within the replica.
>>>>>>
>>>>>> However there is a problem with the DNS sections:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Although DNS is ok, my configuration within IPA on the first server
>>>>>> regarding DNS zones that are set to forward only is not.
>>>>>>
>>>>>> In my first server, I can do a forward of domain - let's say domain.eu.
>>>>>> On the second server (replica) the forward is shown configured correctly
>>>>>> within the webgui but it does not work, giving an NX error on query
>>>>>> www.domain.eu (the A Record exists and is shown on the first server).
>>>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>>>>> isn't a network permissions issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>>>> something?
>>>>>
>>>>> Hello,
>>>>>
>>>>> it could be either a DNS configuration problem or an LDAP replication
>>>>> problem.
>>>>>
>>>>> Please show us output from command:
>>>>> $ ipa dnsforwardzone-show domain.eu
>>>>> from all IPA servers you have.
>>>>>
>>>>> The output should be the same. If it is not the same then you are most
>>>>> likely facing a replication problem, please see
>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>>
>>>>> --
>>>>> Petr^2 Spacek
>>
>>
>
>
> --
> Petr Spacek @ Red Hat
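Petr's advice in the thread is to check whether the forwarder at 10.0.157.35 passes DNSSEC data through before turning validation back on. The following is an added example, not code from the thread or FreeIPA's own installer check: with only the Python standard library it sends the same '. DNSKEY' question that BIND logged as failing, with the EDNS0 DO bit set, and reports whether the RRSIG records survived the trip through the forwarder. The sample_response helper builds constructed replies so the parser can be exercised offline; the forwarder IP and the hypothetical function names are assumptions.

```python
import socket
import struct
TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
EDNS_DO = 0x8000                                               # "DNSSEC OK" bit, carried in the OPT TTL field
ROOT_DNSKEY_Q = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)   # question section: ". DNSKEY IN"

def build_query(txid=0x1234):
    """Query '. DNSKEY' with EDNS0 and DO set, the lookup BIND reported failing in the thread."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)          # RD=1, 1 question, 1 OPT RR
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)   # OPT: 4096-byte UDP, DO=1
    return header + ROOT_DNSKEY_Q + opt

def _skip_name(data, off):                # offset just past a (possibly compressed) domain name
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:      # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data):
    """Return (rcode, set of RR types found in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, types = 12, set()
    for _ in range(qd):
        off = _skip_name(data, off) + 4                   # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    return flags & 0x000F, types

def passes_dnssec(response):
    """True when DNSKEY and its RRSIG both came back, i.e. the forwarder kept the DNSSEC data."""
    rcode, types = parse_response(response)
    return rcode == 0 and {TYPE_DNSKEY, TYPE_RRSIG} <= types

def sample_response(rrtypes, rcode=0):
    """Constructed reply with one dummy 2-byte RR per type; offline test input only, not real DNS data."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(rrtypes), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, 2) + b"\xab\xcd" for t in rrtypes)
    return header + ROOT_DNSKEY_Q + rrs

def probe(forwarder, timeout=3.0):
    """Ask a real forwarder over UDP/53, e.g. probe("10.0.157.35") for the one in the thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (forwarder, 53))
        data, _ = s.recvfrom(4096)
    return passes_dnssec(data)
```

A False result (missing RRSIG, FORMERR from a forwarder without EDNS, or SERVFAIL) is the "non-compliant forwarder" case Petr describes, and is what needs fixing on the forwarder side before "dnssec-validation yes;" can be restored on the IPA server.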