[Freeipa-users] Error with DNS forwarding on replica.

Nuno Higgs ipa at border.nuneshiggs.com
Wed Jun 15 07:37:05 UTC 2016


Hello Petr,

[root at slave ~]# cat  /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support

It’s empty.

Thanks
Nuno

> On 15 Jun 2016, at 07:45, Petr Spacek <pspacek at redhat.com> wrote:
> 
> On 14.6.2016 17:29, Nuno Higgs wrote:
>> Hello,
>> 
>> I am running CentOS7:
>> 
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> 
>> I configured my DNS forwarder when I did the install process of the secondary node of IPA:
>> 
>> [root at slave ~]#  ipa-replica-install --setup-ca --setup-dns --forwarder  10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
> 
> Interesting, 4.2.0 should have checks to detect this problem.
> 
> Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?
> 
> It should be something like
> "DNS server <IP address> does not support DNSSEC"
> 
> Thanks.
> 
> Petr^2 Spacek
> 
> 
>> 
>> Thanks,
>> Nuno
>> 
>>> On 14 Jun 2016, at 15:28, Petr Spacek <pspacek at redhat.com> wrote:
>>> 
>>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>>> Hello,
>>>> 
>>>> Found it:
>>>> 
>>>> It appears that my forwarder is NOT DNSSEC happy:
>>>> 
>>>> in:  /var/named/data/named.run
>>>> 
>>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>> 
>>>> So, i changed the /etc/named.conf 
>>>> 
>>>> from:
>>>> 
>>>> 	dnssec-enable yes;
>>>> 	dnssec-validation yes;
>>>> 
>>>> to:
>>>> 
>>>> 	dnssec-enable yes;
>>>> 	dnssec-validation no;
>>>> 
>>>> Everything is working fine now.
>>> 
>>> Okay, it explains a lot.
>>> 
>>> Please note that the configuration "dnssec-validation no;" lowers the security bar for
>>> attackers and is strongly discouraged!
>>> 
>>> The issue is most likely caused by non-compliant forwarder which mangles DNS
>>> data somehow before they reach your IPA DNS server.
>>> 
>>> I would recommend you to check the DNS forwarder on 10.0.157.35 and see whether it is
>>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>>> returning to "dnssec-validation yes;" after fixing the forwarder config.
>>> 
>>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>>> you try to configure them using IPA commands.
>>> 
>>> What version of IPA do you use?
>>> 
>>> How did you configure the forwarder in IPA?
>>> 
>>> Petr^2 Spacek
>>> 
>>>> 
>>>> Thanks for your help!
>>>> Nuno
>>>> 
>>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <ipa at border.nuneshiggs.com> wrote:
>>>>> 
>>>>> Hello again,
>>>>> 
>>>>> [root at ipa01 ~]# kinit user
>>>>> Password for user at DOMAIN.LOCAL:
>>>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>>> Zone name: domain.eu.
>>>>> Active zone: TRUE
>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>> Forward policy: only
>>>>> [root at ipa01 ~]#
>>>>> 
>>>>> 
>>>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>> Zone name: domain.eu.
>>>>> Active zone: TRUE
>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>> Forward policy: only
>>>>> [root at ipa02 ~]#
>>>>> 
>>>>> On both servers the return is the same.
>>>>> I haven't touched the DNS config besides deleting the zone and recreating
>>>>> it.
>>>>> 
>>>>> I am at a loss. What can be the issue here?
>>>>> 
>>>>> Thanks,
>>>>> Nuno
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: freeipa-users-bounces at redhat.com
>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>>> Sent: Monday, 13 June 2016 06:50
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>> 
>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>> Hello all,
>>>>>> 
>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA for
>>>>>> geographic replication.
>>>>>> 
>>>>>> I have added it as stated in the documentation here:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>> 
>>>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>>>>> success within the replica.
>>>>>> 
>>>>>> However there is a problem with the DNS sections:
>>>>>> 
>>>>>> Although DNS is ok, my configuration within IPA on the first server
>>>>>> regarding DNS zones that are set to forward only is not.
>>>>>> 
>>>>>> In my first server, I can do a forward of a domain - let's say
>>>>>> domain.eu. On the second server (replica) the forward is shown
>>>>>> configured correctly within the webgui but it does not work, giving
>>>>>> an NX error on query www.domain.eu (the A record exists and is shown
>>>>>> on the first server). It also shows on dig on the replica
>>>>>> (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>>>>>> 
>>>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>>> 
>>>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>>>> something?
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> it could be either a DNS configuration problem or an LDAP replication
>>>>> problem.
>>>>> 
>>>>> Please show us output from command:
>>>>> $ ipa dnsforwardzone-show domain.eu
>>>>> from all IPA servers you have.
>>>>> 
>>>>> The output should be the same. If it is not the same then you are most
>>>>> likely facing a replication problem, please see
>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>> 
>>>>> --
>>>>> Petr^2 Spacek
>> 
>> 
> 
> 
> -- 
> Petr Spacek  @  Red Hat
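Added example, not code from this thread, from FreeIPA or from BIND: a small Python check for the two things Petr's advice turns on, whether named.run shows DNSSEC validation failures attributable to an upstream server (the forwarder that "mangles DNS data"), and whether /etc/named.conf has been weakened with "dnssec-validation no;". The log lines and config fragments below are constructed samples modelled on the ones quoted in the thread; the failure-reason strings and the regexes are my assumptions about BIND 9's log format, not an official interface.

```python
"""Added example (not code from this thread, FreeIPA or BIND): detect the
two conditions discussed in the thread.

1. named.run lines showing DNSSEC validation failures, grouped by the upstream
   server that answered, so a forwarder that strips or mangles DNSSEC data
   stands out.
2. a named.conf that has been weakened with "dnssec-validation no;".

The sample inputs are constructed, modelled on the lines quoted in the thread.
The failure-reason strings and regexes are assumptions about BIND 9's log
format, not an official interface.
"""
import re
import sys
from collections import Counter
from typing import Dict, List

# Constructed sample of /var/named/data/named.run (modelled on the thread).
SAMPLE_NAMED_RUN = """\
validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
validating @0x7f2c40044910: example.test A: no valid signature found
error (no valid RRSIG) resolving 'example.test/A/IN': 10.0.157.35#53
validating @0x7f2c40045000: other.test A: verify rdataset (keyid=12345): success
"""

# Constructed named.conf fragments: the weakened form from the thread and the
# form Petr recommends returning to.
SAMPLE_NAMED_CONF_WEAK = "options {\n    dnssec-enable yes;\n    dnssec-validation no;\n};\n"
SAMPLE_NAMED_CONF_OK = "options {\n    dnssec-enable yes;\n    dnssec-validation yes;\n};\n"

# Assumed BIND 9 resolver error line:
#   error (<reason>) resolving '<name>/<type>/IN': <ip>#<port>
_RESOLVE_ERROR = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<name>[^']+)': "
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+"
)
# Reasons that mean the answer arrived without usable DNSSEC proof (assumed set).
_DNSSEC_REASONS = ("insecurity proof failed", "no valid RRSIG", "no valid signature")

# "dnssec-validation <yes|no|auto>;" anywhere in named.conf
_VALIDATION_OPT = re.compile(r"^\s*dnssec-validation\s+(?P<value>\w+)\s*;", re.MULTILINE)


def dnssec_failures_by_server(log_text: str) -> Dict[str, List[str]]:
    """Map each upstream IP to the names whose validation failed against it."""
    failures: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = _RESOLVE_ERROR.search(line)
        if m and any(r in m.group("reason") for r in _DNSSEC_REASONS):
            failures.setdefault(m.group("ip"), []).append(m.group("name"))
    return failures


def suspect_forwarders(log_text: str, threshold: int = 1) -> List[str]:
    """Upstream IPs with at least `threshold` DNSSEC failures, worst first."""
    counts = Counter({ip: len(n) for ip, n in dnssec_failures_by_server(log_text).items()})
    return [ip for ip, c in counts.most_common() if c >= threshold]


def validation_disabled(named_conf: str) -> bool:
    """True when named.conf explicitly sets "dnssec-validation no;"."""
    m = _VALIDATION_OPT.search(named_conf)
    return m is not None and m.group("value").lower() == "no"


def report(log_text: str, named_conf: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to flag."""
    findings = []
    for ip in suspect_forwarders(log_text):
        names = dnssec_failures_by_server(log_text)[ip]
        findings.append(f"upstream {ip}: {len(names)} DNSSEC validation failure(s), e.g. {names[0]}")
    if validation_disabled(named_conf):
        findings.append("named.conf has 'dnssec-validation no;' - validation is off")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_dnssec.py [named.run] [named.conf]; defaults to the samples.
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAMED_RUN
    conf = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_NAMED_CONF_WEAK
    for line in report(log, conf) or ["no DNSSEC problems found"]:
        print(line)
```

Run it against the real /var/named/data/named.run and /etc/named.conf; an upstream IP that keeps appearing is the forwarder to fix, which is the remedy Petr gives, rather than leaving validation off. To confirm a forwarder by hand, `dig +dnssec @10.0.157.35 . DNSKEY` should return RRSIG records next to the keys and, from a validating resolver, the ad flag; a forwarder that drops the signatures will produce exactly the "insecurity proof failed" lines quoted above.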
