[Freeipa-users] SRV (mixed?) records

lejeczek peljasz at yahoo.co.uk
Wed Nov 9 13:11:09 UTC 2016



On 09/11/16 12:43, Martin Basti wrote:
>
>
> On 09.11.2016 12:15, lejeczek wrote:
>>
>>
>> On 08/11/16 19:37, Martin Basti wrote:
>>>
>>>
>>> On 08.11.2016 19:41, lejeczek wrote:
>>>> hi everyone
>>>> when I look at my domain I see something which seems 
>>>> inconsistent to me (eg. work5 is not part of the 
>>>> domain, was --uninstalled)
>>>> Do these records need fixing?
>>>> I'm asking because one of the servers, despite the fact 
>>>> the ipa dns related toolkit(on that server) shows zone 
>>>> & records, to dig/host/etc. presents nothing, empty 
>>>> responses!??
>>>>
>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>   Record name: @
>>>>   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>>              dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>
>>>>   Record name: _kerberos
>>>>   TXT record: .xx.xx..xx.xx.x
>>>>
>>>>   Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>
>>>>   Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _kerberos._tcp.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _ldap._tcp.dc._msdcs
>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>
>>>>   Record name: _kerberos._udp.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _kerberos._tcp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kerberos-master._tcp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kpasswd._tcp
>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>>>
>>>>   Record name: _ldap._tcp
>>>>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
>>>>
>>>>   Record name: _kerberos._udp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kerberos-master._udp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kpasswd._udp
>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>>>
>>>>   Record name: _ntp._udp
>>>>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir
>>>>
>>>> thanks.
>>>> L.
>>>>
>>>
>>>
>>> Hello,
>>>
>>> if server work5 is uninstalled, then work5 SRV records 
>>> should be removed.
>>>
>>> Martin
>>
>> Martin, would you be able to suggest a way to troubleshoot 
>> that problem that one (only) server (rider) seems to 
>> present no data for the whole domain? Remaining servers 
>> correctly respond to any queries. One curious thing is 
>> that I $rndc trace 6; and (I see debug level changed in 
>> journalctl) I do not see anything in the logs when I query.
>> Zone allows any to query it.
>>
>>
>
> What dig @rider  command returns for SRV queries?
>
don't mind SRV records for now, it returns no record at all, 
it forwards and caches but not for the domain itself.
on rider (suffice I point to other member server and records 
are there)

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE  rcvd: 120

I obfuscated FQDNs but it seems like it forwards to a parent 
domain (to which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on 
rider) it's all there.
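
An added example, not part of the original thread: a Python check that parses `ipa dnsrecord-find` text in the shape quoted above (mail-wrapped lines included) and lists SRV targets that are not in a given set of current servers, such as the uninstalled work5. The function names, the constructed sample and the server set (taken from the NS list in the post) are assumptions of this example.

```python
import re

# Constructed sample shaped like the quoted `ipa dnsrecord-find` output,
# including the line wrapping the mail client introduced.
SAMPLE = """\
  Record name:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100
464 dzien, 0 100 464 whale
"""
# Assumption: the servers still in the topology, taken from the NS list in the post.
CURRENT = {"swir", "rider", "dzien", "whale"}
FIELD = re.compile(r"^(Record name|[A-Z0-9]+ record):\s*(.*)$")

def parse_srv(text):
    """Return {owner name: [(priority, weight, port, target), ...]}."""
    fields = []  # [key, value] pairs; wrapped continuation lines are joined
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif line and fields and not line.startswith(("---", "Number of")):
            fields[-1][1] = (fields[-1][1] + " " + line).strip()
    out, name = {}, None
    for key, value in fields:
        if key == "Record name":
            name = value
        elif key == "SRV record" and name:
            out[name] = [tuple(v.split()) for v in value.split(",")]
    return out

def stale_targets(records, current):
    """Map each SRV owner name to targets that are not in `current`."""
    known = {s.rstrip(".").lower() for s in current}
    findings = {}
    for name, entries in records.items():
        bad = sorted({e[3] for e in entries
                      if len(e) == 4 and e[3].rstrip(".").lower() not in known})
        if bad:
            findings[name] = bad
    return findings

if __name__ == "__main__":
    for owner, hosts in stale_targets(parse_srv(SAMPLE), CURRENT).items():
        print(f"{owner}: remove SRV target(s) {', '.join(hosts)}")
```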
