[Freeipa-users] SRV (mixed?) records

lejeczek peljasz at yahoo.co.uk
Wed Nov 9 14:33:13 UTC 2016



On 09/11/16 13:48, Martin Basti wrote:
>
>
> On 09.11.2016 14:11, lejeczek wrote:
>>
>>
>> On 09/11/16 12:43, Martin Basti wrote:
>>>
>>>
>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>
>>>>
>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>> hi everyone
>>>>>> when I look at my domain I see something which seems 
>>>>>> inconsistent to me (e.g. work5 is not part of the 
>>>>>> domain, it was --uninstalled)
>>>>>> Do these records need fixing?
>>>>>> I'm asking because one of the servers, despite the 
>>>>>> fact that the ipa dns related toolkit (on that server) 
>>>>>> shows the zone & records, presents nothing to dig/host/etc., 
>>>>>> empty responses!??
>>>>>>
>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>   Record name: @
>>>>>>   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>>>>              dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>>>
>>>>>>   Record name: _kerberos
>>>>>>   TXT record: .xx.xx..xx.xx.x
>>>>>>
>>>>>>   Record name: 
>>>>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>
>>>>>>   Record name: 
>>>>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>
>>>>>>   Record name: 
>>>>>> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>
>>>>>>   Record name: _kerberos._tcp.dc._msdcs
>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>
>>>>>>   Record name: _ldap._tcp.dc._msdcs
>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>
>>>>>>   Record name: _kerberos._udp.dc._msdcs
>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>
>>>>>>   Record name: _kerberos._tcp
>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>> 88 rider, 0 100 88 swir
>>>>>>
>>>>>>   Record name: _kerberos-master._tcp
>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>> 88 rider, 0 100 88 swir
>>>>>>
>>>>>>   Record name: _kpasswd._tcp
>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 
>>>>>> 464 dzien, 0 100 464 whale
>>>>>>
>>>>>>   Record name: _ldap._tcp
>>>>>>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 
>>>>>> 389 whale, 0 100 389 rider
>>>>>>
>>>>>>   Record name: _kerberos._udp
>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>> 88 rider, 0 100 88 swir
>>>>>>
>>>>>>   Record name: _kerberos-master._udp
>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>> 88 rider, 0 100 88 swir
>>>>>>
>>>>>>   Record name: _kpasswd._udp
>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 
>>>>>> 464 dzien, 0 100 464 whale
>>>>>>
>>>>>>   Record name: _ntp._udp
>>>>>>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 
>>>>>> 123 whale, 0 100 123 swir
>>>>>>
>>>>>> thanks.
>>>>>> L.
>>>>>>
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> if server work5 is uninstalled, then work5 SRV records 
>>>>> should be removed.
>>>>>
>>>>> Martin
>>>>
>>>> Martin, would you be able to suggest a way to troubleshoot 
>>>> the problem that one (only) server (rider) seems to 
>>>> present no data for the whole domain? The remaining servers 
>>>> correctly respond to any queries. One curious thing is 
>>>> that I ran $ rndc trace 6 (I see the debug level changed in 
>>>> journalctl) and I do not see anything in the logs when I 
>>>> query.
>>>> The zone allows any to query it.
>>>>
>>>>
>>>
>>> What dig @rider  command returns for SRV queries?
>>>
>> Don't mind the SRV records for now, it returns no records at 
>> all; it forwards and caches, but not for the domain itself.
>> On rider (suffice it to say, if I point to another member server 
>> the records are there):
>>
>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any 
>> .xx.xx..xx.xx.x. @10.5.6.100
>> ;; global options: +cmd
>> ;; Sending:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, 
>> ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;.xx.xx..xx.xx.x. IN ANY
>>
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
>> ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;.xx.xx..xx.xx.x. IN ANY
>>
>> ;; AUTHORITY SECTION:
>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. 
>> hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600
>>
>> ;; Query time: 5 msec
>> ;; SERVER: 10.5.6.100#53(10.5.6.100)
>> ;; WHEN: Wed Nov 09 12:56:16 GMT 2016
>> ;; MSG SIZE  rcvd: 120
>>
>> I obfuscated the FQDNs but it seems like it forwards to a 
>> parent domain (to which it's supposed to, by dnsforwardzone).
>> And like I mentioned earlier, when I do dnszone-find, etc. (on 
>> rider), it's all there.
>>
>>
>>
>
> I'm lost now, I don't understand you: you told me that 
> resolving on the 'rider' server doesn't work, then you write 
> that it is expected because you have a forwardzone set, 
> but you cannot have a forwardzone and a master zone for the 
> same domain, IPA doesn't allow it, so I have no idea what 
> is not working for you. (You didn't make it easier by 
> obfuscating the output.)
>
> Martin

No no, sorry, I mean: it forwards whereas it should be 
authoritative for its own FQDN.
I realize it is not obvious after I obfuscated the output, 
but here:

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. 
hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

this looks like the only domain which is a dnsforwardzone; 
everything else is a dnszone

parent.xx.xx - is the only forward zone
private.my.parent.xx.xx - is the IPA domain & a dnszone

I query private.my.parent.xx.xx and I get response as above.
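As an added example (not part of the original thread, nor FreeIPA's own tooling), the following script parses `ipa dnsrecord-find` output in the shape shown at the top of this thread and flags SRV entries whose target is not one of the zone's NS hosts, which is exactly the situation with the uninstalled `work5` in the `_msdcs` records. The sample output, the zone name `ipa.example.test` and the four server names are constructed for the example. By default the set of "known" servers is derived from the `@` NS record; if you run replicas that do not serve DNS, pass the host list from `ipa server-find` instead, since those replicas legitimately appear in SRV records without being name servers.

```python
"""Find stale SRV targets in `ipa dnsrecord-find` output (example, not FreeIPA code)."""
import re

# Constructed sample modelled on the thread's output: four live servers and one
# uninstalled server ("work5") left behind in the _msdcs SRV records.
# Zone and host names are placeholders, not the poster's.
ZONE = "ipa.example.test"
SAMPLE = """\
  Record name: @
  NS record: swir.ipa.example.test., rider.ipa.example.test.,
             dzien.ipa.example.test., whale.ipa.example.test.

  Record name: _kerberos
  TXT record: IPA.EXAMPLE.TEST

  Record name:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100
88 rider, 0 100 88 swir

  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100
389 whale, 0 100 389 rider
"""

# "Key: value" lines; anything else is a wrapped continuation of the previous field.
FIELD = re.compile(r"^([A-Za-z@_ ]+?):\s*(.*)$")


def parse_records(text):
    """Return a list of dicts like {"name": "_ldap._tcp", "SRV": "0 100 389 rider, ..."}."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Record name":
                current = {"name": value}
                records.append(current)
                last_key = "name"
            elif current is not None and key.endswith(" record"):
                last_key = key[: -len(" record")]  # e.g. "SRV", "NS", "TXT"
                current[last_key] = value
            continue
        if current is not None and last_key is not None:
            # Wrapped line (long record name or long rdata list): glue it on.
            current[last_key] = (current[last_key] + " " + line).strip()
    return records


def split_values(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def short_host(target):
    """'rider.ipa.example.test.' and 'rider' both map to 'rider'."""
    return target.rstrip(".").split(".")[0].lower()


def ns_hosts(records):
    """Short host names from the zone apex NS record."""
    for rec in records:
        if rec["name"] == "@" and "NS" in rec:
            return {short_host(t) for t in split_values(rec["NS"])}
    return set()


def stale_srv(records, servers=None):
    """Map record name -> list of SRV rdata whose target is not a known server."""
    known = set(servers) if servers is not None else ns_hosts(records)
    stale = {}
    for rec in records:
        for rdata in split_values(rec.get("SRV", "")):
            parts = rdata.split()          # priority weight port target
            if len(parts) != 4:
                continue
            if short_host(parts[3]) not in known:
                stale.setdefault(rec["name"], []).append(rdata)
    return stale


def cleanup_commands(zone, stale):
    """`ipa dnsrecord-del` lines that remove only the stale rdata (review before running)."""
    return [
        f"ipa dnsrecord-del {zone} {name} --srv-rec='{rdata}'"
        for name, rrs in sorted(stale.items())
        for rdata in rrs
    ]


if __name__ == "__main__":
    found = stale_srv(parse_records(SAMPLE))
    for cmd in cleanup_commands(ZONE, found):
        print(cmd)
```

The generated `ipa dnsrecord-del ... --srv-rec=...` lines delete one rdata value at a time, so the live entries for the remaining servers stay in place; confirm the result afterwards with `dig SRV _ldap._tcp.<zone> @<server>` against each server, since a server that answers NXDOMAIN for its own zone (as `rider` does in this thread) will not reflect the LDAP-side records no matter how clean they are.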



