[Freeipa-users] SRV (mixed?) records

Martin Basti mbasti at redhat.com
Wed Nov 9 14:35:26 UTC 2016



On 09.11.2016 15:33, lejeczek wrote:
>
>
> On 09/11/16 13:48, Martin Basti wrote:
>>
>>
>> On 09.11.2016 14:11, lejeczek wrote:
>>>
>>>
>>> On 09/11/16 12:43, Martin Basti wrote:
>>>>
>>>>
>>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>>
>>>>>
>>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>>> hi everyone
>>>>>>> when I look at my domain I see something which seems 
>>>>>>> inconsistent to me (eg. work5 is not part of the domain, was 
>>>>>>> --uninstalled)
>>>>>>> Do these record need fixing?
>>>>>>> I'm asking because one of the servers, despite the fact that the ipa 
>>>>>>> dns related toolkit (on that server) shows zone & records, to 
>>>>>>> dig/host/etc. presents nothing, empty responses!??
>>>>>>>
>>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>>   Record name: @
>>>>>>>   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>>>>>              dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>>>>
>>>>>>>   Record name: _kerberos
>>>>>>>   TXT record: .xx.xx..xx.xx.x
>>>>>>>
>>>>>>>   Record name: 
>>>>>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>
>>>>>>>   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>
>>>>>>>   Record name: 
>>>>>>> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>
>>>>>>>   Record name: _kerberos._tcp.dc._msdcs
>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>
>>>>>>>   Record name: _ldap._tcp.dc._msdcs
>>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>
>>>>>>>   Record name: _kerberos._udp.dc._msdcs
>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>
>>>>>>>   Record name: _kerberos._tcp
>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 
>>>>>>> 100 88 swir
>>>>>>>
>>>>>>>   Record name: _kerberos-master._tcp
>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 
>>>>>>> 100 88 swir
>>>>>>>
>>>>>>>   Record name: _kpasswd._tcp
>>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 
>>>>>>> 0 100 464 whale
>>>>>>>
>>>>>>>   Record name: _ldap._tcp
>>>>>>>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 
>>>>>>> 0 100 389 rider
>>>>>>>
>>>>>>>   Record name: _kerberos._udp
>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 
>>>>>>> 100 88 swir
>>>>>>>
>>>>>>>   Record name: _kerberos-master._udp
>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 
>>>>>>> 100 88 swir
>>>>>>>
>>>>>>>   Record name: _kpasswd._udp
>>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 
>>>>>>> 0 100 464 whale
>>>>>>>
>>>>>>>   Record name: _ntp._udp
>>>>>>>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 
>>>>>>> 0 100 123 swir
>>>>>>>
>>>>>>> thanks.
>>>>>>> L.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> if server work5 is uninstalled, then work5 SRV records should be 
>>>>>> removed.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> Martin, would you be able to suggest a way to troubleshoot that 
>>>>> problem that one (only) server (rider) seems to present no data 
>>>>> for the whole domain? Remaining servers correctly respond to any 
>>>>> queries. One curious thing is that I $rndc trace 6; and (I see 
>>>>> debug level changed in journalctl) I do not see anything in the 
>>>>> logs when I query.
>>>>> Zone allows any to query it.
>>>>>
>>>>>
>>>>
>>>> What does the dig @rider command return for SRV queries?
>>>>
>>> don't mind SRV records for now, it returns no record at all, it 
>>> forwards and caches but not for the domain itself.
>>> On rider (suffice it to say I point to another member server and records are there)
>>>
>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any 
>>> .xx.xx..xx.xx.x. @10.5.6.100
>>> ;; global options: +cmd
>>> ;; Sending:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;.xx.xx..xx.xx.x. IN ANY
>>>
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;.xx.xx..xx.xx.x. IN ANY
>>>
>>> ;; AUTHORITY SECTION:
>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 
>>> 1478696070 1800 900 604800 3600
>>>
>>> ;; Query time: 5 msec
>>> ;; SERVER: 10.5.6.100#53(10.5.6.100)
>>> ;; WHEN: Wed Nov 09 12:56:16 GMT 2016
>>> ;; MSG SIZE  rcvd: 120
>>>
>>> I obfuscated FQDNs but it seems like it forwards to a parent domain 
>>> (to which it's supposed, by dnsforwardzone)
>>> And like I mentioned earlier, I do dnszone-find, etc. (on rider) 
>>> it's all there.
>>>
>>>
>>>
>>
>> I'm lost now, I don't understand you. You told me that resolving on 
>> 'rider' server doesn't work, then you write me that it is expected 
>> because you have forwardzone set, but you cannot have forwardzone and 
>> master zone for the same domain, IPA doesn't allow it, so I have no 
>> idea what is not working for you. (You didn't make it easier by 
>> obfuscating output.)
>>
>> Martin
>
> no no, sorry, I mean - it forwards whereas it should be authoritative 
> for its own FQDN.
> I realize it is not obvious after I obfuscated the output, but here:
>
> ;; AUTHORITY SECTION:
> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 
> 1478696070 1800 900 604800 3600
>
> this looks like the only domain which is dnsforwardzone, everything 
> else is dnszone
>
> parent.xx.xx. - is the only forward
> private.my.parent.xx.xx - it is IPA domain & dnszone
>
> I query private.my.parent.xx.xx and I get response as above.

Do you have proper zone delegation from the parent zone? NS and A glue records?

How does your named.conf look?

Martin
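The two questions in this thread, whether SRV records still point at the uninstalled server (work5) and whether the parent zone actually delegates the IPA zone with NS and glue records, can both be checked offline from the data the poster already has. The script below is an added example, not FreeIPA's own code or anything from the thread: it parses a constructed listing in the shape of the quoted `ipa dnsrecord-find` output (including the line-wrapped value lists), reports SRV targets that are not among the servers still installed, and compares the NS/glue set a parent publishes for a child zone with what the child says about itself. All hostnames, zone names and addresses are constructed; `example.test` and `private.my.parent.example` stand in for the obfuscated names above.

```python
"""Offline checks for the two questions in this thread: stale SRV targets after a
server was uninstalled, and whether the parent zone delegates the IPA zone with
NS plus glue.  Added example, not FreeIPA's code; all names are constructed."""
import re
from collections import defaultdict

# Constructed input in the shape of the `ipa dnsrecord-find` output quoted above,
# including the line-wrapped value lists that appear in the original listing.
SAMPLE_LISTING = """\
  Record name: @
  NS record: swir.example.test., rider.example.test.,
             dzien.example.test., whale.example.test.

  Record name: _kerberos
  TXT record: EXAMPLE.TEST

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0
100 88 swir
"""

RECORD_NAME = re.compile(r"Record name:\s*(.*)$")
RECORD_TYPE = re.compile(r"(\w+) record:\s*(.*)$")


def parse_dnsrecord_find(text):
    """Return {record_name: {rrtype: [value, ...]}} from dnsrecord-find output.

    Values are collected as raw text first and split on commas at the end, so a
    list wrapped across lines ("..., 0" / "100 88 swir") is reassembled intact.
    """
    raw = defaultdict(lambda: defaultdict(str))
    lines = text.splitlines()
    name = rrtype = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:                      # blank line ends the current entry
            rrtype = None
            continue
        m = RECORD_NAME.match(line)
        if m:
            name = m.group(1).strip()
            if not name and i < len(lines):   # name wrapped onto the next line
                name = lines[i].strip()
                i += 1
            rrtype = None
            continue
        m = RECORD_TYPE.match(line)
        if m:
            rrtype = m.group(1)
            raw[name][rrtype] += " " + m.group(2)
        elif rrtype is not None:          # continuation of a wrapped value list
            raw[name][rrtype] += " " + line
    return {n: {t: [v.strip() for v in s.split(",") if v.strip()]
                for t, s in types.items()} for n, types in raw.items()}


def srv_target_host(value):
    """Short hostname from an SRV value 'priority weight port target'."""
    return value.split()[3].rstrip(".").split(".")[0]


def stale_srv_targets(records, active_hosts):
    """Map SRV targets not in active_hosts to the record names still using them.

    active_hosts is the set of servers that are still installed (in practice the
    output of `ipa server-find`); here the caller supplies it.
    """
    stale = defaultdict(list)
    for rname, types in records.items():
        for value in types.get("SRV", []):
            host = srv_target_host(value)
            if host not in active_hosts:
                stale[host].append(rname)
    return dict(stale)


def check_delegation(child_zone, parent_ns, parent_glue, child_ns):
    """Compare what the parent publishes for child_zone with the child's own apex.

    parent_ns:   NS names the parent returns for child_zone (empty if none).
    parent_glue: {nsname: ip} A records the parent hands out for those names.
    child_ns:    NS names at the child zone's own apex.
    Returns a list of findings; an empty list means the delegation is consistent.
    """
    findings = []
    if not parent_ns:
        findings.append(f"parent publishes no NS for {child_zone}; queries sent to "
                        "the parent stay there and answer NXDOMAIN")
        return findings
    for ns in sorted(set(child_ns) - set(parent_ns)):
        findings.append(f"{ns} serves {child_zone} but the parent does not delegate to it")
    for ns in sorted(set(parent_ns) - set(child_ns)):
        findings.append(f"parent delegates to {ns}, which {child_zone} does not list as NS")
    for ns in parent_ns:
        # An NS name inside the child zone needs glue, or resolvers cannot reach it.
        if ns.endswith("." + child_zone) and ns not in parent_glue:
            findings.append(f"no glue A record at the parent for in-zone NS {ns}")
    return findings


if __name__ == "__main__":
    recs = parse_dnsrecord_find(SAMPLE_LISTING)
    print("stale SRV targets:", stale_srv_targets(recs, {"swir", "rider", "dzien", "whale"}))
    print(check_delegation("private.my.parent.example", [], {},
                           ["rider.private.my.parent.example"]))
```

The delegation inputs would normally come from two queries: the NS RRset for the child name asked of the parent's authoritative server (with its additional section for glue) and the NS RRset asked of the child server itself; the SOA of the parent in the AUTHORITY section of the quoted `dig` output is exactly the symptom the first finding describes.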
