[Freeipa-users] SRV (mixed?) records

lejeczek peljasz at yahoo.co.uk
Wed Nov 9 15:57:15 UTC 2016



On 09/11/16 14:35, Martin Basti wrote:
>
>
> On 09.11.2016 15:33, lejeczek wrote:
>>
>>
>> On 09/11/16 13:48, Martin Basti wrote:
>>>
>>>
>>> On 09.11.2016 14:11, lejeczek wrote:
>>>>
>>>>
>>>> On 09/11/16 12:43, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>>>
>>>>>>
>>>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>>>> hi everyone
>>>>>>>> when I look at my domain I see something which 
>>>>>>>> seems inconsistent to me (eg. work5 is not part of 
>>>>>>>> the domain, was --uninstalled)
>>>>>>>> Do these record need fixing?
>>>>>>>> I'm asking because one of the servers, despite the 
>>>>>>>> fact the ipa dns related toolkit(on that server) 
>>>>>>>> shows zone & records, to dig/host/etc. presents 
>>>>>>>> nothing, empty responses!??
>>>>>>>>
>>>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>>>   Record name: @
>>>>>>>>   NS record: swir.xx.xx.xx.xx.x., 
>>>>>>>> rider.xx.xx.xx.xx.x.,
>>>>>>>>              dzien.xx.xx.xx.xx.x., 
>>>>>>>> whale.xx.xx.xx.xx.x.
>>>>>>>>
>>>>>>>>   Record name: _kerberos
>>>>>>>>   TXT record: .xx.xx..xx.xx.x
>>>>>>>>
>>>>>>>>   Record name: 
>>>>>>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs 
>>>>>>>>
>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>
>>>>>>>>   Record name: 
>>>>>>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>
>>>>>>>>   Record name: 
>>>>>>>> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs 
>>>>>>>>
>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>
>>>>>>>>   Record name: _kerberos._tcp.dc._msdcs
>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>
>>>>>>>>   Record name: _ldap._tcp.dc._msdcs
>>>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>
>>>>>>>>   Record name: _kerberos._udp.dc._msdcs
>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>
>>>>>>>>   Record name: _kerberos._tcp
>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>>>> 88 rider, 0 100 88 swir
>>>>>>>>
>>>>>>>>   Record name: _kerberos-master._tcp
>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>>>> 88 rider, 0 100 88 swir
>>>>>>>>
>>>>>>>>   Record name: _kpasswd._tcp
>>>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 
>>>>>>>> 100 464 dzien, 0 100 464 whale
>>>>>>>>
>>>>>>>>   Record name: _ldap._tcp
>>>>>>>>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 
>>>>>>>> 100 389 whale, 0 100 389 rider
>>>>>>>>
>>>>>>>>   Record name: _kerberos._udp
>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>>>> 88 rider, 0 100 88 swir
>>>>>>>>
>>>>>>>>   Record name: _kerberos-master._udp
>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
>>>>>>>> 88 rider, 0 100 88 swir
>>>>>>>>
>>>>>>>>   Record name: _kpasswd._udp
>>>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 
>>>>>>>> 100 464 dzien, 0 100 464 whale
>>>>>>>>
>>>>>>>>   Record name: _ntp._udp
>>>>>>>>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 
>>>>>>>> 100 123 whale, 0 100 123 swir
>>>>>>>>
>>>>>>>> thanks.
>>>>>>>> L.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> if server work5 is uninstalled, then work5 SRV 
>>>>>>> records should be removed.
>>>>>>>
>>>>>>> Martin
>>>>>>
>>>>>> Martin, would you be able to suggest a way to 
>>>>>> troubleshoot that problem that one (only) server 
>>>>>> (rider) seems to present no data for the whole 
>>>>>> domain? Remaining servers correctly respond to any 
>>>>>> queries. One curious thing is that I $rndc trace 6; 
>>>>>> and (I see debug level changed in journalctl) I do 
>>>>>> not see anything in the logs when I query.
>>>>>> Zone allows any to query it.
>>>>>>
>>>>>>
>>>>>
>>>>> What dig @rider  command returns for SRV queries?
>>>>>
>>>> don't mind SRV records for now, it returns no record at 
>>>> all, it forwards and caches but not for the domain itself.
>>>> on rider (suffice I point to other member server and 
>>>> records are there)
>>>>
>>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>>
>>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any 
>>>> .xx.xx..xx.xx.x. @10.5.6.100
>>>> ;; global options: +cmd
>>>> ;; Sending:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, 
>>>> ADDITIONAL: 1
>>>>
>>>> ;; OPT PSEUDOSECTION:
>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>> ;; QUESTION SECTION:
>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
>>>> ADDITIONAL: 1
>>>>
>>>> ;; OPT PSEUDOSECTION:
>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>> ;; QUESTION SECTION:
>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. 
>>>> hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600
>>>>
>>>> ;; Query time: 5 msec
>>>> ;; SERVER: 10.5.6.100#53(10.5.6.100)
>>>> ;; WHEN: Wed Nov 09 12:56:16 GMT 2016
>>>> ;; MSG SIZE  rcvd: 120
>>>>
>>>> I obfuscated FQDNs but it seems like it forwards to a 
>>>> parent domain (to which it's supposed, by dnsforwardzone)
>>>> And like I mentioned earlier, I do dnszone-find, etc. 
>>>> (on rider) it's all there.
>>>>
>>>>
>>>>
>>>
>>> I'm lost now, I don't understand you, you told me that 
>>> resolving on 'rider' server doesn't work, then you write 
>>> me that it is expected because you have forwardzone set, 
>>> but you cannot have forwardzone and master zone for the 
>>> same domain, IPA doesn't allow it, so I have no idea 
>>> what is not working for you. (You didn't make it easier 
>>> by obfuscating output)
>>>
>>> Martin
>>
>> no no, sorry, I mean - it forwards whereas it should be 
>> authoritative for its own FQDN.
>> I realize it is not obvious after I obfuscated the 
>> output, but here:
>>
>> ;; AUTHORITY SECTION:
>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. 
>> hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600
>>
>> this looks like the only domain which is dnsforwardzone, 
>> everything else is dnszone
>>
>> parent.xx.xx. - is the only forward
>> private.my.parent.xx.xx - it is IPA domain & dnszone
>>
>> I query private.my.parent.xx.xx and I get response as above.
>
> Do you have proper zone delegation from parent zone? NS 
> and A glue records?

no, I don't have any dealings with "parent" domain, I 
forward to there so only those queries could go directly to 
NSes instead of to ROOTs.
I do not really rely on that "parent" - I call it parent only 
because "logistically/visually" it appears as parent.
>
> How your named.conf looks?

Exactly the same as on the other three servers(IPA 
generated), I diffed it, only these are (respectively) 
different: fake_mname, sasl_user
I think that one server simply forwards (to that 
dnsforwardzone) as if it had not any own zones, but why?? 
Would it be in the LDAP?

>
> Martin
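As an added example (not code from this thread, from the FreeIPA project or from either poster), the two checks the thread keeps circling back to, done offline against constructed output: whether a server's dig answer shows it is actually authoritative for the IPA zone or is handing back a parent zone's SOA (what rider does above), and which SRV rdata in `ipa dnsrecord-find` output still points at a host that is no longer an IPA server (work5 above). The zone names ipa.example.test and example.test, the dig/ipa output and the live server list are constructed stand-ins for the obfuscated names in the thread.

```python
import re

# Constructed sample modelled on the thread: what 'dig +qr any <zone> @rider' returned.
# ipa.example.test / example.test stand in for the obfuscated zone names.
DIG_RIDER = """\
; <<>> DiG 9.9.4 <<>> +qr any ipa.example.test. @10.5.6.100
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa.example.test. IN ANY

;; AUTHORITY SECTION:
example.test.  3600  IN  SOA ns1.example.test. hostmaster.example.test. 1478696070 1800 900 604800 3600
"""

# Constructed sample: what a healthy IPA DNS server answers for the SOA of its own zone.
DIG_HEALTHY = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipa.example.test. IN SOA

;; ANSWER SECTION:
ipa.example.test. 86400 IN SOA rider.ipa.example.test. hostmaster.ipa.example.test. 1478696000 3600 900 1209600 3600
"""

# Constructed sample of 'ipa dnsrecord-find' output (unwrapped), one stale target: work5.
IPA_RECORDS = """\
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
"""


def parse_dig(output):
    """Return (status, flags, soa_owner) from the response part of dig output.
    dig +qr echoes the outgoing query first, so only look after ';; Got answer:'."""
    answer = output.split(";; Got answer:", 1)[-1]
    status = re.search(r"status: (\w+)", answer)
    flags = re.search(r";; flags: ([^;]*);", answer)
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", answer, re.M)
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set(),
            soa.group(1).lower() if soa else None)


def classify_response(output, zone):
    """'authoritative' when the server set the aa flag; 'forwarded-to-parent' when
    the only SOA it returned belongs to a parent zone, i.e. it recursed/forwarded
    instead of serving the zone itself (rider's symptom in the thread)."""
    zone = zone.rstrip(".").lower() + "."
    status, flags, soa_owner = parse_dig(output)
    if "aa" in flags:
        return "authoritative"
    if soa_owner and soa_owner != zone and (soa_owner == "." or zone.endswith("." + soa_owner)):
        return "forwarded-to-parent"
    return "not-authoritative"


def stale_srv_targets(records_output, live_servers):
    """Map record name -> SRV rdata whose target host is not a current IPA server.
    live_servers: short or fully qualified hostnames (e.g. from 'ipa server-find')."""
    live = {h.rstrip(".").split(".")[0].lower() for h in live_servers}
    stale, name = {}, None
    for line in records_output.splitlines():
        line = line.strip()
        if line.startswith("Record name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("SRV record:") and name:
            for rdata in line.split(":", 1)[1].split(","):
                parts = rdata.split()  # priority weight port target
                if len(parts) != 4:
                    continue
                if parts[3].rstrip(".").split(".")[0].lower() not in live:
                    stale.setdefault(name, []).append(" ".join(parts))
    return stale


def dnsrecord_del_commands(zone, stale):
    """Commands that drop only the stale rdata (ipa dnsrecord-del accepts --srv-rec)."""
    return [f'ipa dnsrecord-del {zone} {name} --srv-rec="{rdata}"'
            for name, rdatas in stale.items() for rdata in rdatas]


if __name__ == "__main__":
    print("rider:", classify_response(DIG_RIDER, "ipa.example.test"))
    print("healthy:", classify_response(DIG_HEALTHY, "ipa.example.test"))
    stale = stale_srv_targets(IPA_RECORDS, ["swir", "rider", "dzien", "whale"])
    print(*dnsrecord_del_commands("ipa.example.test", stale), sep="\n")
```

Run the dig classification against each server's own address (dig SOA of the IPA zone @server) rather than against whatever resolver the client uses; a server that is authoritative must set aa, and a parent-zone SOA in the AUTHORITY section with no aa means that server never loaded the zone from LDAP and is just forwarding. The SRV cleanup only removes the work5 rdata; the rider rdata on the same record stays.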
