[Freeipa-users] SRV (mixed?) records

Petr Spacek pspacek at redhat.com
Thu Nov 10 06:51:31 UTC 2016


On 9.11.2016 16:57, lejeczek wrote:
> 
> 
> On 09/11/16 14:35, Martin Basti wrote:
>>
>>
>> On 09.11.2016 15:33, lejeczek wrote:
>>>
>>>
>>> On 09/11/16 13:48, Martin Basti wrote:
>>>>
>>>>
>>>> On 09.11.2016 14:11, lejeczek wrote:
>>>>>
>>>>>
>>>>> On 09/11/16 12:43, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>>>>> hi everyone
>>>>>>>>> when I look at my domain I see something which seems inconsistent to
>>>>>>>>> me (eg. work5 is not part of the domain, was --uninstalled)
>>>>>>>>> Do these record need fixing?
>>>>>>>>> I'm asking because one of the servers, despite the fact the ipa dns
>>>>>>>>> related toolkit(on that server) shows zone & records, to
>>>>>>>>> dig/host/etc. presents nothing, empty responses!??
>>>>>>>>>
>>>>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>>>>   Record name: @
>>>>>>>>>   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>>>>>>>              dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos
>>>>>>>>>   TXT record: .xx.xx..xx.xx.x
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>>   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos._tcp.dc._msdcs
>>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>>   Record name: _ldap._tcp.dc._msdcs
>>>>>>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos._udp.dc._msdcs
>>>>>>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos._tcp
>>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>> 88 swir
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos-master._tcp
>>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>> 88 swir
>>>>>>>>>
>>>>>>>>>   Record name: _kpasswd._tcp
>>>>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
>>>>>>>>> 464 whale
>>>>>>>>>
>>>>>>>>>   Record name: _ldap._tcp
>>>>>>>>>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
>>>>>>>>> 389 rider
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos._udp
>>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>> 88 swir
>>>>>>>>>
>>>>>>>>>   Record name: _kerberos-master._udp
>>>>>>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>> 88 swir
>>>>>>>>>
>>>>>>>>>   Record name: _kpasswd._udp
>>>>>>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
>>>>>>>>> 464 whale
>>>>>>>>>
>>>>>>>>>   Record name: _ntp._udp
>>>>>>>>>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
>>>>>>>>> 100 123 swir
>>>>>>>>>
>>>>>>>>> thanks.
>>>>>>>>> L.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> if server work5 is uninstalled, then work5 SRV records should be removed.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>
>>>>>>> Martin, would you be able to suggest a way to troubleshoot that problem
>>>>>>> that one (only) server (rider) seems to present no data for the whole
>>>>>>> domain? Remaining servers correctly respond to any queries. One curious
>>>>>>> thing is that I $rndc trace 6; and (I see debug level changed in
>>>>>>> journalctl) I do not see anything in the logs when I query.
>>>>>>> Zone allows any to query it.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> What dig @rider  command returns for SRV queries?
>>>>>>
>>>>> don't mind SRV records for now, it returns no record at all, it forwards
>>>>> and caches but not for the domain itself.
>>>>> on rider (suffice I point to other member server and records are there)
>>>>>
>>>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>>>
>>>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
>>>>> @10.5.6.100
>>>>> ;; global options: +cmd
>>>>> ;; Sending:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>>
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>> ;; QUESTION SECTION:
>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>>
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>> ;; QUESTION SECTION:
>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>
>>>>> ;; AUTHORITY SECTION:
>>>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
>>>>> 1478696070 1800 900 604800 3600
>>>>>
>>>>> ;; Query time: 5 msec
>>>>> ;; SERVER: 10.5.6.100#53(10.5.6.100)
>>>>> ;; WHEN: Wed Nov 09 12:56:16 GMT 2016
>>>>> ;; MSG SIZE  rcvd: 120
>>>>>
>>>>> I obfuscated FQDNs but it seems like it forwards to a parent domain (to
>>>>> which it's supposed, by dnsforwardzone)
>>>>> And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all
>>>>> there.
>>>>>
>>>>>
>>>>>
>>>>
>>>> I'm lost now, I don't understand you, you told me that resolving on
>>>> 'rider' server doesn't work, then you write me that it is expected because
>>>> you have forwardzone set, but you cannot have forwardzone and master zone
>>>> for the same domain, IPA doesn't allow it, so I have no idea what is not
>>>> working for you. (You didn't make it easier by obfuscating output)
>>>>
>>>> Martin
>>>
>>> no no, sorry, I mean - it forwards whereas it should be authoritative for
>>> its own FQDN.
>>> I realize it is not obvious after I obfuscated the output, but here:
>>>
>>> ;; AUTHORITY SECTION:
>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070
>>> 1800 900 604800 3600
>>>
>>> this looks like the only domain which is dnsforwardzone, everything else is
>>> dnszone
>>>
>>> parent.xx.xx. - is the only forward
>>> private.my.parent.xx.xx - it is IPA domain & dnszone
>>>
>>> I query private.my.parent.xx.xx and I get response as above.
>>
>> Do you have proper zone delegation from parent zone? NS and A glue records?
> 
> no, I don't have any dealings with "parent" domain, I forward to there so only
> those queries could go directly to NSes instead of to ROOTs.
> I do not rely on that "parent" - I call it parent for only
> "logistically/visually" it appears as parent.
>>
>> How your named.conf looks?
> 
> Exactly the same as on the other three servers (IPA generated), I diffed it,
> only these are (respectively) different: fake_mname, sasl_user
> I think that one server simply forwards (to that dnsforwardzone) as if it had
> not any own zones, but why?? Would it be in the LDAP?

Do you have 'forwarders' statement in your named.conf?

If you have it, we might see a situation where LDAP plugin does not
load/connect to LDAP for whatever reason and only the global forwarding works.

Alternatively it might be a problem described in
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded

-- 
Petr^2 Spacek
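The two checks Petr suggests (is the server answering the zone from its own copy, or only via the global `forwarders` in named.conf?) can be scripted. The code below is an added example, not part of this thread and not FreeIPA or bind-dyndb-ldap code: it parses the text `dig` prints for a SOA query and looks for a `forwarders` statement inside the `options {}` block. All hostnames, addresses, the sample dig output and the named.conf fragments are constructed placeholders, modelled on the obfuscated output quoted above.

```python
"""Added example (not from the thread): classify a server's answer to a zone
SOA query and check named.conf for a global `forwarders` statement.
Every name, address and sample text here is a constructed placeholder."""
import re
from typing import List, NamedTuple, Optional, Tuple

Record = Tuple[str, str, str]  # (section, owner name, RR type)


class DigSummary(NamedTuple):
    status: str                  # rcode of the final header, e.g. NOERROR, NXDOMAIN
    flags: frozenset             # header flags of the final answer, e.g. {"qr", "aa"}
    records: Tuple[Record, ...]


def parse_dig(text: str) -> DigSummary:
    """Parse dig's default text output. With +qr dig prints two headers
    (the echoed query, then the answer); the last header wins."""
    status, flags, section = "UNKNOWN", frozenset(), "ANSWER"
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.search(r"->>HEADER<<-.*status:\s*(\w+)", line)
        if m:
            status, records = m.group(1), []   # drop anything from the echoed query
            continue
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            flags = frozenset(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if line.startswith(";"):              # any other comment line
            continue
        f = line.split()
        # RR lines: owner ttl class type rdata...  A wrapped SOA continuation
        # line (serial/refresh/...) has no "IN" in field 3 and is skipped.
        if len(f) >= 4 and f[2] == "IN":
            records.append((section, f[0].lower(), f[3]))
    return DigSummary(status, flags, tuple(records))


def authority_verdict(dig_text: str, zone: str) -> str:
    """Classify the reply to `dig SOA <zone> @server`."""
    zone = zone.lower().rstrip(".") + "."
    d = parse_dig(dig_text)
    soa_owners = [owner for _, owner, rrtype in d.records if rrtype == "SOA"]
    if "aa" in d.flags and d.status == "NOERROR" and zone in soa_owners:
        return "authoritative"
    if "aa" in d.flags:
        return "authoritative-but-zone-missing"
    # No aa flag: a SOA for an ancestor of the zone means the answer came from
    # recursion/forwarding, not from a locally loaded copy of the zone.
    if any(o == "." or zone.endswith("." + o) for o in soa_owners if o != zone):
        return "answered-via-parent"
    return "not-authoritative"


def _strip_comments(conf: str) -> str:
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _top_level_block(conf: str, name: str) -> Optional[str]:
    """Return the brace-matched body of `name { ... }`, or None."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", conf)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():i]
    return None


def global_forwarders(named_conf: str) -> List[str]:
    """Forwarders declared in options {}; per-zone forwarders are ignored."""
    opts = _top_level_block(_strip_comments(named_conf), "options")
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", opts or "")
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []


def diagnose(dig_text: str, zone: str, named_conf: str) -> dict:
    """Combine both checks into the hint an operator wants to see."""
    verdict, fwd = authority_verdict(dig_text, zone), global_forwarders(named_conf)
    if verdict == "answered-via-parent" and fwd:
        hint = "zone not loaded; only global forwarding answers: check the LDAP backend"
    elif verdict == "authoritative":
        hint = "zone served locally"
    else:
        hint = "server did not answer from the zone"
    return {"verdict": verdict, "global_forwarders": fwd, "hint": hint}


# Constructed sample: the sick server (no aa flag, parent zone's SOA in AUTHORITY).
SICK_DIG = """
; <<>> DiG 9.9.4 <<>> +qr SOA private.my.parent.example. @192.0.2.10
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;private.my.parent.example.   IN   SOA

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
parent.example.  3600  IN  SOA  ns1.parent.example. hostmaster.parent.example.
1478696070 1800 900 604800 3600
"""
# Constructed sample: a healthy replica answering with aa and the zone's own SOA.
HEALTHY_DIG = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
private.my.parent.example. 86400 IN SOA rider.private.my.parent.example. hostmaster.private.my.parent.example. 1478696000 3600 900 1209600 3600
"""
NAMED_CONF = """
options {
    directory "/var/named";   // constructed, not IPA's real file
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;
};
"""
ZONE_FWD_ONLY_CONF = """
options { directory "/var/named"; };
zone "parent.example" IN { type forward; forward only; forwarders { 192.0.2.53; }; };
"""

if __name__ == "__main__":
    print(diagnose(SICK_DIG, "private.my.parent.example", NAMED_CONF))
    print(diagnose(HEALTHY_DIG, "private.my.parent.example", ZONE_FWD_ONLY_CONF))
```

On a real server you would feed `authority_verdict` the output of `dig SOA <zone> @<server>` and `global_forwarders` the contents of /etc/named.conf; the absent `aa` flag together with a parent zone's SOA in the AUTHORITY section is exactly the shape of the reply quoted earlier in this thread, and that combination with a global `forwarders` statement is the "LDAP backend not loaded, only forwarding works" case Petr describes.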



