[Freeipa-users] DNSSEC warning when DNSSEC should be disabled

Martin Bašti mbasti at redhat.com
Wed Apr 19 07:59:54 UTC 2017



On 13.04.2017 22:50, Dan Dietterich wrote:
>
> I am seeing inconsistent results configuring a DNS forward zone.
>
> At a bash prompt, as root, after kinit admin, I do:
>
> ipa dnsforwardzone-add domain.internal --forwarder=ww.xx.yy.zz --forward-policy=only
>
> That works fine and does not warn about DNSSEC.
>
> In a Java webapp running as root under a Jetty, I run a shell 
> sub-process and issue the kinit and the same ipa statement.
>
> Sometimes, I get
>
> ipa: WARNING: DNSSEC validation failed: record 'domain.internal. SOA' 
> failed DNSSEC validation on server ww.xx.yy.zz.
>
> Please verify your DNSSEC configuration or disable DNSSEC validation 
> on all IPA servers.
>
> I modified the /etc/named.conf file to say:
>
> dnssec-enable no;
>
> dnssec-validation no;
>
> and systemctl restart ipa
>
> Any clue why the results are different?
>
> ipa --version: VERSION: 4.4.0, API_VERSION: 2.213
>
> Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 
> x86_64 x86_64 x86_64 GNU/Linux
>
> Thanks for any insight!
>
> Regards,
>
> Dan
>

Hello,

Checks are done on the IPA server side; how many servers do you have? It is 
possible that the CLI connects to different servers.

However, in this case the DNSSEC check should always fail and report an error, 
so it is weird that it passed.

Martin

-- 
Martin Bašti
Software Engineer
Red Hat Czech
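
As an added example (not code from this thread or from FreeIPA itself), a small Python check for the hypothesis above: it parses the dnssec-enable / dnssec-validation settings out of each server's named.conf options and reports replicas that disagree, and it extracts the record and server from the CLI warning so the message can be matched to the server that produced it. The server names and config contents are constructed.

```python
"""Compare DNSSEC settings across FreeIPA DNS servers' named.conf files.

The ipa CLI may be routed to any IPA server, so a warning that appears only
sometimes can mean the replicas' named.conf files disagree (assumption).
"""
import re

# Constructed sample configs for two hypothetical IPA servers.
NAMED_CONF = {
    "ipa1.example.test": """
options {
    // dnssec-validation yes;   commented out, must be ignored
    dnssec-enable no;
    dnssec-validation no;
};
""",
    "ipa2.example.test": """
options {
    dnssec-enable yes;   # still at the default on this replica
    dnssec-validation yes;
};
""",
}

def strip_comments(text):
    """Drop the /* */, // and # comment forms that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def dnssec_settings(conf):
    """Return {'dnssec-enable': 'no', ...}; a key missing from the file is None."""
    clean = strip_comments(conf)
    found = {}
    for key in ("dnssec-enable", "dnssec-validation"):
        m = re.search(r"\b%s\s+(yes|no|auto)\s*;" % key, clean)
        found[key] = m.group(1) if m else None
    return found

def inconsistent_servers(configs):
    """Names of servers whose DNSSEC settings differ from the first server's."""
    per_server = {name: dnssec_settings(c) for name, c in configs.items()}
    reference = next(iter(per_server.values()))
    return sorted(n for n, s in per_server.items() if s != reference)

WARNING_RE = re.compile(r"DNSSEC validation failed: record '(?P<record>[^']+)' "
                        r"failed DNSSEC validation on server (?P<server>\S+?)\.?$")

def parse_warning(line):
    """Extract (record, server) from the ipa CLI warning line, else None."""
    m = WARNING_RE.search(line)
    return (m.group("record"), m.group("server")) if m else None

if __name__ == "__main__":
    print("servers differing from the first:", inconsistent_servers(NAMED_CONF))
```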
