[Freeipa-users] DNSSEC warning when DNSSEC should be disabled

Martin Bašti mbasti at redhat.com
Tue Apr 25 07:44:34 UTC 2017 


On 24.04.2017 20:22, Dan Dietterich wrote:
>
> I still think there is something wrong here.
>
> You say that the DNSSEC reply is "just warning", but when I get that 
> warning, a subsequent trust-add fails every time. When I don't get the 
> warning, the trust-add works.
>
> Therefore, the warning cannot just be ignored. Why is that?
>
If you have disabled DNSSEC validation then the issue is probably 
somewhere else in DNS. The check is not 100% reliable, sometimes it may 
false positively report DNSSEC issues when there is a different DNS issue.

Please try to "dig" AD domain and check if records are correct, also 
check if FreeIPA domain is accessible from AD side.

Also in case of failure please check journalctl -u named-pkcs11 log on 
FreeIPA server, there might be additional information.

> I have tried the following:
>
> -Signing the target Active Directory zone – it does not make a difference
>
Then there is a different issue than DNSSEC IMO

> -FreeIPA /etc/named.conf – "validation no" makes the warning go away 
> ONLY when I use the CLI on a root login.
>
This check is done on server side, so there is no difference between 
CLI/webUI or used user

> -Running the ipa CLI from a salt state or a subprocess of my Java 
> webapp ALWAYS gets the warning regardless.
>
> If there really should be a warning, then why don't I see it from the CLI?
>
> And can you help me understand what would be significantly different 
> between an interactive login and a "su –l root" in salt?
>
> Thank you for any insight,
>
> Dan
>
> *From: *Dan Dietterich <dan at cazena.com>
> *Date: *Wednesday, April 19, 2017 at 9:24 AM
> *To: *Martin Bašti <mbasti at redhat.com>, "freeipa-users at redhat.com" 
> <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] DNSSEC warning when DNSSEC should be 
> disabled
>
> *From: *Martin Bašti <mbasti at redhat.com>
> *Date: *Wednesday, April 19, 2017 at 9:23 AM
> *To: *Dan Dietterich <dan at cazena.com>, "freeipa-users at redhat.com" 
> <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] DNSSEC warning when DNSSEC should be 
> disabled
>
> IPA servers always check if DNSSEC is working on forwarders, but it is 
> just warning. If you have disabled  dnssec in named.conf then it is okay.
>
> I'm not sure why sometimes you see this warning and sometimes don't, 
> maybe inconsistent replies from forwarder.
>
> domain ".internal" should always fail because it is unregistered TLD
>
> Martin
>
> On 19.04.2017 15:11, Dan Dietterich wrote:
>
>     My configuration is a single ipa server and both the code path and
>     the bash prompt path are running on the node that is also running
>     the ipa server. I thought that since FreeIPA was installed with
>     --no-dnssec-validation that I should never see this warning. And I
>     confirmed that both dnssec-enabled and dnssec-validation are set
>     to 'no' in the /etc/named.conf.
>
>     So I'm confused that you say the DNSSEC should always fail.
>
>     Thanks for your help!
>
>     *From: *Martin Bašti <mbasti at redhat.com> <mailto:mbasti at redhat.com>
>     *Date: *Wednesday, April 19, 2017 at 3:59 AM
>     *To: *Dan Dietterich <dan at cazena.com> <mailto:dan at cazena.com>,
>     "freeipa-users at redhat.com" <mailto:freeipa-users at redhat.com>
>     <freeipa-users at redhat.com> <mailto:freeipa-users at redhat.com>
>     *Subject: *Re: [Freeipa-users] DNSSEC warning when DNSSEC should
>     be disabled
>
>     On 13.04.2017 22:50, Dan Dietterich wrote:
>
>         I am seeing inconsistent results configuring a DNS forward zone.
>
>         At a bash prompt, as root, after kinit admin, I do:
>
>         ipa dnsforwardzone-add domain.internal  --forwarder=
>         ww.xx.yy.zz --forward-policy=only
>
>         That works fine and does not warn about DNSSEC.
>
>         In a Java webapp running as root under a Jetty, I run a shell
>         sub-process and issue the kinit and the same ipa statement.
>
>         _/Sometimes/_, I get
>
>         ipa: WARNING: DNSSEC validation failed: record
>         'domain.internal. SOA' failed DNSSEC validation on server
>         ww.xx.yy.zz.
>
>         Please verify your DNSSEC configuration or disable DNSSEC
>         validation on all IPA servers.
>
>         I modified the /etc/named.conf file to say:
>
>         dnssec-enable no;
>
>         dnssec-validation no;
>
>         and systemctl restart ipa
>
>         Any clue why the results are different?
>
>         ipa –version: VERSION: 4.4.0, API_VERSION: 2.213
>
>         Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05
>         UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>         Thanks for any insight!
>
>         Regards,
>
>         Dan
>
>
>
>
>
>     Hello,
>
>     checks are done on IPA server side, how many servers do you have?
>     Is possible that CLI connects to different servers.
>
>     However in this case, DNSSEC check should always fail and report
>     error, so it is weird why it passed.
>
>     Martin
>
>
>     -- 
>
>     Martin Bašti
>
>     Software Engineer
>
>     Red Hat Czech
>
>
>
> -- 
> Martin Bašti
> Software Engineer
> Red Hat Czech

-- 
Martin Bašti
Software Engineer
Red Hat Czech

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170425/e32ec1c4/attachment.htm>

More information about the Freeipa-users mailing list