[Freeipa-users] bind-dyndb-ldap, AXFR and DS records
Ben Roberts
me at benroberts.net
Fri Feb 10 07:42:08 UTC 2017
Hi Martin,
> I'm not sure how your DNS data are structured, but usually (properly)
> DS record is located in parent zone, so AXFR for
> subdomain.exmale.com should not return DS record, but AXFR
> for example.com should return DS record of
> subdomain.example.com.
Herein lies the problem. The nameservers are authoritative for both
the parent and child zones, and both are replicated from the primaries
to the secondary nameserver. The DS glue records for the child zone
contained within the parent zone are not being replicated across to
the secondary via AXFR. Thus there is a complete chain for DNSSEC
trust when queries are directed at the primaries, but not when queries
are directed at the secondary nameserver.
This affects both the DS glue records, and also the apex DS records
which don't need to be present, but which bind-dyndb-ldap makes
available automatically anyway. I raise this not because it's needed,
but it might be relevant to identifying where the root cause is.
Regards,
Ben Roberts
More information about the Freeipa-users
mailing list