[Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

Jason B. Nance jason at tresgeek.net
Wed Jan 4 22:40:38 UTC 2017


Hello everyone,

I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set to an Active Directory domain controller.  When a client attempts to look up any DNS record other than those for which FreeIPA is authoritative, the client reports NXDOMAIN and the FreeIPA server has the following in its logs:

(first lookup)
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

(subsequent lookups)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

In my case, ipa.tkc.gen.zone is served by FreeIPA and tkc.gen.zone is served by AD (as is gen.zone).  10.48.8.18 is an AD domain controller for tkc.gen.zone (and the forwarder the FreeIPA servers are pointed at).

I've tried "rndc flush" and "rndc flushname ." on the FreeIPA boxes.  We've tried both NSEC3 and NSEC.

Anyone have guidance as to what may be going on?

Thanks,

j
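The log lines quoted above are the signature of a DNSSEC validator whose chain of trust breaks at a delegation: named-pkcs11 cannot validate the DS record for "zone" via the forwarder (no RRSIG comes back), so every name below that cut fails, and the later "bad cache hit (zone/DS)" shows BIND serving that cached validation failure rather than re-asking. The script below is an added example, not part of the post or of FreeIPA; it parses named/named-pkcs11 validation errors of exactly this shape and links each failed query to the DS name whose validation failed and to the forwarder that answered. The sample log is a constructed copy of the lines in the post; the function names (`triage`, `ancestors`, `explain`) are this example's own.

```python
"""Triage BIND (named / named-pkcs11) DNSSEC validation failures.

Added example (not FreeIPA code): parse the validator's error lines and
attribute each failed query to the delegation (DS RRset) whose validation
failed, plus the server that returned the unusable answer.
"""
import re
from collections import defaultdict

# Constructed sample: copies of the lines quoted in the mailing-list post.
SAMPLE_LOG = """\
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
"""

# "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>"
ERROR_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+"
)
# "validating @0x...: <name> <type>: bad cache hit (<cached>/<type>)"
BADCACHE_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>[A-Z0-9]+): "
    r"bad cache hit \((?P<cached>[^/]+)/(?P<ctype>[A-Z0-9]+)\)"
)


def ancestors(name):
    """Zone cuts above `name`, nearest first, ending at the root.

    'a.tkc.gen.zone' -> ['tkc.gen.zone', 'gen.zone', 'zone', '.']
    A DS that fails validation at any of these breaks `name` too.
    """
    labels = name.rstrip(".").split(".")
    cuts = [".".join(labels[i:]) for i in range(1, len(labels))]
    cuts.append(".")
    return cuts


def parse_line(line):
    """Return a dict describing the event on this line, or None if unrelated."""
    m = ERROR_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "error"
        return ev
    m = BADCACHE_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "badcache"
        return ev
    return None


def triage(log_text):
    """Map each DS name that failed validation to the servers that answered
    and the (name, type) queries that failed because of it."""
    failed_ds = {}                 # DS owner name -> set of servers
    affected = defaultdict(set)    # DS owner name -> {(qname, qtype)}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "error" and ev["rtype"] == "DS":
            failed_ds.setdefault(ev["name"], set()).add(ev["server"])
        elif ev["kind"] == "error":
            # Attribute to the nearest enclosing cut whose DS already failed.
            for cut in ancestors(ev["name"]):
                if cut in failed_ds:
                    affected[cut].add((ev["name"], ev["rtype"]))
                    break
        elif ev["kind"] == "badcache" and ev["ctype"] == "DS":
            # BIND is reusing a cached validation failure for this DS.
            failed_ds.setdefault(ev["cached"], set())
            affected[ev["cached"]].add((ev["name"], ev["rtype"]))
    return {
        ds: {"servers": sorted(srv), "affected": sorted(affected[ds])}
        for ds, srv in failed_ds.items()
    }


def explain(result):
    """Human-readable lines, one per broken delegation."""
    lines = []
    for ds, info in sorted(result.items()):
        via = ", ".join(info["servers"]) or "(cached failure only)"
        names = ", ".join(f"{n}/{t}" for n, t in info["affected"])
        lines.append(f"DS for '{ds}' failed validation via {via}; failing queries: {names}")
    return lines


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_LOG)):
        print(line)
```

The output points at the delegation to test rather than at the names that happen to be failing: here it is the DS for "zone" answered by 10.48.8.18, so the next check is whether that forwarder returns signed answers at all, for example `dig +dnssec DS zone. @10.48.8.18`, and whether the same query against a validating resolver that does not go through the AD controller succeeds.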