[Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

Martin Basti mbasti at redhat.com
Thu Jan 5 08:38:31 UTC 2017
On 04.01.2017 23:40, Jason B. Nance wrote:
> Hello everyone,
>
> I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set to an Active Directory domain controller.  When a client attempts to look up any DNS record other than those for which FreeIPA is authoritative, the client reports NXDOMAIN and the FreeIPA server has the following in its logs:
>
> (first lookup)
> Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
> Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
>
> (subsequent lookups)
> Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
> Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
>
> In my case, ipa.tkc.gen.zone is served by FreeIPA and tkc.gen.zone is served by AD (as is gen.zone).  10.48.8.18 is an AD domain controller for tkc.gen.zone (and the forwarder the FreeIPA servers are pointed at).
>
> I've tried "rndc flush" and "rndc flushname ." on the FreeIPA boxes.  We've tried both NSEC3 and NSEC.
>
> Anyone have guidance as to what may be going on?
>
> Thanks,
>
> j
>

Hello,

You use a non-existent TLD domain, or the TLD domain doesn't have a DS 
record for your zone, so this is expected behavior: DNSSEC considers it 
an attack. You have to disable DNSSEC validation on all IPA DNS servers 
in /etc/named.conf in the first case, or fix the incorrect/missing DS 
record in the second case.

The 'zone.' is a registered TLD, so if you own it, you probably have a 
missing DS record in the path, thus a broken trust chain.
If you don't own the TLD, you shouldn't use it at all.

Martin
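The errors in the quoted log ("no valid DS", "broken trust chain") come from the validator walking the chain of trust from the root down to the queried name and finding a link it can neither verify nor prove absent. The following script is an added illustration, not code from this thread or from FreeIPA/BIND: it models that walk over constructed zone data using the thread's names (zone / gen.zone / tkc.gen.zone), with DS, DNSKEY and RRSIG checks reduced to flags so it runs offline. It covers three situations: the thread's setup (unsigned answers relayed by an AD forwarder, so the link at 'zone.' is bogus), the same tree after a DS record is published at every link (secure), and a TLD that publishes a signed denial that no DS exists for gen.zone (a correctly insecure delegation, which resolves without error).

```python
"""Added example: walk a DNSSEC chain of trust root -> name and report the
link where it breaks.  All zone data below is constructed for illustration.

For each zone, 'ds' records what the resolver learns when it asks about a
child at a zone cut:
  True   -> a DS for the child is returned with a valid RRSIG
  False  -> a signed denial (NSEC/NSEC3) proves no DS exists   => child insecure
  absent -> no DS and no signed proof either way (unsigned zone, or
            an answer relayed by a non-validating forwarder)   => bogus
'signed' says whether the zone itself publishes DNSKEY + RRSIGs."""

from typing import Dict, List, Tuple

ZoneDB = Dict[str, Dict]


def labels_from_root(name: str) -> List[str]:
    """'ipa.tkc.gen.zone.' -> ['zone.', 'gen.zone.', 'tkc.gen.zone.', 'ipa.tkc.gen.zone.']"""
    parts = [p for p in name.strip('.').split('.') if p]
    return ['.'.join(parts[i:]) + '.' for i in range(len(parts) - 1, -1, -1)]


def validate_chain(db: ZoneDB, name: str) -> Tuple[str, str]:
    """Return (status, detail), status in {'secure', 'insecure', 'bogus'}.

    Starting from the root trust anchor, every zone cut on the path needs
    either a signed DS in the parent or a signed proof that there is none;
    anything else leaves the validator with an unverifiable answer (bogus)."""
    parent = '.'
    for zone in labels_from_root(name):
        parent_ds = db.get(parent, {}).get('ds', {})
        if zone not in db and zone not in parent_ds:
            continue  # no zone cut here: the name lives inside `parent`
        ds = parent_ds.get(zone)
        if ds is None:
            # The thread's case: the answer for <zone>/DS carries no usable
            # DS or RRSIG, which BIND logs as "no valid DS" / "broken trust chain".
            return 'bogus', f'no valid DS for {zone} at {parent}'
        if ds is False:
            return 'insecure', f'{parent} proves no DS for {zone}; {name} resolves unvalidated'
        child = db.get(zone)
        if child is None or not child.get('signed'):
            return 'bogus', f'DS for {zone} published at {parent} but {zone} serves no DNSKEY/RRSIG'
        parent = zone
    return 'secure', f'chain of trust intact from . to {name}'


# Constructed scenario 1: the thread's setup.  Queries for zone/DS go through an
# AD forwarder that relays unsigned answers, so the root link cannot be verified.
THREAD_SETUP: ZoneDB = {
    '.':             {'signed': True,  'ds': {}},
    'zone.':         {'signed': False, 'ds': {}},
    'gen.zone.':     {'signed': False, 'ds': {}},
    'tkc.gen.zone.': {'signed': False, 'ds': {}},
}

# Constructed scenario 2: every zone is signed and its DS is published in the parent.
DS_CHAIN_FIXED: ZoneDB = {
    '.':                 {'signed': True, 'ds': {'zone.': True}},
    'zone.':             {'signed': True, 'ds': {'gen.zone.': True}},
    'gen.zone.':         {'signed': True, 'ds': {'tkc.gen.zone.': True}},
    'tkc.gen.zone.':     {'signed': True, 'ds': {'ipa.tkc.gen.zone.': True}},
    'ipa.tkc.gen.zone.': {'signed': True, 'ds': {}},
}

# Constructed scenario 3: the signed TLD proves that gen.zone has no DS, so
# everything below it is insecure (unvalidated) rather than bogus.
INSECURE_DELEGATION: ZoneDB = {
    '.':             {'signed': True,  'ds': {'zone.': True}},
    'zone.':         {'signed': True,  'ds': {'gen.zone.': False}},
    'gen.zone.':     {'signed': False, 'ds': {}},
    'tkc.gen.zone.': {'signed': False, 'ds': {}},
}

if __name__ == '__main__':
    target = 'sl1mmgpwtdc0001.tkc.gen.zone.'
    for label, db in (('thread setup', THREAD_SETUP),
                      ('DS chain fixed', DS_CHAIN_FIXED),
                      ('insecure delegation', INSECURE_DELEGATION)):
        print(f'{label:20s} -> {validate_chain(db, target)}')
```

The model shows why only the two remedies in the reply exist: either the parent links are repaired so the walk ends in "secure" (or in a signed "insecure" delegation), or the walk is not performed at all, which is what `dnssec-validation no;` in the `options` block of /etc/named.conf does; with validation off the server also stops rejecting forged answers from a forwarder, so the DS fix is the stronger option where it is available. On a live server, `dig +cd` (checking disabled) against the IPA resolver confirms that validation, not the forwarder itself, is producing the NXDOMAIN.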
