<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 22/04/15 18:40, Cory Carlton wrote:<br> </div> <blockquote cite="mid:CAC3PCAJOfTbbakXP=F_vdPDUf_vNpyhwB07C879jHpS1aCUV1g@mail.gmail.com" type="cite"> <div dir="ltr">Hey all, <div><br> </div> <div>I for some reason do not ever get responses from doing DNS lookups to my new servers that have been stood up and replicated as Masters with CA, and DNS options entered at command line.</div> <div><br> </div> <div>Is there any trick or configuration to allow anonymous for my servers without IPA Client installed to talk to these?</div> <div><br> </div> <div>it does not allow lookups,</div> <div>Ip-tables have even been turned off for testing.</div> <div>telnet to server via 53 Works</div> <div> Stand alone IPA server LDAP DNS Kerberose usages</div> <div><br> </div> <div><br> </div> <div> [root@DOMAIN ~]# ipa dnsconfig-show --rights --all --raw</div> <div>---------------------------------</div> <div>Global DNS configuration is empty</div> <div>---------------------------------</div> <div> dn: cn=dns,dc=int,dc=DOMAIN,dc=com</div> <div> aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = <a class="moz-txt-link-rfc2396E" href="ldap:///cn=ReadDNSEntries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com">"ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com"</a> or userattr = "parent[0,1].managedby#GROUPDN";)</div> <div> aci: (target = <a class="moz-txt-link-rfc2396E" href="ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com">"ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com"</a>)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)</div> <div> aci: (target = <a class="moz-txt-link-rfc2396E" href="ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com">"ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com"</a>)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)</div> <div> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = <a class="moz-txt-link-rfc2396E" href="ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com">"ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com"</a>)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)</div> <div> attributelevelrights: {'cn': u'rscwo', 'idnsforwardpolicy': u'rscwo', 'objectclass': u'rscwo', 'idnsallowsyncptr': u'rscwo', 'idnsforwarders': u'rscwo', 'idnspersistentsearch': u'rscwo', 'idnszonerefresh': u'rscwo', 'aci': u'rscwo', 'nsaccountlock': u'rscwo'}</div> <div> cn: dns</div> <div> objectclass: idnsConfigObject</div> <div> objectclass: nsContainer</div> <div> objectclass: top</div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> Hello,<br> Can you share more details please?<br> <br> What is your IPA version?<br> What is your zone, how do you test it (dig/host command?), output from these commands.<br> Do you have any errors in named log on replicas? journalctl -u named or journalctl -u named-pkcs11 (depends on IPA version)<br> Is /etc/resolv.conf configured properly on client?<br> What kind of anonymous connections do you mind to DNS server? Standard DNS queries? nsupdate?<br> <br> Martin<br> <pre class="moz-signature" cols="72">-- Martin Basti</pre> </body> </html>