<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class="">Found it:</div><div class=""><br class=""></div><div class="">It appears that my forwarder is NOT DNSSEC happy:</div><div class=""><br class=""></div><div class="">in: /var/named/data/named.run</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure</span></div></div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53</span></div></div><div class=""><br class=""></div><div class="">So, I changed /etc/named.conf</div><div class=""><br class=""></div><div class="">from:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre">    </span>dnssec-enable yes;</span></div><div style="margin: 0px; font-size: 
11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre">       </span>dnssec-validation <b class="">yes</b>;</span></div></div><div class=""><br class=""></div><div class="">to:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre">        </span>dnssec-enable yes;</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre">       </span>dnssec-validation <b class="">no</b>;</span></div></div><div class=""><br class=""></div><div class="">Everything is working fine now.</div><div class=""><br class=""></div><div class="">Thanks for your help!</div><div class="">Nuno</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On 13 Jun 2016, at 10:14, Nuno Higgs <<a href="mailto:ipa@border.nuneshiggs.com" class="">ipa@border.nuneshiggs.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hello again,<br class=""><br class="">[root@ipa01 ~]# kinit user<br class="">Password for <a href="mailto:user@domain.local" class="">user@DOMAIN.LOCAL</a>:<br class="">[root@ipa01 ~]# ipa dnsforwardzone-show <a href="http://domain.eu" class="">domain.eu</a><br class="">  Zone name: <a href="http://domain.eu" class="">domain.eu</a>.<br class="">  Active zone: TRUE<br class="">  Zone forwarders: 194.65.3.20 195.65.3.21<br class="">  Forward policy: only<br class="">[root@ipa01 ~]#<br class=""><br 
class=""><br class="">[root@ipa02 ~]# ipa dnsforwardzone-show <a href="http://domain.eu" class="">domain.eu</a><br class="">  Zone name: <a href="http://domain.eu" class="">domain.eu</a>.<br class="">  Active zone: TRUE<br class="">  Zone forwarders: 194.65.3.20 195.65.3.21<br class="">  Forward policy: only<br class="">[root@ipa02 ~]#<br class=""><br class="">On both servers the return is the same.<br class="">I haven't touched the DNS config besides deleting the zone and recreating it.<br class=""><br class="">I am at a loss. What can be the issue here?<br class=""><br class="">Thanks,<br class="">Nuno<br class=""><br class=""><br class="">-----Original Message-----<br class="">From: <a href="mailto:freeipa-users-bounces@redhat.com" class="">freeipa-users-bounces@redhat.com</a><br class="">[<a href="mailto:freeipa-users-bounces@redhat.com" class="">mailto:freeipa-users-bounces@redhat.com</a>] On Behalf Of Petr Spacek<br class="">Sent: Monday, 13 June 2016 06:50<br class="">To: <a href="mailto:freeipa-users@redhat.com" class="">freeipa-users@redhat.com</a><br class="">Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.<br class=""><br class="">On 12.6.2016 20:47, Nuno Higgs wrote:<br class=""><blockquote type="cite" class="">Hello all,<br class=""><br class="">I have an IPA server - IPA 4.2 - and I have added a new IPA to geographic replication.<br class=""><br class="">I have added it as stated in the documentation here:<br class=""><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns" class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns</a><br class=""><br class="">All was replicated correctly, and I can do a kinit user@DOMAIN with success within the replica.<br class=""><br class="">However there is a problem with the DNS sections:<br class=""><br class="">Although DNS is ok, my configuration within IPA on the first server regarding DNS zones that are set on forward only is not.<br class=""><br class="">In my first server, I can do a forward of domain - let's say domain.eu. On the second server (replica) the forward is shown configured correctly within the webgui but it does not work, giving an NX error on query www.domain.eu (the A Record exists and is shown on the first server). It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.<br class=""><br class="">I have deleted the zone on the master (and replica), and recreated it. On the first server, it worked fine. On the replica the problem persisted.<br class=""><br class="">Am I missing anything?
Is there an undocumented trick, or have I missed something?<br class=""></blockquote><br class="">Hello,<br class=""><br class="">it could be either a DNS configuration problem or an LDAP replication problem.<br class=""><br class="">Please show us output from command:<br class="">$ ipa dnsforwardzone-show <a href="http://domain.eu" class="">domain.eu</a><br class="">from all IPA servers you have.<br class=""><br class="">The output should be the same. If it is not the same then you are most likely facing a replication problem, please see<br class=""><a href="http://www.freeipa.org/page/Troubleshooting#Replication_issues" class="">http://www.freeipa.org/page/Troubleshooting#Replication_issues</a><br class=""><br class="">--<br class="">Petr^2 Spacek<br class=""><br class="">--<br class="">Manage your subscription for the Freeipa-users mailing list:<br class="">https://www.redhat.com/mailman/listinfo/freeipa-users<br class="">Go to http://freeipa.org for more info on the project<br class=""></div></div></blockquote></div><br class=""></div></body></html>