<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hello Petr,<div class=""> </div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(254, 244, 156);" class="">[root@slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support</div><div class=""> </div><div class="">It’s empty.</div><div class=""> </div><div class="">Thanks</div><div class="">Nuno</div><div class=""> </div><div style=""><blockquote type="cite" class=""><div class="">On 15 Jun 2016, at 07:45, Petr Spacek <<a href="mailto:pspacek@redhat.com" class="">pspacek@redhat.com</a>> wrote:</div> <div class=""><div class="">On 14.6.2016 17:29, Nuno Higgs wrote: <blockquote type="cite" class="">Hello, I am running CentOS7: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 I configured my dos forward when i did the install process of the secondary node of IPA: [root@slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg </blockquote> Interesting, 4.2.0 should checks to detect this problem. Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC? It should be something like "DNS server <IP address> does not support DNSSEC" Thanks. Petr^2 Spacek <blockquote type="cite" class=""> Thanks, Nuno <blockquote type="cite" class="">On 14 Jun 2016, at 15:28, Petr Spacek <<a href="mailto:pspacek@redhat.com" class="">pspacek@redhat.com</a>> wrote: On 14.6.2016 13:01, Nuno Higgs wrote: <blockquote type="cite" class="">Hello, Found it: It appears that my forwarder is NOT DNSSEC happy: in: /var/named/data/named.run validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53 So, i changed the /etc/named.conf from: dnssec-enable yes; dnssec-validation yes; to: dnssec-enable yes; dnssec-validation no; Everything is working fine now. </blockquote> Okay, it explains a lot. Please note that configuration "dnssec-validation no;" lowers security bar for attackers and is strongly discouraged! The issue is most likely caused by non-compliant forwarder which mangles DNS data somehow before they reach your IPA DNS server. I would recommend you to check DNS forwarder on 10.0.157.35 and see it is configured with its equivalent of "dnssec-enable yes;". I strongly recommend returning back to "dnssec-validation yes;" after fixing the forwarder config. IPA 4.3 or newer should print a warning about such broken forwarders whenever you try to configure them using IPA commands. What version of IPA do you use? How did you configure the forwarder in IPA? Petr^2 Spacek <blockquote type="cite" class=""> Thanks for your help! Nuno <blockquote type="cite" class="">On 13 Jun 2016, at 10:14, Nuno Higgs <<a href="mailto:ipa@border.nuneshiggs.com" class="">ipa@border.nuneshiggs.com</a>> wrote: Hello again, [root@ipa01 ~]# kinit user Password for <a href="mailto:user@domain.local" class="">user@DOMAIN.LOCAL</a>: [root@ipa01 ~]# ipa dnsforwardzone-show <a href="http://domain.eu" class="">domain.eu</a> Zone name: <a href="http://domain.eu" class="">domain.eu</a>. Active zone: TRUE Zone forwarders: 194.65.3.20 195.65.3.21 Forward policy: only [root@ipa01 ~]# [root@ipa02 ~]# ipa dnsforwardzone-show <a href="http://domain.eu" class="">domain.eu</a> Zone name: <a href="http://domain.eu" class="">domain.eu</a>. Active zone: TRUE Zone forwarders: 194.65.3.20 195.65.3.21 Forward policy: only [root@ipa02 ~]# On both servers the return is the same. I haven't touched the DNS config besides deleting the zone and recreating it. I am at a loss. What can be the issue here? Thanks, Nuno -----Original Message----- From: <a href="mailto:freeipa-users-bounces@redhat.com" class="">freeipa-users-bounces@redhat.com</a> [<a href="mailto:freeipa-users-bounces@redhat.com" class="">mailto:freeipa-users-bounces@redhat.com</a>] On Behalf Of Petr Spacek Sent: segunda-feira, 13 de junho de 2016 06:50 To: <a href="mailto:freeipa-users@redhat.com" class="">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica. On 12.6.2016 20:47, Nuno Higgs wrote: <blockquote type="cite" class="">Hello all, I have a IPA server - IPA 4.2 - and i have added a new IPA to geographic replication. I have added it as stated in the documentation here: <<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu" class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu</a> x/7/ht ml/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the- replic a.html#replica-install-with-dns> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux" class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux</a> /7/htm l/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-r eplica .html#replica-install-with-dns All was replicated correctly, and i can do a kinit user@DOMAIN with success within the replica. However there is a problem with the DNS sections: Although it DNS is ok, my configuration within IPA on the first server regarding DNS zones that are set on forward only are not. In my first server, i can do a forward of domain - let's say <http://domain.eu> domain.eu. On the second server (replica) the forward is shown configured correctly within the webgui but it does not work, giving a NX error on query <http://www.domain.eu> www.domain.eu (the A Record exists and is shown on the first server). It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it </blockquote>isn't a network permissions issue. <blockquote type="cite" class=""> I have deleted the zone on the master (and replica), and recreated it. On the first server, it worked fine. On the replica the problem persisted. Am I missing anything? Is there a undocumented trick, or have i missed something? </blockquote> Hello, it could be either a DNS configuration problem or a LDAP replication problem. Please show us output from command: $ ipa dnsforwardzone-show <a href="http://domain.eu" class="">domain.eu</a> from all IPA servers you have. The output should be the same. If it is not the same then you are most likely facing an replication problem, please see <a href="http://www.freeipa.org/page/Troubleshooting#Replication_issues" class="">http://www.freeipa.org/page/Troubleshooting#Replication_issues</a> -- Petr^2 Spacek </blockquote></blockquote></blockquote> </blockquote> -- Petr Spacek @ Red Hat </div></div></blockquote></div> </div></body></html>