<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 24.04.2017 20:22, Dan Dietterich
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:A308D6D9-EF9A-460C-BE3A-C26D7E33AB31@cazena.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt">I still
            think there is something wrong here.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">You say that
            the DNSSEC reply is "just warning", but when I get that
            warning, a subsequent trust-add fails every time. When I
            don't get the warning, the trust-add works.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Therefore,
            the warning cannot just be ignored. Why is that?</span></p>
      </div>
    </blockquote>
    If you have disabled DNSSEC validation then the issue is probably
    somewhere else in DNS. The check is not 100% reliable; sometimes it
    may report a DNSSEC issue as a false positive when there is a
    different DNS issue.<br>
    <br>
    Please try to "dig" the AD domain and check whether the records are
    correct; also check whether the FreeIPA domain is accessible from the
    AD side.<br>
    <br>
    Also, in case of failure, please check the journalctl -u named-pkcs11
    log on the FreeIPA server; there might be additional information.<br>
    <br>
    <blockquote type="cite"
      cite="mid:A308D6D9-EF9A-460C-BE3A-C26D7E33AB31@cazena.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">I have tried
            the following:<o:p></o:p></span></p>
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
            style="font-size:11.0pt"><span style="mso-list:Ignore">-<span
                style="font:7.0pt "Times New Roman"">         
              </span></span></span><!--[endif]--><span
            style="font-size:11.0pt">Signing the target Active Directory
            zone – it does not make a difference</span></p>
      </div>
    </blockquote>
    Then it is a different issue than DNSSEC, IMO.<br>
    <br>
    <blockquote type="cite"
      cite="mid:A308D6D9-EF9A-460C-BE3A-C26D7E33AB31@cazena.com">
      <div class="WordSection1">
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span
            style="font-size:11.0pt"><o:p></o:p></span></p>
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
            style="font-size:11.0pt"><span style="mso-list:Ignore">-<span
                style="font:7.0pt "Times New Roman"">         
              </span></span></span><!--[endif]--><span
            style="font-size:11.0pt">FreeIPA /etc/named.conf –
            "validation no" makes the warning go away ONLY when I use
            the CLI on a root login.</span></p>
      </div>
    </blockquote>
    This check is done on the server side, so there is no difference
    between CLI/web UI or the user used.<br>
    <br>
    <blockquote type="cite"
      cite="mid:A308D6D9-EF9A-460C-BE3A-C26D7E33AB31@cazena.com">
      <div class="WordSection1">
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span
            style="font-size:11.0pt"><o:p></o:p></span></p>
        <p class="MsoListParagraph"
          style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
            style="font-size:11.0pt"><span style="mso-list:Ignore">-<span
                style="font:7.0pt "Times New Roman"">         
              </span></span></span><!--[endif]--><span
            style="font-size:11.0pt">Running the ipa CLI from a salt
            state or a subprocess of my Java webapp ALWAYS gets the
            warning regardless.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">If there
            really should be a warning, then why don't I see it from the
            CLI?<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">And can you
            help me understand what would be significantly different
            between an interactive login and a "su -l root" in salt?</p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Thank you
            for any insight,<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Dan<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal"><b><span style="color:black">From: </span></b><span
              style="color:black">Dan Dietterich <a class="moz-txt-link-rfc2396E" href="mailto:dan@cazena.com"><dan@cazena.com></a><br>
              <b>Date: </b>Wednesday, April 19, 2017 at 9:24 AM<br>
              <b>To: </b>Martin Bašti <a class="moz-txt-link-rfc2396E" href="mailto:mbasti@redhat.com"><mbasti@redhat.com></a>,
              <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a><br>
              <b>Subject: </b>Re: [Freeipa-users] DNSSEC warning when
              DNSSEC should be disabled<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-family:"Times New
              Roman","serif""><o:p> </o:p></span></p>
        </div>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal"><b><span style="color:black">From: </span></b><span
              style="color:black">Martin Bašti <a class="moz-txt-link-rfc2396E" href="mailto:mbasti@redhat.com"><mbasti@redhat.com></a><br>
              <b>Date: </b>Wednesday, April 19, 2017 at 9:23 AM<br>
              <b>To: </b>Dan Dietterich <a class="moz-txt-link-rfc2396E" href="mailto:dan@cazena.com"><dan@cazena.com></a>,
              <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a><br>
              <b>Subject: </b>Re: [Freeipa-users] DNSSEC warning when
              DNSSEC should be disabled<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-family:"Times New
              Roman","serif""><o:p> </o:p></span></p>
        </div>
        <p>IPA servers always check if DNSSEC is working on forwarders,
          but it is just a warning. If you have disabled DNSSEC in
          named.conf then it is okay.</p>
        <p>I'm not sure why sometimes you see this warning and sometimes
          don't; maybe inconsistent replies from the forwarder.</p>
        <p>The domain ".internal" should always fail because it is an
          unregistered TLD.</p>
        <p>Martin<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal">On 19.04.2017 15:11, Dan Dietterich
            wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span style="font-size:11.0pt">My
              configuration is a single ipa server and both the code
              path and the bash prompt path are running on the node that
              is also running the ipa server. I thought that since
              FreeIPA was installed with --no-dnssec-validation that I
              should never see this warning. And I confirmed that both
              dnssec-enabled and dnssec-validation are set to 'no' in
              the /etc/named.conf.</span><o:p></o:p></p>
          <p class="MsoNormal"><span style="font-size:11.0pt">So I'm
              confused that you say the DNSSEC should always fail.</span><o:p></o:p></p>
          <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span style="font-size:11.0pt">Thanks for
              your help!</span><o:p></o:p></p>
          <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span style="color:black">From: </span></b><span
                style="color:black">Martin Bašti
                <a href="mailto:mbasti@redhat.com"
                  moz-do-not-send="true"><mbasti@redhat.com></a><br>
                <b>Date: </b>Wednesday, April 19, 2017 at 3:59 AM<br>
                <b>To: </b>Dan Dietterich <a
                  href="mailto:dan@cazena.com" moz-do-not-send="true"><dan@cazena.com></a>,
                <a href="mailto:freeipa-users@redhat.com"
                  moz-do-not-send="true">
                  "freeipa-users@redhat.com"</a> <a
                  href="mailto:freeipa-users@redhat.com"
                  moz-do-not-send="true"><freeipa-users@redhat.com></a><br>
                <b>Subject: </b>Re: [Freeipa-users] DNSSEC warning when
                DNSSEC should be disabled</span><o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="font-family:"Times
                New Roman","serif""> </span><o:p></o:p></p>
          </div>
          <p> <o:p></o:p></p>
          <p class="MsoNormal"> <o:p></o:p></p>
          <div>
            <p class="MsoNormal">On 13.04.2017 22:50, Dan Dietterich
              wrote:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p class="MsoNormal"><span style="font-size:11.0pt">I am
                seeing inconsistent results configuring a DNS forward
                zone.</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">At a
                bash prompt, as root, after kinit admin, I do:</span><o:p></o:p></p>
            <p class="MsoNormal" style="text-indent:.5in"><span
                style="font-size:11.0pt;font-family:Courier">ipa
                dnsforwardzone-add domain.internal --forwarder=ww.xx.yy.zz --forward-policy=only</span></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">That
                works fine and does not warn about DNSSEC.</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">In a
                Java webapp running as root under a Jetty, I run a shell
                sub-process and issue the kinit and the same ipa
                statement.</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">_<i>Sometimes</i>_,
                I get </span>
              <o:p></o:p></p>
            <p class="MsoNormal" style="text-indent:.5in"><span
                style="font-size:11.0pt;font-family:Courier">ipa:
                WARNING: DNSSEC validation failed: record
                'domain.internal. SOA' failed DNSSEC validation on
                server ww.xx.yy.zz.</span><o:p></o:p></p>
            <p class="MsoNormal" style="text-indent:.5in"><span
                style="font-size:11.0pt;font-family:Courier">Please
                verify your DNSSEC configuration or disable DNSSEC
                validation on all IPA servers.</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">I
                modified the /etc/named.conf file to say:</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">               
              </span><span style="font-size:11.0pt;font-family:Courier">dnssec-enable
                no;</span><o:p></o:p></p>
            <p class="MsoNormal"><span
                style="font-size:11.0pt;font-family:Courier">     
                dnssec-validation no;</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">and </span><span
                style="font-size:11.0pt;font-family:Courier">systemctl
                restart ipa</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">Any clue
                why the results are different?</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">ipa
                --version: VERSION: 4.4.0, API_VERSION: 2.213</span></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">Linux …
                3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC
                2017 x86_64 x86_64 x86_64 GNU/Linux</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">Thanks
                for any insight!</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">Regards,</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt">Dan</span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="font-family:"Times
                New Roman","serif""><br>
                <br>
                <br>
              </span><o:p></o:p></p>
          </blockquote>
          <p class="MsoNormal"><span style="font-family:"Times New
              Roman","serif""><br>
              Hello,<br>
              <br>
              Checks are done on the IPA server side; how many servers do
              you have? It is possible that the CLI connects to different
              servers.<br>
              <br>
              However, in this case the DNSSEC check should always fail and
              report an error, so it is weird that it passed.<br>
              <br>
              Martin<br>
              <br>
              <br>
            </span><o:p></o:p></p>
          <pre>-- <o:p></o:p></pre>
          <pre>Martin Bašti<o:p></o:p></pre>
          <pre>Software Engineer<o:p></o:p></pre>
          <pre>Red Hat Czech<o:p></o:p></pre>
        </blockquote>
        <p class="MsoNormal"><span style="font-family:"Times New
            Roman","serif""><br>
            <br>
            <o:p></o:p></span></p>
        <pre>-- <o:p></o:p></pre>
        <pre>Martin Bašti<o:p></o:p></pre>
        <pre>Software Engineer<o:p></o:p></pre>
        <pre>Red Hat Czech<o:p></o:p></pre>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Bašti
Software Engineer
Red Hat Czech</pre>
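<p>Added example, not from this thread and not FreeIPA's own code: a POSIX shell helper that performs the checks suggested in the reply above. It asks the forwarder directly for the zone's SOA with the DO bit set (the record named in the IPA warning), summarises the rcode, the AD flag and whether any RRSIG came back, prints the effective dnssec-validation value from the running named configuration, and tails the named-pkcs11 journal. The zone and forwarder are command-line arguments, the hostnames in the comments are placeholders, and the verdict labels (validated, signed-unvalidated, unsigned, not-served, servfail, unreachable) are my own classification, not IPA's. It assumes dig from bind-utils is installed and that named-checkconf and journalctl are available on the IPA server.</p>

```shell
#!/bin/sh
# Added diagnostic helper for the forwarder check discussed above; it is not FreeIPA code.
# Assumptions: `dig` (bind-utils) is installed; the IPA DNS unit is named-pkcs11 as
# mentioned in the reply. ZONE and FORWARDER are taken from the command line.

# parse_dig_summary: read `dig ... +dnssec` output on stdin and print one line:
#   STATUS=<rcode> AD=<0|1> RRSIG=<0|1>
# AD is read from the flags line only (never from the "ADDITIONAL" counter).
parse_dig_summary() {
  awk '
    /^;; ->>HEADER<<-/ {
      for (i = 1; i <= NF; i++)
        if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
    }
    /^;; flags:/ {
      split($0, part, ";")                 # part[3] is " flags: qr rd ra ad"
      if ((" " part[3] " ") ~ / ad /) ad = 1
    }
    /[ \t]IN[ \t]+RRSIG[ \t]/ { rrsig = 1 }
    END { printf "STATUS=%s AD=%d RRSIG=%d\n", (s == "" ? "UNKNOWN" : s), ad + 0, rrsig + 0 }
  '
}

# classify_summary: map the summary line to a verdict the admin can act on.
classify_summary() {
  case "$1" in
    STATUS=NOERROR*AD=1*)             echo validated ;;          # forwarder validated it itself
    STATUS=NOERROR*RRSIG=1*)          echo signed-unvalidated ;; # signed zone, forwarder set no AD
    STATUS=NOERROR*)                  echo unsigned ;;           # plain answer, no DNSSEC material
    STATUS=NXDOMAIN*|STATUS=REFUSED*) echo not-served ;;         # forwarder does not serve the zone
    STATUS=SERVFAIL*)                 echo servfail ;;           # forwarder itself failed
    *)                                echo unreachable ;;        # no DNS header at all (timeout)
  esac
}

# named_validation_setting: effective dnssec-validation value from the running named config
# (named-checkconf -p prints the canonical configuration including included files).
named_validation_setting() {
  named-checkconf -p 2>/dev/null |
    awk '$1 == "dnssec-validation" { v = $2; sub(/;$/, "", v) } END { print (v == "" ? "default" : v) }'
}

# check_forwarder ZONE FORWARDER: the query the IPA warning refers to (SOA of the zone,
# DO bit set, asked directly at the forwarder), followed by the local named log.
check_forwarder() {
  zone=$1; fwd=$2
  summary=$(dig @"$fwd" "$zone" SOA +dnssec +time=3 +tries=1 2>/dev/null | parse_dig_summary)
  verdict=$(classify_summary "$summary")
  echo "$zone SOA via $fwd: $summary -> $verdict"
  echo "local named dnssec-validation: $(named_validation_setting)"
  case "$verdict" in
    not-served|servfail|unreachable)
      echo "forwarder cannot answer for the zone: a DNS problem, not a DNSSEC one" ;;
  esac
  # Only meaningful on the IPA server itself; ignore errors elsewhere.
  journalctl -u named-pkcs11 -n 50 --no-pager 2>/dev/null || true
}

if [ -n "${2:-}" ]; then
  check_forwarder "$1" "$2"
fi
```

<p>Run it on the IPA server as <code>sh check_forwarder.sh domain.internal ww.xx.yy.zz</code>. A verdict of not-served, servfail or unreachable means the forwarder could not answer for the zone at all, which matches the "different DNS issue" case in the reply; unsigned with dnssec-validation set to no is the expected healthy state for an unsigned AD zone behind a non-validating IPA resolver.</p>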
  </body>
</html>