On Fri, Jul 31, 2020 at 5:49 AM Stanislav Levin via FreeIPA-users <
[email protected]> wrote:

>
>
> 31.07.2020 2:03, Christian Hernandez via FreeIPA-users пишет:
> > I'm having an issue delegating a subdomain. My domain is cloud.chx and I
> > ran the following.
> >
> > ipa dnsrecord-add cloud.chx dc1.ad --a-rec=192.168.1.253
> > ipa dnsrecord-add 1.168.192.in-addr.arpa. 253 --ptr-rec=dc1.ad.cloud.chx.
> > ipa dnsrecord-add cloud.chx ad --ns-rec=dc1.ad.cloud.chx.
> >
> >
> > I checked and it's in the config
> >
> > [root@ipa1 ~]# dig axfr cloud.chx | grep ad
> > ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
> > dc1.ad.cloud.chx. 86400 IN A 192.168.1.253
> >
> >
> > But when I query, it doesn't return what I expected.
> >
> > [root@ipa1 ~]# dig dc1.ad.cloud.chx NS
> >
> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;dc1.ad.cloud.chx. IN NS
> >
> > ;; Query time: 27 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Thu Jul 30 15:48:03 PDT 2020
> > ;; MSG SIZE  rcvd: 45
> >
> >
> > The other DNS server is up and running.
> >
> > [root@ipa1 ~]# dig @192.168.1.253 dc1.ad.cloud.chx
> >
> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @192.168.1.253
> > dc1.ad.cloud.chx
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4000
> > ;; QUESTION SECTION:
> > ;dc1.ad.cloud.chx. IN A
> >
> > ;; ANSWER SECTION:
> > dc1.ad.cloud.chx. 3600 IN A 192.168.1.253
> >
> > ;; Query time: 1 msec
> > ;; SERVER: 192.168.1.253#53(192.168.1.253)
> > ;; WHEN: Thu Jul 30 15:59:21 PDT 2020
> > ;; MSG SIZE  rcvd: 61
> >
> >
> > It is worth noting that adding +norec works.
> >
> > [root@ipa1 ~]# dig dc1.ad.cloud.chx NS +norec
> >
> > ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS
> > +norec
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
> > ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;dc1.ad.cloud.chx. IN NS
> >
> > ;; AUTHORITY SECTION:
> > ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
> >
> > ;; ADDITIONAL SECTION:
> > dc1.ad.cloud.chx. 86400 IN A 192.168.1.253
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Thu Jul 30 15:59:39 PDT 2020
> > ;; MSG SIZE  rcvd: 75
> >
> > Is there anything I'm missing?
>
> Do you have the validating resolver (DNSSEC-aware recursive server)
> listening on 127.0.0.1#53? And if yes, then do you have DS RRs in the
> parent zone for the delegated one?
>

I see no DNSSEC error in my logs. Just some errors when I ran ipactl
restart a few times...

[root@ipa1 ~]# egrep -i 'error|dc1' /var/named/data/named.run
29-Jul-2020 12:45:24.569 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 14:04:22.667 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 15:12:33.778 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 15:15:35.740 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 15:17:22.125 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 17:54:19.335 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 17:55:00.649 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed
30-Jul-2020 18:37:27.418 LDAP error: Can't contact LDAP server:
ldap_sync_poll() failed


I do see these, but I don't think they're related.

[root@ipa1 ~]# grep 192.168.1.253 /var/named/data/named.run
30-Jul-2020 14:34:00.480 client @0x7f2cd81cada0 192.168.1.253#59899: update
'cloud.chx/IN' denied
30-Jul-2020 14:34:00.702 client @0x7f2cb030acc0 192.168.1.253#50606: update
'cloud.chx/IN' denied
30-Jul-2020 14:37:18.666 client @0x7f2cd80559a0 192.168.1.253#62071: update
'cloud.chx/IN' denied
30-Jul-2020 14:37:41.334 client @0x7f2cb030acc0 192.168.1.253#58363: update
'cloud.chx/IN' denied
30-Jul-2020 15:38:49.112 client @0x7ff2741cada0 192.168.1.253#49900: update
'1.168.192.in-addr.arpa/IN' denied
30-Jul-2020 20:13:16.706 client @0x7f64f044a9a0 192.168.1.253#51960: update
'1.168.192.in-addr.arpa/IN' den

The error I'm getting is NXDOMAIN

[root@ipa1 ~]# dig  @localhost dc1.ad.cloud.chx

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @localhost
dc1.ad.cloud.chx
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx. IN A

;; Query time: 17 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jul 31 07:05:40 PDT 2020
;; MSG SIZE  rcvd: 45


The glue records are in

[root@ipa1 ~]# dig  @localhost AXFR cloud.chx  | grep dc1
ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
dc1.ad.cloud.chx. 86400 IN A 192.168.1.253



>
> https://www.isc.org/dnssec/
> https://downloads.isc.org/isc/dnssec-guide/dnssec-guide.pdf
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
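Added example, not code from this thread, from FreeIPA or from BIND: a small Python triage script that encodes the three checks the thread runs by hand (recursive query at the IPA resolver, the same query with +norec, and the query sent straight to the child server) and classifies the combination. The dig outputs embedded below are constructed to mirror the headers quoted above, not captured from a live server, and all function names are mine. Two caveats worth keeping in mind when reading the result: a DNSSEC validation failure shows up as SERVFAIL, not NXDOMAIN, and "dig +cd" (checking disabled) is the quick way to rule validation in or out; and an NXDOMAIN with an empty AUTHORITY section from the recursive path, while +norec returns a clean referral with glue, means the recursive answer came from somewhere other than the delegation. One common cause in BIND is a global forwarder with a forward-only policy, which makes named forward the query instead of following the referral; the dig_commands() list below includes the +cd, DS and +trace queries that distinguish these cases.

```python
"""Triage a DNS subdomain delegation from dig output (added example)."""
import re

# Constructed dig header fragments, modelled on the thread's outputs (not live captures).
RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NOREC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; AUTHORITY SECTION:
ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
"""
CHILD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
# The header flags line is the only one whose flags are followed by "QUERY:";
# the EDNS pseudosection also prints "flags:" but is not matched by this pattern.
FLAGS_RE = re.compile(r"flags: (?P<flags>[a-z ]*); (?P<counts>QUERY: \d+[^\n]*)")
COUNT_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)")


def parse_dig(text):
    """Extract rcode, header flags and section counts from dig's text output."""
    st = STATUS_RE.search(text)
    fl = FLAGS_RE.search(text)
    if not st or not fl:
        raise ValueError("no dig header found (timeout or connection refused?)")
    counts = {k: int(v) for k, v in COUNT_RE.findall(fl.group("counts"))}
    return {"status": st.group("status"),
            "flags": set(fl.group("flags").split()),
            "counts": counts}


def is_referral(resp):
    """A non-authoritative NOERROR with NS records in AUTHORITY and no ANSWER."""
    return (resp["status"] == "NOERROR"
            and "aa" not in resp["flags"]
            and resp["counts"].get("ANSWER", 0) == 0
            and resp["counts"].get("AUTHORITY", 0) > 0)


def triage(recursive_out, norec_out, child_out):
    """Classify the delegation from the three dig runs the thread performs."""
    rec, norec, child = (parse_dig(t) for t in (recursive_out, norec_out, child_out))
    if child["status"] != "NOERROR" or "aa" not in child["flags"]:
        return "CHILD_NOT_AUTHORITATIVE"        # fix the child server first
    if not is_referral(norec):
        return "PARENT_DELEGATION_MISSING"      # NS/glue not present in the parent zone
    if rec["status"] == "NOERROR" and rec["counts"].get("ANSWER", 0) > 0:
        return "OK"
    if rec["status"] == "SERVFAIL":
        return "RESOLUTION_OR_VALIDATION_FAILURE"   # re-run with +cd to rule out DNSSEC
    if rec["status"] == "NXDOMAIN":
        # Parent delegates, child answers, yet recursion says NXDOMAIN: the recursive
        # answer did not come from the delegation (e.g. a forward-only forwarder).
        return "RECURSION_NOT_FOLLOWING_DELEGATION"
    return "UNCLASSIFIED"


def dig_commands(name, child_zone, child_ip, resolver="127.0.0.1"):
    """The dig queries to run, in order, to feed triage() and the DNSSEC checks."""
    return [
        f"dig @{resolver} {name} A",              # recursive path (what clients see)
        f"dig @{resolver} {name} A +norec",       # does the parent hand out a referral?
        f"dig @{child_ip} {name} A",              # is the child authoritative (aa)?
        f"dig @{resolver} {name} A +cd",          # same answer with validation disabled?
        f"dig @{resolver} {child_zone} DS +dnssec",  # DS in the parent for the child zone
        f"dig @{resolver} {name} A +trace",       # where the recursive path actually goes
    ]


if __name__ == "__main__":
    print(triage(RECURSIVE, NOREC, CHILD))
    for cmd in dig_commands("dc1.ad.cloud.chx", "ad.cloud.chx", "192.168.1.253"):
        print(cmd)
```

Run the listed dig commands against the real servers and paste each output into triage(); the script only parses the header and section counts, so the full dig output (with EDNS pseudosection and answer sections) works unchanged.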