Is anyone here running FreeIPA on EL8 (a.k.a. RedHat IdM) with DDNS updates enabled from dhcpd, and running that server as their network's recursive resolver? Successfully?

On EL7, this just didn't work for me due to https://bugzilla.redhat.com/show_bug.cgi?id=1409321 and it seems even worse on EL8. The TL;DR is that if you have DDNS updates coming to named-pkcs11 from ISC dhcpd, many (i.e. recursive resolver) queries to named-pkcs11 will frequently, temporarily and intermittently return SERVFAIL. If you stop the DDNS updates from ISC DHCP, the recursive resolving behaviour of the server stabilizes and it stops returning SERVFAILs.

So, this is just a query to see if anyone is actually running this configuration successfully. If you think you might be successful with this configuration, how many recursive resolvers do you have in your network? If you have more than just the (single) FreeIPA server, it might be that named-pkcs11 on that machine is frequently returning SERVFAIL and that you are just not noticing because your alternate recursive resolvers are masking it.

So if you are running in such a configuration with alternate recursive resolvers, it might be interesting to use tcpdump or some such on your FreeIPA server to see if your named-pkcs11 is indeed returning SERVFAIL for many of your queries.

Cheers,
b.
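One way to run the SERVFAIL check suggested above, as an added example that is not part of the original post: it tallies response codes from raw DNS message payloads, the UDP payloads you would extract from a capture taken on the server. The helper names and the sample messages are constructed for illustration.

```python
import struct
from collections import Counter

# Subset of DNS response codes; anything else is reported as RCODE<n>.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_response(payload: bytes):
    """Return (qname, rcode_name) for a DNS response, None for queries or short data."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if not flags & 0x8000:            # QR bit clear: this is a query, not a response
        return None
    labels, pos = [], 12
    while qdcount and pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:                  # compression pointer: not expected in the question
            break
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    rcode = flags & 0x000F            # low four bits of the flags word
    return ".".join(labels) or ".", RCODES.get(rcode, f"RCODE{rcode}")

def servfail_ratio(payloads):
    """Count response codes and return (counts, fraction of responses that are SERVFAIL)."""
    counts = Counter()
    for p in payloads:
        parsed = parse_response(p)
        if parsed:
            counts[parsed[1]] += 1
    total = sum(counts.values())
    return counts, (counts["SERVFAIL"] / total if total else 0.0)

def _msg(qname: str, flags: int) -> bytes:
    """Build a constructed DNS message with one question (type A, class IN)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

# Constructed sample traffic, not taken from a real capture.
SAMPLE = [
    _msg("www.example.com", 0x0100),   # query (ignored)
    _msg("www.example.com", 0x8182),   # response, SERVFAIL
    _msg("www.example.com", 0x8180),   # response, NOERROR
    _msg("host.example.org", 0x8182),  # response, SERVFAIL
    _msg("nope.example.net", 0x8183),  # response, NXDOMAIN
]

if __name__ == "__main__":
    counts, ratio = servfail_ratio(SAMPLE)
    print(dict(counts), f"SERVFAIL ratio: {ratio:.0%}")
```

Comparing the ratio with DDNS updates enabled and disabled shows whether the failures track the updates even when other resolvers hide them from clients.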
