TL;DR: FreeIPA's DNS (especially with DNSSEC enabled) can appear to be working well and pass accuracy tests, yet generate failures depending on the client's DNS provider's response timeout settings. You can tell whether you're as 'online as you think you are' using this tool: https://dnschecker.org/

FreeIPA's DNS response latency times are near the timeout/give-up bubble of some of the world's largest public / semi-public DNS resolvers. When, 'over time', these large companies report the FreeIPA web sites & related services do not exist. DNS resolvers in use by those 'near to' the host generally have better timing and so give the appearance of working.

Without DNSSEC enabled, the packet sizes and processing requirements are lower, so most services on the same continent as the host operate as expected. Enabling DNSSEC adds enough so that even the 'more local' DNS resolvers time out/report error -- and without notice to the FreeIPA hosting organization. Cloudflare and Google in North America 'worked' without DNSSEC in my case, but failed more often than it worked with DNSSEC enabled.

I think the problem is the latency involved in the orchestration between bind9 and dirsrv/ldap. Workarounds include "throwing faster computers at it" and/or pointing internet NS records at slave resolvers that don't depend on inter-process communications.

Hope this helps other folks.

Harry Coin

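The post above describes symptoms (answers that arrive, but too slowly for some public resolvers, and larger answers once DNSSEC is on) without showing how to measure them. The script below is an added example, not code from the original post or from the FreeIPA project: it builds a raw DNS query with the standard library only, optionally sets the EDNS0 DO (DNSSEC OK) bit so the authoritative server includes RRSIG data, times the UDP round trip, and reports answer size and the TC (truncated) flag. The zone name, the server address and the per-resolver timeout budget in the `__main__` block are assumptions to be replaced with your own values; the budget is not a published figure for any resolver.

```python
"""Measure DNS answer latency and size from an authoritative server,
with and without the EDNS0 DO (DNSSEC OK) bit. Standard library only."""
import random
import socket
import struct
import time

RD_FLAG = 0x0100        # recursion desired bit in the DNS header
EDNS_UDP_SIZE = 4096    # advertised UDP payload size in the OPT record
DO_FLAG = 0x8000        # DNSSEC OK bit in the OPT record's flags field


def encode_name(name):
    """Turn 'example.com.' into DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=1, dnssec=False, qid=None):
    """Build a query for NAME/QTYPE with an EDNS0 OPT record appended.
    When dnssec=True the DO bit is set, which asks the server for RRSIGs."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, RD_FLAG, 1, 0, 0, 1)  # arcount=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_FLAG if dnssec else 0, 0)
    return header + question + opt


def parse_response(data):
    """Parse only the 12-byte header; enough for size, rcode and truncation."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),   # TC: answer did not fit in UDP
        "rcode": flags & 0x000F,
        "answers": an,
        "additional": ar,
        "size": len(data),
    }


def measure(name, resolver, dnssec, timeout=2.0, qtype=1):
    """Send one UDP query; return (latency_ms, parsed header) or (None, None)
    when the server does not answer within TIMEOUT or the ID does not match."""
    query = build_query(name, qtype=qtype, dnssec=dnssec)
    qid = struct.unpack("!H", query[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(65535)
        latency = (time.monotonic() - start) * 1000.0
    except socket.timeout:
        return None, None
    finally:
        sock.close()
    parsed = parse_response(data)
    if parsed["id"] != qid:
        return None, None
    return latency, parsed


def classify(latency_ms, budget_ms):
    """Label a measurement against an assumed per-resolver timeout budget:
    anything past half the budget is already risky under load."""
    if latency_ms is None:
        return "TIMEOUT"
    if latency_ms >= budget_ms:
        return "OVER_BUDGET"
    if latency_ms >= budget_ms * 0.5:
        return "MARGINAL"
    return "OK"


if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com."   # hypothetical zone
    server = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"     # hypothetical IPA DNS host
    budget = 1000.0                                                 # assumed budget in ms
    for dnssec in (False, True):
        lat, resp = measure(zone, server, dnssec)
        size = resp["size"] if resp else "-"
        tc = resp["truncated"] if resp else "-"
        print(f"dnssec={dnssec} latency_ms={lat} size={size} truncated={tc} "
              f"-> {classify(lat, budget)}")
```

Run it against the IPA server's own address and then against the NS records the public internet sees, comparing the two `dnssec=` lines: a jump in `size` with `truncated=True` means the signed answer no longer fits the UDP payload and will be retried over TCP, and a latency label of MARGINAL or worse is the condition the post describes, where a resolver far from the host gives up before the answer arrives.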

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
