On Wed, 09 Aug 2023, Alan Latteri via FreeIPA-users wrote:
> OK....but why is this? It is a very clean and standard install of FreeIPA, the domains are added via standard methods in the GUI. Everything but the apex domain of the IPA server works totally fine. No reason this should not work. What is the solution to achieve this scenario?

This is not a FreeIPA-specific problem. It is a generic DNS setup issue. A DNS server needs to know where to go for NS for a specific zone. Since your NS record uses something BIND cannot resolve because it is loading a parent zone for that NS record's value, it cannot complete its validation of the loaded values.

You can imitate the same with a plain BIND setup as well. It will be failing that zone load too. Other DNS server implementations might postpone NS record value validation to a later stage, though I doubt it; most do validate static values at zone load time.

If you want IPA to serve the parent zone, use a different name in the NS record that belongs to a different DNS zone that is hosted elsewhere. Remember that DNS is hierarchical.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
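
Added example, not part of the thread and not BIND or FreeIPA code: a simplified sketch of the load-time condition described in the reply, flagging apex NS targets that fall inside the zone being loaded but have no address record in it. The zone name `example.test.`, the host names and the addresses are constructed; the function names are hypothetical.

```python
# Simplified in-zone NS check (added example; not BIND's implementation).
# All zone names, host names and addresses below are constructed sample data.

def fqdn(name, origin):
    """Return a lower-case absolute name; relative names get the origin appended."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def in_zone(name, origin):
    """True if name is the zone origin itself or a descendant of it."""
    return name == origin or name.endswith("." + origin)

def unresolvable_ns(origin, records):
    """List apex NS targets inside the zone that have no A/AAAA record in it.

    records: iterable of (owner, rrtype, rdata) tuples.
    Targets outside the zone are skipped: a different zone answers for them.
    """
    origin = origin.lower()
    rrs = [(fqdn(o, origin), t.upper(), d) for o, t, d in records]
    have_addr = {o for o, t, _ in rrs if t in ("A", "AAAA")}
    problems = []
    for owner, rrtype, rdata in rrs:
        if rrtype != "NS" or owner != origin:
            continue
        target = fqdn(rdata, origin)
        if in_zone(target, origin) and target not in have_addr:
            problems.append(target)
    return problems

ORIGIN = "example.test."
# Parent zone whose NS names a host below it, with nothing in the zone to resolve it.
BROKEN = [("@", "NS", "ipa1.ipa.example.test.")]
# The advice from the reply: NS name belongs to a different zone hosted elsewhere.
EXTERNAL_NS = [("@", "NS", "ns1.dns-host.test.")]
# Alternative: the in-zone target has its own address record.
WITH_ADDR = [("@", "NS", "ns1"), ("ns1", "A", "192.0.2.53")]

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("external NS", EXTERNAL_NS),
                        ("with address", WITH_ADDR)):
        print(label, "->", unresolvable_ns(ORIGIN, zone) or "ok")
```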
