Hello, I am running CentOS7:

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

I configured my DNS forwarder when I did the install process of the secondary node of IPA:

[root@slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg

Thanks,
Nuno

> On 14 Jun 2016, at 15:28, Petr Spacek <[email protected]> wrote:
>
> On 14.6.2016 13:01, Nuno Higgs wrote:
>> Hello,
>>
>> Found it:
>>
>> It appears that my forwarder is NOT DNSSEC happy:
>>
>> in: /var/named/data/named.run
>>
>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent
>> indicates it should be secure
>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>
>> So, I changed the /etc/named.conf
>>
>> from:
>>
>> dnssec-enable yes;
>> dnssec-validation yes;
>>
>> to:
>>
>> dnssec-enable yes;
>> dnssec-validation no;
>>
>> Everything is working fine now.
>
> Okay, it explains a lot.
>
> Please note that configuration "dnssec-validation no;" lowers security bar for
> attackers and is strongly discouraged!
>
> The issue is most likely caused by non-compliant forwarder which mangles DNS
> data somehow before they reach your IPA DNS server.
>
> I would recommend you to check DNS forwarder on 10.0.157.35 and see it is
> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
> returning back to "dnssec-validation yes;" after fixing the forwarder config.
>
> IPA 4.3 or newer should print a warning about such broken forwarders whenever
> you try to configure them using IPA commands.
>
> What version of IPA do you use?
>
> How did you configure the forwarder in IPA?
>
> Petr^2 Spacek
>
>> Thanks for your help!
>> Nuno
>>
>>> On 13 Jun 2016, at 10:14, Nuno Higgs <[email protected]> wrote:
>>>
>>> Hello again,
>>>
>>> [root@ipa01 ~]# kinit user
>>> Password for [email protected]:
>>> [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>   Zone name: domain.eu.
>>>   Active zone: TRUE
>>>   Zone forwarders: 194.65.3.20 195.65.3.21
>>>   Forward policy: only
>>> [root@ipa01 ~]#
>>>
>>> [root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>   Zone name: domain.eu.
>>>   Active zone: TRUE
>>>   Zone forwarders: 194.65.3.20 195.65.3.21
>>>   Forward policy: only
>>> [root@ipa02 ~]#
>>>
>>> On both servers the return is the same.
>>> I haven't touched the DNS config besides deleting the zone and recreating it.
>>>
>>> I am at a loss. What can be the issue here?
>>>
>>> Thanks,
>>> Nuno
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Petr Spacek
>>> Sent: Monday, 13 June 2016 06:50
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>
>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>> Hello all,
>>>>
>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>>> geographic replication.
>>>>
>>>> I have added it as stated in the documentation here:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>
>>>> All was replicated correctly, and I can do a kinit user@DOMAIN with
>>>> success within the replica.
>>>>
>>>> However there is a problem with the DNS sections:
>>>>
>>>> Although DNS is OK, my configuration within IPA on the first server
>>>> regarding DNS zones that are set on forward only are not.
>>>>
>>>> In my first server, I can do a forward of domain - let's say domain.eu.
>>>> On the second server (replica) the forward is shown configured correctly
>>>> within the webgui but it does not work, giving an NX error on query
>>>> www.domain.eu (the A Record exists and is shown on the first server).
>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>>> isn't a network permissions issue.
>>>>
>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>
>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>> something?
>>>
>>> Hello,
>>>
>>> it could be either a DNS configuration problem or an LDAP replication
>>> problem.
>>>
>>> Please show us output from command:
>>> $ ipa dnsforwardzone-show domain.eu
>>> from all IPA servers you have.
>>>
>>> The output should be the same. If it is not the same then you are most
>>> likely facing a replication problem, please see
>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>
>>> --
>>> Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
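Petr's advice in the thread is to verify that the forwarder at 10.0.157.35 passes DNSSEC data through before switching `dnssec-validation yes;` back on. The script below is an added example, not part of the thread or of FreeIPA: it checks the output of `dig +dnssec . DNSKEY @<forwarder>` for the signed root DNSKEY RRset, which is exactly what the "got insecure response; parent indicates it should be secure" log line says was missing. The function names, the sample dig outputs and the key/signature strings in them are constructed for illustration.

```shell
# check_dig_output OUTPUT: inspect the text of "dig +dnssec . DNSKEY @<fwd>"
# and report whether the forwarder passed DNSSEC data through intact.
# A compliant forwarder answers NOERROR, returns the RRSIG over the root
# DNSKEY RRset and keeps the EDNS DO flag; a mangling forwarder drops the
# RRSIGs, which is what makes a validating BIND log "got insecure
# response; parent indicates it should be secure". Returns 0 if fine, 1 if not.
check_dig_output() {
    out="$1"
    if ! printf '%s\n' "$out" | grep -q 'status: NOERROR'; then
        echo "BROKEN: query did not return NOERROR"; return 1
    fi
    if ! printf '%s\n' "$out" | grep -Eq '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+RRSIG[[:space:]]+DNSKEY'; then
        echo "BROKEN: no RRSIG over the root DNSKEY RRset (signatures stripped)"; return 1
    fi
    if ! printf '%s\n' "$out" | grep -Eq '^; EDNS: .*flags: ?do'; then
        echo "BROKEN: forwarder cleared the EDNS DO flag"; return 1
    fi
    echo "OK: forwarder returns signed DNSKEY data"
}

# check_forwarder IP: run the real query (needs dig and network access).
check_forwarder() {
    check_dig_output "$(dig +dnssec +bufsize=4096 . DNSKEY @"$1")"
}

# Constructed sample outputs; key and signature material are placeholders.
GOOD_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
.   172800  IN  DNSKEY  256 3 8 AwEAAexampleZSK==
.   172800  IN  DNSKEY  257 3 8 AwEAAexampleKSK==
.   172800  IN  RRSIG   DNSKEY 8 0 172800 20160701000000 20160610000000 19036 . exampleSig=='
BAD_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
.   172800  IN  DNSKEY  256 3 8 AwEAAexampleZSK==
.   172800  IN  DNSKEY  257 3 8 AwEAAexampleKSK=='

if [ "$#" -gt 0 ]; then
    check_forwarder "$1"                 # e.g. ./check_forwarder.sh 10.0.157.35
else
    check_dig_output "$GOOD_DIG"
    check_dig_output "$BAD_DIG" || true
fi
```

Run it with the forwarder address as the only argument to test a real forwarder; with no argument it runs against the two constructed samples, the second of which is the signature-stripping case seen in the thread.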
