On 14.6.2016 17:29, Nuno Higgs wrote:
> Hello,
>
> I am running CentOS7:
>
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> I configured my DNS forward when I did the install process of the secondary
> node of IPA:
>
> [root@slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg

Interesting, 4.2.0 should have checks to detect this problem.

Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?
It should be something like "DNS server <IP address> does not support DNSSEC".

Thanks.
Petr^2 Spacek

> Thanks,
> Nuno
>
>> On 14 Jun 2016, at 15:28, Petr Spacek <[email protected]> wrote:
>>
>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>> Hello,
>>>
>>> Found it:
>>>
>>> It appears that my forwarder is NOT DNSSEC happy:
>>>
>>> in: /var/named/data/named.run
>>>
>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>
>>> So, I changed the /etc/named.conf
>>>
>>> from:
>>>
>>> dnssec-enable yes;
>>> dnssec-validation yes;
>>>
>>> to:
>>>
>>> dnssec-enable yes;
>>> dnssec-validation no;
>>>
>>> Everything is working fine now.
>>
>> Okay, it explains a lot.
>>
>> Please note that the configuration "dnssec-validation no;" lowers the security bar
>> for attackers and is strongly discouraged!
>>
>> The issue is most likely caused by a non-compliant forwarder which mangles DNS
>> data somehow before they reach your IPA DNS server.
>>
>> I would recommend you to check the DNS forwarder on 10.0.157.35 and see if it is
>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>> returning back to "dnssec-validation yes;" after fixing the forwarder config.
>>
>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>> you try to configure them using IPA commands.
>>
>> What version of IPA do you use?
>>
>> How did you configure the forwarder in IPA?
>>
>> Petr^2 Spacek
>>
>>> Thanks for your help!
>>> Nuno
>>>
>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <[email protected]> wrote:
>>>>
>>>> Hello again,
>>>>
>>>> [root@ipa01 ~]# kinit user
>>>> Password for [email protected]:
>>>> [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>>   Zone name: domain.eu.
>>>>   Active zone: TRUE
>>>>   Zone forwarders: 194.65.3.20 195.65.3.21
>>>>   Forward policy: only
>>>> [root@ipa01 ~]#
>>>>
>>>> [root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>   Zone name: domain.eu.
>>>>   Active zone: TRUE
>>>>   Zone forwarders: 194.65.3.20 195.65.3.21
>>>>   Forward policy: only
>>>> [root@ipa02 ~]#
>>>>
>>>> On both servers the return is the same.
>>>> I haven't touched the DNS config besides deleting the zone and recreating it.
>>>>
>>>> I am at a loss. What can be the issue here?
>>>>
>>>> Thanks,
>>>> Nuno
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Petr Spacek
>>>> Sent: Monday, 13 June 2016 06:50
>>>> To: [email protected]
>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>
>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>> Hello all,
>>>>>
>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to geographic replication.
>>>>>
>>>>> I have added it as stated in the documentation here:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>
>>>>> All was replicated correctly, and I can do a kinit user@DOMAIN with success within the replica.
>>>>>
>>>>> However there is a problem with the DNS sections:
>>>>>
>>>>> Although DNS is OK, my configuration within IPA on the first server regarding DNS zones that are set to forward only is not.
>>>>>
>>>>> In my first server, I can do a forward of a domain - let's say domain.eu. On the second server (replica) the forward is shown configured correctly within the webgui but it does not work, giving an NX error on query www.domain.eu (the A Record exists and is shown on the first server). It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>>>>>
>>>>> I have deleted the zone on the master (and replica), and recreated it. On the first server, it worked fine. On the replica the problem persisted.
>>>>>
>>>>> Am I missing anything? Is there an undocumented trick, or have I missed something?
>>>>
>>>> Hello,
>>>>
>>>> it could be either a DNS configuration problem or an LDAP replication problem.
>>>>
>>>> Please show us output from command:
>>>> $ ipa dnsforwardzone-show domain.eu
>>>> from all IPA servers you have.
>>>>
>>>> The output should be the same. If it is not the same then you are most likely facing a replication problem, please see
>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>
>>>> --
>>>> Petr^2 Spacek
>
>

--
Petr Spacek @ Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
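As an added illustration of the forwarder check Petr refers to ("DNS server <IP address> does not support DNSSEC"), and not code from this thread or from FreeIPA itself: a validating resolver such as the IPA-managed named needs its forwarder to honour the EDNS0 DO bit and pass RRSIG records through unchanged; a forwarder that strips them is what produces the "got insecure response; parent indicates it should be secure" failure on `./DNSKEY` quoted above, and turning `dnssec-validation` off only hides that. The script below builds the probe query (`./DNSKEY` with DO set), parses a reply far enough to see the rcode, the AD and DO bits and the record types returned, and reports whether the forwarder is usable. All function names are mine, and the two sample replies are constructed byte strings with dummy record contents, not real captures; `probe_forwarder` is the only part that talks to the network and is not exercised by the samples.

```python
"""Check whether a DNS forwarder passes DNSSEC data through (added example,
not FreeIPA's own checker). Only the standard library is used."""
import secrets
import socket
import struct

RRTYPE_OPT = 41          # EDNS0 pseudo-record
RRTYPE_RRSIG = 46        # DNSSEC signature record
RRTYPE_DNSKEY = 48       # DNSSEC public key record
EDNS_DO_FLAG = 0x8000    # "DNSSEC OK" bit in the OPT record's flags
HEADER_AD_FLAG = 0x0020  # "authenticated data" bit in the header flags


def _encode_name(name):
    """Wire-encode a dotted name; '.' becomes the single root label."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def _edns_opt_rr(do_bit=True):
    """OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags, rdlen 0."""
    flags = EDNS_DO_FLAG if do_bit else 0
    return b'\x00' + struct.pack('!HHBBHH', RRTYPE_OPT, 4096, 0, 0, flags, 0)


def build_dnssec_query(name='.', qtype=RRTYPE_DNSKEY, txid=None):
    """Build the probe: <name>/<qtype>, recursion desired, EDNS0 with DO set."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1)  # RD; QDCOUNT=1; ARCOUNT=1 (OPT)
    return header + _encode_name(name) + struct.pack('!HH', qtype, 1) + _edns_opt_rr()


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def analyse_response(buf):
    """Parse a reply far enough to see rcode, AD bit, EDNS DO bit and the RR types present."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from('!HHHHHH', buf, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4          # skip QTYPE + QCLASS
    types, do_bit = [], False
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from('!HHIH', buf, off)
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            do_bit = bool(ttl & EDNS_DO_FLAG)   # OPT reuses the TTL field for EDNS flags
        else:
            types.append(rtype)
    return {'rcode': flags & 0xF, 'ad': bool(flags & HEADER_AD_FLAG),
            'do': do_bit, 'rrsig': RRTYPE_RRSIG in types, 'types': types}


def forwarder_supports_dnssec(response):
    """True only if the reply is NOERROR, echoes the DO bit and carries RRSIG data."""
    r = analyse_response(response)
    return r['rcode'] == 0 and r['do'] and r['rrsig']


def probe_forwarder(server_ip, name='.', timeout=3.0):
    """Network version (not used by the samples): send the probe over UDP and analyse the reply."""
    query = build_dnssec_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError('transaction id mismatch')
    return analyse_response(reply)


def _constructed_reply(query, rr_types, with_opt_do, ad=False):
    """Constructed sample reply (not a real capture): echo the question, add one dummy RR per type."""
    question = query[12:_skip_name(query, 12) + 4]
    rrs = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', t, 1, 3600, 4) + b'\x00\x01\x02\x03'
                   for t in rr_types)                     # name = pointer to the question name
    flags = 0x8180 | (HEADER_AD_FLAG if ad else 0)        # QR, RD, RA (+AD)
    opt = _edns_opt_rr() if with_opt_do else b''
    header = query[:2] + struct.pack('!HHHHH', flags, 1, len(rr_types), 0, 1 if with_opt_do else 0)
    return header + question + rrs + opt


PROBE = build_dnssec_query('.', txid=0x1234)
# Compliant forwarder: DNSKEY plus its RRSIG, DO echoed, AD set by its own validator.
GOOD_REPLY = _constructed_reply(PROBE, [RRTYPE_DNSKEY, RRTYPE_RRSIG], with_opt_do=True, ad=True)
# Mangling forwarder: DNSKEY only, signatures and EDNS stripped (the "insecure response" case).
STRIPPED_REPLY = _constructed_reply(PROBE, [RRTYPE_DNSKEY], with_opt_do=False)

if __name__ == '__main__':
    print('compliant forwarder usable:', forwarder_supports_dnssec(GOOD_REPLY))
    print('stripping forwarder usable:', forwarder_supports_dnssec(STRIPPED_REPLY))
```

Against a real forwarder, `probe_forwarder('10.0.157.35')` returns the same dictionary; a result with `do` false or `rrsig` false is the condition to fix on the forwarder before switching `dnssec-validation yes;` back on, rather than a reason to leave validation off.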
