On 21.6.2016 15:03, [email protected] wrote:
> Solution found (or, if not, a workaround):
> IPA replicas must be named in the root domain/zone and not in a subdomain,
> else DNS fails to serve records in the root domain. Once we changed our
> configuration to reflect this, DNS returned to normal.
This is most likely a workaround for some sort of misconfiguration; FreeIPA itself does not require anything like that.

Petr^2 Spacek

> From: <[email protected]> on behalf of Daniel Finkestein <[email protected]>
> Date: Tuesday, June 21, 2016 at 07:21
> To: "[email protected]" <[email protected]>
> Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
>
> Hi Petr,
>
> Top level means the root zone of the various DNS trees we serve. For example,
> h5g.com would be the root and dev.h5g.com, test.h5g.com, etc., would be the
> subdomains. Our subdomains query fine, but any hosts in the root domain no
> longer resolve.
>
> An example of an unresolvable name is IPA itself: ipa.h5g.com. Here's output
> from dig:
>
> [root@ipa ~]# dig ipa.h5g.com
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.h5g.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa.h5g.com.                   IN      A
>
> ;; Query time: 0 msec
> ;; SERVER: 10.55.10.31#53(10.55.10.31)
> ;; WHEN: Tue Jun 21 07:15:14 EDT 2016
> ;; MSG SIZE  rcvd: 42
>
> We expect that its IP address returns from dig, but it doesn't.
>
> We have 100 zones defined, including forward and reverse zones — all active.
>
> We do use DNS forwarding, but in a very unsophisticated way: we set up the
> forwarders to go to Google if our DNS can't resolve a name.
>
> Thanks and regards,
> Dan
>
> Daniel Alex Finkelstein | Lead Dev Ops Engineer
> [email protected] | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
>
> From: <[email protected]> on behalf of Petr Spacek <[email protected]>
> Organization: Red Hat
> Date: Tuesday, June 21, 2016 at 06:04
> To: "[email protected]" <[email protected]>
> Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
>
> On 21.6.2016 11:23, [email protected] wrote:
> We've recently set up a "clean" install of FreeIPA replete with replicas, but
> we just noticed an odd behavior in the DNS service: hosts in the top level
> domain (like ipa.example.com) do not resolve, whereas hosts in subdomains
> (like ipa.dev.example.com) do. I'm not sure what to look for in the various
> log files but I don't see any obvious errors.
> I thought perhaps this might have some guidance
> https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and
> maybe it does, but I'm not sure how to rescue my top-level domain names.
>
> Hi,
>
> we can certainly debug this but first of all, please clarify what 'top-level'
> means.
>
> If you really want help please do not obfuscate any DNS names. It often hides
> real problems while not improving security in any way. (BTW you do not need to
> hide domain names like 'NY5-EXMB1.High5.local' because these already leaked
> through e-mail headers :-)
>
> So, here are the important questions:
> 0) What name is unresolvable?
>    $ dig the.problematic.name.example.
>
> 1) What is the expected result from "dig"?
>
> 2) What DNS zones are configured in IPA?
>    $ ipa dnszone-find
>
> 3) Do you use DNS forwarding? (--forwarders option during IPA install or
>    commands ipa dnsforwardzone-*, ipa dnsconfig-mod etc.)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
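The thread turns on comparing `dig` results for names directly in the parent zone (ipa.h5g.com) with names in child zones (ipa.dev.h5g.com). As an added example that is not part of the list thread and not FreeIPA's own tooling, the Python below parses saved `dig` transcripts, maps each queried name to the most specific configured zone (the kind of list `ipa dnszone-find` would give you; the three zones here are assumed), and reports zones whose own names return SERVFAIL while a child zone answers NOERROR. The first transcript reproduces the SERVFAIL output quoted above; the second is constructed, and its 192.0.2.10 address is a documentation address, not a real host. All function names are the example's own.

```python
import re
from collections import defaultdict

# Patterns for the lines of a BIND 9.9-style `dig` transcript that matter for triage.
_STATUS_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
_SERVER_RE = re.compile(r";; SERVER: (\S+)")
_QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$", re.MULTILINE)
_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_dig(text):
    """Parse one `dig` transcript into name, qtype, rcode, answering server and answer RRs."""
    result = {"name": None, "qtype": None, "status": None, "server": None, "answers": []}
    m = _STATUS_RE.search(text)
    if m:
        result["status"] = m.group(2)
    m = _SERVER_RE.search(text)
    if m:
        result["server"] = m.group(1)
    m = _QUESTION_RE.search(text)
    if m:
        result["name"], result["qtype"] = m.group(1), m.group(2)
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False  # blank line or next section header ends the answer section
                continue
            rr = _RR_RE.match(line)
            if rr:
                result["answers"].append((rr.group(1), rr.group(3), rr.group(4)))
    return result


def zone_for(name, zones):
    """Return the most specific (longest-suffix) configured zone containing `name`, or None."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def status_by_zone(dig_outputs, zones):
    """Group queried names by owning zone and rcode so apex-vs-subdomain failures stand out."""
    summary = defaultdict(lambda: defaultdict(list))
    for text in dig_outputs:
        parsed = parse_dig(text)
        zone = zone_for(parsed["name"], zones) or "(no configured zone)"
        summary[zone][parsed["status"]].append(parsed["name"])
    return {z: dict(v) for z, v in summary.items()}


def zones_failing_at_apex(dig_outputs, zones):
    """Zones with a SERVFAIL for a name they own directly while some child zone answers NOERROR."""
    summary = status_by_zone(dig_outputs, zones)
    failing = []
    for zone, by_status in summary.items():
        if "SERVFAIL" not in by_status:
            continue
        child_ok = any(other.endswith("." + zone) and "NOERROR" in summary[other] for other in summary)
        if child_ok:
            failing.append(zone)
    return sorted(failing)


# Constructed samples: the first mirrors the SERVFAIL transcript from the thread, the second is an
# invented NOERROR answer for a subdomain host (192.0.2.10 is a documentation address).
DIG_APEX_SERVFAIL = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.h5g.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa.h5g.com.\t\t\tIN\tA

;; Query time: 0 msec
;; SERVER: 10.55.10.31#53(10.55.10.31)
;; WHEN: Tue Jun 21 07:15:14 EDT 2016
;; MSG SIZE  rcvd: 42
"""

DIG_SUB_NOERROR = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.dev.h5g.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa.dev.h5g.com.\t\tIN\tA

;; ANSWER SECTION:
ipa.dev.h5g.com.\t300\tIN\tA\t192.0.2.10

;; SERVER: 10.55.10.31#53(10.55.10.31)
"""

# Assumed zone list, standing in for the output of `ipa dnszone-find`.
ZONES = ["h5g.com", "dev.h5g.com", "test.h5g.com"]

if __name__ == "__main__":
    print(status_by_zone([DIG_APEX_SERVFAIL, DIG_SUB_NOERROR], ZONES))
    print("zones failing at apex:", zones_failing_at_apex([DIG_APEX_SERVFAIL, DIG_SUB_NOERROR], ZONES))
```

In practice you would collect one transcript per host name (`dig name > name.txt`) against each IPA server's address, feed the files in, and read the per-zone summary: a zone listed under SERVFAIL while its children answer points at that zone's configuration on the server named in `;; SERVER:`, which is the data Petr's questions 0) to 3) are asking for.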
