Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

Wed, 19 Apr 2017 06:24:26 -0700

IPA servers always check if DNSSEC is working on forwarders, but it is just warning. If you have disabled dnssec in named.conf then it is okay.
I'm not sure why sometimes you see this warning and sometimes don't, maybe inconsistent replies from forwarder. 

domain ".internal" should always fail because it is unregistered TLD

Martin


On 19.04.2017 15:11, Dan Dietterich wrote:



My configuration is a single ipa server and both the code path and the 
bash prompt path are running on the node that is also running the ipa 
server. I thought that since FreeIPA was installed with 
--no-dnssec-validation that I should never see this warning. And I 
confirmed that both dnssec-enabled and dnssec-validation are set to 
'no' in the /etc/named.conf.


So I'm confused that you say the DNSSEC should always fail.

Thanks for your help!

*From: *Martin Bašti <[email protected]>
*Date: *Wednesday, April 19, 2017 at 3:59 AM

*To: *Dan Dietterich <[email protected]>, "[email protected]" 
<[email protected]>
*Subject: *Re: [Freeipa-users] DNSSEC warning when DNSSEC should be 
disabled


On 13.04.2017 22:50, Dan Dietterich wrote:

    I am seeing inconsistent results configuring a DNS forward zone.

    At a bash prompt, as root, after kinit admin, I do:

    ipa dnsforwardzone-add domain.internal  --forwarder= ww.xx.yy.zz
    --forward-policy=only

    That works fine and does not warn about DNSSEC.

    In a Java webapp running as root under a Jetty, I run a shell
    sub-process and issue the kinit and the same ipa statement.

    _/Sometimes/_, I get

    ipa: WARNING: DNSSEC validation failed: record 'domain.internal.
    SOA' failed DNSSEC validation on server ww.xx.yy.zz.

    Please verify your DNSSEC configuration or disable DNSSEC
    validation on all IPA servers.

    I modified the /etc/named.conf file to say:

    dnssec-enable no;

    dnssec-validation no;

    and systemctl restart ipa

    Any clue why the results are different?

    ipa –version: VERSION: 4.4.0, API_VERSION: 2.213

    Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC
    2017 x86_64 x86_64 x86_64 GNU/Linux

    Thanks for any insight!

    Regards,

    Dan




Hello,


checks are done on IPA server side, how many servers do you have? Is 
possible that CLI connects to different servers.



However in this case, DNSSEC check should always fail and report 
error, so it is weird why it passed.


Martin

--
Martin Bašti
Software Engineer
Red Hat Czech


--
Martin Bašti
Software Engineer
Red Hat Czech


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to