I recently had a server that didn't get added to DNS but was joined to FreeIPA 
system.  I just went back to fix it.  I tried removing the host, rebooting, and 
re-adding it to the FreeIPA system.  After doing this new DNS records did not 
get added.  I went back to manually add the DNS records (A, SSHFP) and was 
successful; however, when I try to ssh to the server I get this:
[andrew.meyer@jump01 ~]$ ssh pihole01.loc.example.com
sss_ssh_knownhostsproxy: Could not resolve hostname pihole01.loc.example.com
kex_exchange_identification: Connection closed by remote host
[andrew.meyer@jump01 ~]$ 

But when I try to run a dig against the records added, none of them come 
back.

[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com 

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 05879881b6a519f543d896f85ecd7e4235ba486f22821495 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com.      IN      A

;; AUTHORITY SECTION:
loc.example.com.        3600    IN      SOA     freeipa001.loc.example.com. 
hostmaster.loc.example.com. 1590523365 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 15:38:26 CDT 2020
;; MSG SIZE  rcvd: 141

[andrew.meyer@jump01 ~]$

[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com A

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da22b671a9a042aa3acbb8d95ecd71177b0f9a24a87f4651 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com.      IN      A

;; AUTHORITY SECTION:
loc.example.com.        3600    IN      SOA     freeipa001.loc.example.com. 
hostmaster.loc.example.com. 1590520949 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 14:42:15 CDT 2020
;; MSG SIZE  rcvd: 141

[andrew.meyer@jump01 ~]$

Here are the logs from bind on the freeipa server:

26-May-2020 15:27:24.686 validating asm-fedora.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:27:24.687 broken trust chain resolving 
'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid RRSIG resolving 'asm-fedora/DS/IN': 
10.150.10.40#53
26-May-2020 15:27:24.729 no valid DS resolving 'asm-fedora/A/IN': 
10.150.10.40#53
26-May-2020 15:28:00.622 validating asm-fedora.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:28:00.622 broken trust chain resolving 
'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:00.636 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:00.636 broken trust chain resolving 'asm-fedora/A/IN': 
10.150.10.40#53
26-May-2020 15:28:03.868 validating asm-fedora.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:28:03.869 broken trust chain resolving 
'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:03.886 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:03.886 broken trust chain resolving 'asm-fedora/A/IN': 
10.150.10.40#53
26-May-2020 15:28:08.154 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:08.223 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:08.280 validating ocsp.swisssign.net/A: no valid signature 
found
26-May-2020 15:28:08.349   validating swisssign.net/SOA: no valid signature 
found
26-May-2020 15:28:08.350   validating ocsp.swisssign.net/NSEC: no valid 
signature found
26-May-2020 15:28:11.556 insecurity proof failed resolving 
'incoming.telemetry.mozilla.org/A/IN': 10.150.10.40#53
26-May-2020 15:28:11.556 insecurity proof failed resolving 
'incoming.telemetry.mozilla.org/AAAA/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 
'snippets.cdn.mozilla.net/A/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 
'snippets.cdn.mozilla.net/AAAA/IN': 10.150.10.40#53
26-May-2020 15:28:26.783 validating gold-server-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:26.897 validating gold-server-g2.ocsp.swisssign.net/CNAME: no 
valid signature found
26-May-2020 15:28:47.512 insecurity proof failed resolving 
'consent.cookiebot.com/A/IN': 10.150.10.40#53
26-May-2020 15:28:47.512 insecurity proof failed resolving 
'consent.cookiebot.com/AAAA/IN': 10.150.10.40#53
26-May-2020 15:29:45.969 validating vrty.org.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:29:45.969 broken trust chain resolving 
'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid DS resolving 'vrty.org.example.local/A/IN': 
10.150.10.40#53
26-May-2020 15:39:28.026 validating vrty.org.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:39:28.026 broken trust chain resolving 
'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.352 validating librenms.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:40:21.352 broken trust chain resolving 
'librenms.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.370 validating grocy01.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:40:21.370 broken trust chain resolving 
'grocy01.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.392 validating grocy01.example.local/MX: bad cache hit 
(local/DS)
26-May-2020 15:40:21.392 broken trust chain resolving 
'grocy01.example.local/MX/IN': 10.150.10.40#53
26-May-2020 15:40:21.393 validating librenms.example.local/MX: bad cache hit 
(local/DS)
26-May-2020 15:40:21.393 broken trust chain resolving 
'librenms.example.local/MX/IN': 10.150.10.40#53
26-May-2020 15:44:27.810 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:44:27.810 no valid DS resolving 'vrty.org.example.local/A/IN': 
10.150.10.40#53
26-May-2020 15:46:40.756 validating 
pihole01.loc.example.com.example.local/AAAA: bad cache hit (local/DS)
26-May-2020 15:46:40.756 broken trust chain resolving 
'pihole01.loc.example.com.example.local/AAAA/IN': 10.150.10.40#53
26-May-2020 15:46:40.760 validating pihole01.loc.example.com.example.local/A: 
bad cache hit (local/DS)
26-May-2020 15:46:40.760 broken trust chain resolving 
'pihole01.loc.example.com.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:48:52.134 insecurity proof failed resolving 
'collection-endpoint-prod.herokuapp.com/A/IN': 10.150.10.40#53
26-May-2020 15:49:31.721 validating vrty.org.example.local/A: bad cache hit 
(local/DS)
26-May-2020 15:49:31.721 broken trust chain resolving 
'vrty.org.example.local/A/IN': 10.150.10.40#53
[root@freeipa001 data]# 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
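A triage helper for the two artefacts above, written as an added example for this thread (it is not FreeIPA's or BIND's own tooling, and the sample inputs are constructed copies of the dig and named output in the post, with the wrapped SOA line joined). It parses the dig header so that an NXDOMAIN carrying the `aa` flag is reported as the authoritative server itself denying the name (the zone served by 10.150.10.12 lacks the record, even though the serial rose between the two queries), records the zone serial for comparing a later dig, and scans the named log for two things: query names that are the expected FQDN with a further suffix glued on (the `pihole01.loc.example.com.example.local` lines, which are a client search list re-qualifying an already fully qualified name) and DNSSEC validation failures grouped by forwarder together with the apex whose DS could not be proven (`local`, which has no delegation in the root, so no chain of trust to it can exist). The function and key names are this example's own assumptions.

```python
import re

# Constructed sample: header, flags, question and authority lines copied from the
# post's first dig (a complete dig transcript works as input just as well).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;pihole01.loc.example.com.      IN      A
;; AUTHORITY SECTION:
loc.example.com.        3600    IN      SOA     freeipa001.loc.example.com. hostmaster.loc.example.com. 1590523365 3600 900 1209600 3600
;; SERVER: 10.150.10.12#53(10.150.10.12)
"""

# Constructed sample: a handful of named log lines copied from the post.
NAMED_LOG = """\
26-May-2020 15:34:26.510 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid DS resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:46:40.756 validating pihole01.loc.example.com.example.local/AAAA: bad cache hit (local/DS)
26-May-2020 15:46:40.756 broken trust chain resolving 'pihole01.loc.example.com.example.local/AAAA/IN': 10.150.10.40#53
26-May-2020 15:46:40.760 validating pihole01.loc.example.com.example.local/A: bad cache hit (local/DS)
26-May-2020 15:46:40.760 broken trust chain resolving 'pihole01.loc.example.com.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:48:52.134 insecurity proof failed resolving 'collection-endpoint-prod.herokuapp.com/A/IN': 10.150.10.40#53
"""


def parse_dig(text):
    """Pull status, flags, answer count, queried name, SOA serial and server out of dig output."""
    info = {"status": None, "flags": [], "answer": 0, "qname": None,
            "soa_serial": None, "server": None}
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            info["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags, counts = line[len(";; flags:"):].split(";", 1)
            info["flags"] = flags.split()
            info["answer"] = int(re.search(r"ANSWER: (\d+)", counts).group(1))
        elif line.startswith(";; SERVER:"):
            info["server"] = line.split()[2].split("#")[0]
        elif line.startswith(";") and not line.startswith((";;", "; ")):
            info["qname"] = line[1:].split()[0].rstrip(".")   # question: ;name. IN A
        elif re.search(r"\sIN\s+SOA\s", line):
            info["soa_serial"] = int(line.split()[6])        # mname rname SERIAL ...
    return info


def classify_dig(info):
    """A negative answer means different things depending on who produced it."""
    if info["status"] == "NXDOMAIN" and "aa" in info["flags"]:
        # The server owning the zone says the name does not exist: the record is
        # not in the zone data it is serving, whatever the management UI shows.
        return "authoritative-nxdomain"
    if info["status"] == "NXDOMAIN":
        return "cached-nxdomain"      # negative cache; can outlive a late fix
    if info["status"] == "SERVFAIL":
        return "servfail"             # commonly a DNSSEC validation failure
    if info["status"] == "NOERROR" and info["answer"] == 0:
        return "nodata"               # name exists, but not with this record type
    return "answered"


def parse_named_log(text):
    """Split BIND log lines into timestamp, message, the name/type involved and the forwarder."""
    entries = []
    for line in text.splitlines():
        date, clock, msg = line.split(" ", 2)
        m = re.search(r"(?:resolving '|validating\s+)([^'/ ]+)/(\w+)", msg)
        fwd = re.search(r"(\d+(?:\.\d+){3})#\d+$", msg)
        entries.append({"ts": f"{date} {clock}", "msg": msg,
                        "name": m.group(1) if m else None,
                        "rtype": m.group(2) if m else None,
                        "forwarder": fwd.group(1) if fwd else None})
    return entries


def search_suffix_leaks(entries, fqdn):
    """Names equal to the expected FQDN plus an appended suffix: a client search list
    re-qualified an already fully qualified name, so the query landed in another zone."""
    return {e["name"]: e["name"][len(fqdn) + 1:]
            for e in entries if e["name"] and e["name"].startswith(fqdn + ".")}


def dnssec_failures(entries):
    """Validation failures counted per forwarder, plus each apex whose DS could not be proven."""
    bad = ("broken trust chain", "no valid DS", "no valid RRSIG",
           "insecurity proof failed", "no valid signature")
    per_fwd, bogus_apex = {}, set()
    for e in entries:
        if e["forwarder"] and any(k in e["msg"] for k in bad):
            per_fwd[e["forwarder"]] = per_fwd.get(e["forwarder"], 0) + 1
        m = re.search(r"bad cache hit \(([^/]+)/DS\)|resolving '([^/]+)/DS/IN'", e["msg"])
        if m:
            bogus_apex.add(m.group(1) or m.group(2))
    return per_fwd, bogus_apex


def diagnose(dig_text, log_text):
    """Combine both sources into one set of findings (keys are this example's own)."""
    info = parse_dig(dig_text)
    entries = parse_named_log(log_text)
    per_fwd, bogus_apex = dnssec_failures(entries)
    return {
        "verdict": classify_dig(info),
        "zone_serial": info["soa_serial"],
        "answering_server": info["server"],
        "search_suffix_leaks": search_suffix_leaks(entries, info["qname"]),
        "dnssec_failures_by_forwarder": per_fwd,
        "unprovable_delegations": sorted(bogus_apex),
    }


if __name__ == "__main__":
    for key, value in diagnose(DIG_OUTPUT, NAMED_LOG).items():
        print(f"{key}: {value}")
```

Reading the findings: an `authoritative-nxdomain` verdict points at the zone content on the answering server (compare with what `ipa dnsrecord-find loc.example.com` lists, and note whether the serial has moved since the records were added), not at caching or at the client. The suffix-leak entries say the querying host should use the trailing-dot form or fix its search list before any DNS change is judged. The validation counts against one forwarder for an apex with no DS in the root are a separate problem from the missing A record; for an internal unsigned domain reached through a forwarder, BIND's answer is a negative trust anchor (`rndc nta`) or, in newer releases, `validate-except`, rather than disabling validation globally.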