I don't know if this is a bug or intended behavior, but if I set those values
also in named.conf manually, forwarding of arpa zones works.
I had to do this:
---snip---
forward only;
forwarders { 10.21.0.14; 10.21.0.15; };
---snip---
Previously my file looked like this
---snip---
forward only;
forwarders { };
---snip---
But that shouldn't have mattered, because the server was properly using the
ldap global settings for forwarding regular lookups and overriding the
named.conf settings properly.
From: [email protected]
[mailto:[email protected]] On Behalf Of Nathan Peters
Sent: January-26-16 6:03 PM
To: [email protected]
Subject: [Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse
lookup zones
I have my FreeIPA server setup with a forward only policy for DNS.
If I perform an nslookup against either of the configured forward servers, I
can do a reverse lookup properly.
If I perform the same nslookup against my local server, it will not find the
entry.
I have confirmed that there are no conflicting zones or reverse zones on my
FreeIPA server.
Tests below:
1. Show forwarding configuration
2. Test lookup against localhost of own domain name (prove we can find
records we host as primary)
3. Prove we can do forward lookup on the host that we can't reverse lookup on
4. Reverse lookup fails against localhost
5. Reverse lookup succeeds against forward server 1
6. Reverse lookup succeeds against forward server 2
So... if I am set to always forward, and I don't host this domain (or a parent
of it), and I can lookup the server on my forwarded domains,
Then... why can't that query get forwarded properly according to my forwarding
settings?
1. ===========================
[root@dc2-ipa-dev-van ~]# ipa dnsconfig-show
Global forwarders: 10.21.0.15, 10.21.0.14
Forward policy: only
Allow PTR sync: TRUE
2. ===========================
[root@dc2-ipa-dev-van ~]# nslookup
> dc2-ipa-dev-van.dev-mydomain.net
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: dc2-ipa-dev-van.dev-mydomain.net
Address: 10.21.0.98
3. ===========================
> officedc2.office.mydomain.net
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: officedc2.office.mydomain.net
Address: 10.6.60.6
4. ===========================
> 10.6.60.6
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find 6.60.6.10.in-addr.arpa: NXDOMAIN
5. ===========================
> server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
> 10.6.60.6
Server: 10.21.0.14
Address: 10.21.0.14#53
Non-authoritative answer:
6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.
Authoritative answers can be found from:
6. ===========================
> server 10.21.0.15
Default server: 10.21.0.15
Address: 10.21.0.15#53
> 10.6.60.6
Server: 10.21.0.15
Address: 10.21.0.15#53
Non-authoritative answer:
6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.
Authoritative answers can be found from:
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
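The reasoning in the original report (the server does not host 6.60.6.10.in-addr.arpa or any parent of it, so under a "forward only" policy the PTR query should go to the forwarders) is easy to check mechanically. The following is an added example, not code from the thread or from FreeIPA/BIND: it builds the in-addr.arpa / ip6.arpa owner name for an address, finds the closest hosted zone enclosing a query name, and applies a simplified model of BIND's forward policy. The hosted zone list, the forwarder addresses and the route_query decision table are assumptions constructed to mirror the thread; real BIND also consults per-zone forward statements and caches, which this model omits.

```python
import ipaddress

# Constructed sample data mirroring the thread: the IPA server is primary for
# dev-mydomain.net and has a global "forward only" policy with two forwarders.
HOSTED_ZONES = ("dev-mydomain.net",)
FORWARDERS = ("10.21.0.15", "10.21.0.14")


def reverse_name(ip):
    """PTR owner name for an IPv4/IPv6 address, e.g. 10.6.60.6 -> 6.60.6.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def enclosing_zone(qname, zones):
    """Return the longest zone in `zones` that is qname itself or an ancestor of it,
    or None when none of the hosted zones cover the query name."""
    q = _labels(qname)
    best = None
    for zone in zones:
        z = _labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(_labels(best)):
                best = zone
    return best


def route_query(qname, hosted_zones=HOSTED_ZONES, forwarders=FORWARDERS, policy="only"):
    """Simplified model (assumption, not BIND's real resolver logic) of where a
    query goes:
      ("local", zone)        - answered from a zone this server hosts
      ("forward", forwarders) - sent to the configured forwarders
      ("recurse", None)      - resolved iteratively (policy "first", no forwarders)
      ("fail", None)         - policy "only" but no forwarders: nowhere to send it
    """
    zone = enclosing_zone(qname, hosted_zones)
    if zone is not None:
        return ("local", zone)
    if forwarders:
        return ("forward", tuple(forwarders))
    if policy == "only":
        return ("fail", None)
    return ("recurse", None)


if __name__ == "__main__":
    ptr = reverse_name("10.6.60.6")
    print(ptr, "->", route_query(ptr))
    print("dc2-ipa-dev-van.dev-mydomain.net ->",
          route_query("dc2-ipa-dev-van.dev-mydomain.net"))
    # The pre-fix named.conf had "forward only;" with an empty forwarders list.
    print(ptr, "with empty forwarders ->", route_query(ptr, forwarders=()))
```

Running it shows the PTR name for 10.6.60.6 lands outside every hosted zone and is therefore routed to the forwarders, which is the behaviour the reporter expected from `ipa dnsconfig-show`; the same name with an empty forwarder list under "forward only" has no place to go, which is why an empty `forwarders { };` in named.conf is worth ruling out when the LDAP-held global forwarders do not seem to apply to arpa zones.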