Hello Petr,

[root@slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support

It's empty.

Thanks,
Nuno

> On 15 Jun 2016, at 07:45, Petr Spacek <pspa...@redhat.com> wrote:
>
> On 14.6.2016 17:29, Nuno Higgs wrote:
>> Hello,
>>
>> I am running CentOS 7:
>>
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>> I configured my DNS forwarder when I did the install process of the secondary
>> node of IPA:
>>
>> [root@slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
>
> Interesting, 4.2.0 should have checks to detect this problem.
>
> Could you check /var/log/ipareplica-install.log for warnings related to
> DNSSEC?
>
> It should be something like
> "DNS server <IP address> does not support DNSSEC"
>
> Thanks.
>
> Petr^2 Spacek
>
>> Thanks,
>> Nuno
>>
>>> On 14 Jun 2016, at 15:28, Petr Spacek <pspa...@redhat.com> wrote:
>>>
>>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>>> Hello,
>>>>
>>>> Found it:
>>>>
>>>> It appears that my forwarder is NOT DNSSEC happy:
>>>>
>>>> in: /var/named/data/named.run
>>>>
>>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>>
>>>> So, I changed the /etc/named.conf
>>>>
>>>> from:
>>>>
>>>> dnssec-enable yes;
>>>> dnssec-validation yes;
>>>>
>>>> to:
>>>>
>>>> dnssec-enable yes;
>>>> dnssec-validation no;
>>>>
>>>> Everything is working fine now.
>>>
>>> Okay, it explains a lot.
>>>
>>> Please note that configuration "dnssec-validation no;" lowers the security bar
>>> for attackers and is strongly discouraged!
>>>
>>> The issue is most likely caused by a non-compliant forwarder which mangles DNS
>>> data somehow before they reach your IPA DNS server.
>>>
>>> I would recommend you to check the DNS forwarder on 10.0.157.35 and see if it is
>>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>>> returning back to "dnssec-validation yes;" after fixing the forwarder config.
>>>
>>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>>> you try to configure them using IPA commands.
>>>
>>> What version of IPA do you use?
>>>
>>> How did you configure the forwarder in IPA?
>>>
>>> Petr^2 Spacek
>>>
>>>> Thanks for your help!
>>>> Nuno
>>>>
>>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <i...@border.nuneshiggs.com> wrote:
>>>>>
>>>>> Hello again,
>>>>>
>>>>> [root@ipa01 ~]# kinit user
>>>>> Password for user@DOMAIN.LOCAL:
>>>>> [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>>>   Zone name: domain.eu.
>>>>>   Active zone: TRUE
>>>>>   Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>   Forward policy: only
>>>>> [root@ipa01 ~]#
>>>>>
>>>>> [root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>>   Zone name: domain.eu.
>>>>>   Active zone: TRUE
>>>>>   Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>   Forward policy: only
>>>>> [root@ipa02 ~]#
>>>>>
>>>>> On both servers the return is the same.
>>>>> I haven't touched the DNS config besides deleting the zone and recreating it.
>>>>>
>>>>> I am at a loss. What can be the issue here?
>>>>>
>>>>> Thanks,
>>>>> Nuno
>>>>>
>>>>> -----Original Message-----
>>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>>>>> Sent: Monday, 13 June 2016 06:50
>>>>> To: freeipa-users@redhat.com
>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>>
>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>>>>> geographic replication.
>>>>>>
>>>>>> I have added it as stated in the documentation here:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>>
>>>>>> All was replicated correctly, and I can do a kinit user@DOMAIN with
>>>>>> success within the replica.
>>>>>>
>>>>>> However there is a problem with the DNS sections:
>>>>>>
>>>>>> Although DNS is OK, my configuration within IPA on the first server
>>>>>> regarding DNS zones that are set to forward only is not.
>>>>>>
>>>>>> In my first server, I can do a forward of a domain - let's say
>>>>>> domain.eu. On the second server (replica) the forward is shown
>>>>>> configured correctly within the web GUI but it does not work, giving
>>>>>> an NX error on query www.domain.eu (the A record exists and is shown
>>>>>> on the first server). It also shows on dig on the replica
>>>>>> (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>>>>>>
>>>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>>>
>>>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>>>> something?
>>>>>
>>>>> Hello,
>>>>>
>>>>> it could be either a DNS configuration problem or an LDAP replication
>>>>> problem.
>>>>>
>>>>> Please show us output from command:
>>>>> $ ipa dnsforwardzone-show domain.eu
>>>>> from all IPA servers you have.
>>>>>
>>>>> The output should be the same. If it is not the same then you are most
>>>>> likely facing a replication problem, please see
>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>>
>>>>> --
>>>>> Petr^2 Spacek
>
> --
> Petr Spacek @ Red Hat
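A forwarder probe in the spirit of the installer warning Petr refers to, added here as an example that is not part of the thread or of FreeIPA: it sends the same root DNSKEY query with the EDNS DO bit that named is seen failing on in the quoted named.run lines, and judges whether RRSIG records survive the trip through the forwarder. The function names and the sample dig outputs are my own constructions; `check_forwarder` needs dig and network access, while `judge_dig_output` works offline on captured output.

```shell
#!/bin/sh
# Added example (not FreeIPA code): probe a DNS forwarder for DNSSEC pass-through
# by requesting the root DNSKEY RRset with +dnssec and looking for RRSIG records.

# query_forwarder IP: live query; needs dig and network access.
query_forwarder() {
    dig +dnssec +noall +comments +answer +time=3 +tries=1 . DNSKEY "@$1"
}

# judge_dig_output: reads dig output from stdin and returns
#   0 = RRSIG present, forwarder passes DNSSEC data through
#   1 = DNSKEY answered but no RRSIG, forwarder strips DNSSEC data
#   2 = no usable answer (SERVFAIL, REFUSED, timeout or empty output)
judge_dig_output() {
    out=$(cat)
    case "$out" in
        *"status: SERVFAIL"*|*"status: REFUSED"*|*"connection timed out"*) return 2 ;;
    esac
    printf '%s\n' "$out" | grep -Eq 'IN[[:space:]]+DNSKEY' || return 2
    printf '%s\n' "$out" | grep -Eq 'IN[[:space:]]+RRSIG[[:space:]]+DNSKEY' && return 0
    return 1
}

# check_forwarder IP: live check, verdict worded like the IPA installer warning.
check_forwarder() {
    rc=0
    query_forwarder "$1" | judge_dig_output || rc=$?
    case $rc in
        0) echo "DNS server $1 passes DNSSEC data through (RRSIG present)" ;;
        1) echo "DNS server $1 does not support DNSSEC (RRSIG missing from answer)" ;;
        *) echo "DNS server $1 gave no usable answer for ./DNSKEY" ;;
    esac
    return $rc
}

# Constructed sample dig outputs for offline use; key and signature data shortened.
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
.    3600 IN DNSKEY 256 3 8 AwEAAc...
.    3600 IN DNSKEY 257 3 8 AwEAAa...
.    3600 IN RRSIG DNSKEY 8 0 172800 20160701000000 20160610000000 19036 . c2lnLi4u'
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
.    3600 IN DNSKEY 256 3 8 AwEAAc...
.    3600 IN DNSKEY 257 3 8 AwEAAa...'
SAMPLE_FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244'

if [ $# -ge 1 ]; then check_forwarder "$1"; fi
```

Run it as `sh probe.sh 10.0.157.35` against a forwarder; a return code of 1 is the case the thread describes, and the fix belongs on the forwarder rather than in `dnssec-validation`.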
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project