On 15.6.2016 09:37, Nuno Higgs wrote:
> Hello Petr,
>
> [root@slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support
>
> It's empty.

Interesting. At this point I'm unable to say what happened to your install.
If it happens again please get back to us and we will investigate.

Petr^2 Spacek

>
> Thanks
> Nuno
>
>> On 15 Jun 2016, at 07:45, Petr Spacek <pspa...@redhat.com> wrote:
>>
>> On 14.6.2016 17:29, Nuno Higgs wrote:
>>> Hello,
>>>
>>> I am running CentOS7:
>>>
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> I configured my DNS forwarder when I did the install process of the secondary
>>> node of IPA:
>>>
>>> [root@slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
>>
>> Interesting, 4.2.0 should have checks to detect this problem.
>>
>> Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?
>>
>> It should be something like
>> "DNS server <IP address> does not support DNSSEC"
>>
>> Thanks.
>>
>> Petr^2 Spacek
>>
>>>
>>> Thanks,
>>> Nuno
>>>
>>>> On 14 Jun 2016, at 15:28, Petr Spacek <pspa...@redhat.com> wrote:
>>>>
>>>> On 14.6.2016 13:01, Nuno Higgs wrote:
>>>>> Hello,
>>>>>
>>>>> Found it:
>>>>>
>>>>> It appears that my forwarder is NOT DNSSEC happy:
>>>>>
>>>>> in: /var/named/data/named.run
>>>>>
>>>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
>>>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>>>>>
>>>>> So, I changed the /etc/named.conf
>>>>>
>>>>> from:
>>>>>
>>>>> dnssec-enable yes;
>>>>> dnssec-validation yes;
>>>>>
>>>>> to:
>>>>>
>>>>> dnssec-enable yes;
>>>>> dnssec-validation no;
>>>>>
>>>>> Everything is working fine now.
>>>>
>>>> Okay, it explains a lot.
>>>>
>>>> Please note that configuration "dnssec-validation no;" lowers the security bar
>>>> for attackers and is strongly discouraged!
>>>>
>>>> The issue is most likely caused by a non-compliant forwarder which mangles DNS
>>>> data somehow before they reach your IPA DNS server.
>>>>
>>>> I would recommend you to check the DNS forwarder on 10.0.157.35 and see if it is
>>>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend
>>>> returning back to "dnssec-validation yes;" after fixing the forwarder config.
>>>>
>>>> IPA 4.3 or newer should print a warning about such broken forwarders whenever
>>>> you try to configure them using IPA commands.
>>>>
>>>> What version of IPA do you use?
>>>>
>>>> How did you configure the forwarder in IPA?
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>>
>>>>> Thanks for your help!
>>>>> Nuno
>>>>>
>>>>>> On 13 Jun 2016, at 10:14, Nuno Higgs <i...@border.nuneshiggs.com> wrote:
>>>>>>
>>>>>> Hello again,
>>>>>>
>>>>>> [root@ipa01 ~]# kinit user
>>>>>> Password for user@DOMAIN.LOCAL:
>>>>>> [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu
>>>>>> Zone name: domain.eu.
>>>>>> Active zone: TRUE
>>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>> Forward policy: only
>>>>>> [root@ipa01 ~]#
>>>>>>
>>>>>>
>>>>>> [root@ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>>> Zone name: domain.eu.
>>>>>> Active zone: TRUE
>>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>> Forward policy: only
>>>>>> [root@ipa02 ~]#
>>>>>>
>>>>>> On both servers the return is the same.
>>>>>> I haven't touched the DNS config besides deleting the zone and recreating it.
>>>>>>
>>>>>> I am at a loss. What can be the issue here?
>>>>>>
>>>>>> Thanks,
>>>>>> Nuno
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>>>>>> Sent: Monday, 13 June 2016 06:50
>>>>>> To: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>>>
>>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to geographic replication.
>>>>>>>
>>>>>>> I have added it as stated in the documentation here:
>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>>>
>>>>>>> All was replicated correctly, and I can do a kinit user@DOMAIN with success within the replica.
>>>>>>>
>>>>>>> However there is a problem with the DNS sections:
>>>>>>>
>>>>>>> Although DNS is ok, my configuration within IPA on the first server regarding DNS zones that are set on forward only are not.
>>>>>>>
>>>>>>> In my first server, I can do a forward of domain - let's say domain.eu. On the second server (replica) the forward is shown configured correctly within the webgui but it does not work, giving a NX error on query www.domain.eu (the A Record exists and is shown on the first server). It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>>>>>>>
>>>>>>> I have deleted the zone on the master (and replica), and recreated it. On the first server, it worked fine. On the replica the problem persisted.
>>>>>>>
>>>>>>> Am I missing anything? Is there an undocumented trick, or have I missed something?
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> it could be either a DNS configuration problem or a LDAP replication problem.
>>>>>>
>>>>>> Please show us output from command:
>>>>>> $ ipa dnsforwardzone-show domain.eu
>>>>>> from all IPA servers you have.
>>>>>>
>>>>>> The output should be the same. If it is not the same then you are most likely facing a replication problem, please see
>>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>>>
>>>>>> --
>>>>>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
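The forwarder check Petr describes (does the forwarder hand back DNSSEC data intact, or mangle it so that BIND's "insecurity proof failed" shows up?) can be run by hand before pointing IPA at a forwarder. The script below is an added example, not code from this thread or from FreeIPA itself: it assumes that a '. DNSKEY' query with the EDNS DO bit set is a fair probe (the same RRset BIND was failing on above), that check_forwarder() is given the forwarder's IP, and that constructed_reply() builds fake packets only to exercise the parser.

```python
import socket
import struct

TYPE_DNSKEY, TYPE_RRSIG, TYPE_OPT = 48, 46, 41   # RR type codes (RFC 4034, RFC 6891)
FLAG_AD = 0x0020   # DNS header flag: Authenticated Data (set by a validating resolver)
EDNS_DO = 0x8000   # DNSSEC OK bit, carried in the OPT record's "TTL" field

def build_dnskey_query(txid=0x1234):
    """Wire-format query for '. DNSKEY IN' with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)            # RD=1; 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)              # root name is a single zero byte
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)     # class=UDP size, ttl=flags, rdlen=0
    return header + question + opt

def _skip_name(buf, off):  # return the offset just past a (possibly compressed) domain name
    while buf[off] and (buf[off] & 0xC0) != 0xC0:
        off += 1 + buf[off]
    return off + (2 if (buf[off] & 0xC0) == 0xC0 else 1)

def analyze_response(resp):
    """Summarise a reply: rcode, AD flag, whether DO was echoed, and DNSKEY/RRSIG counts in all sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4                                    # skip QTYPE + QCLASS
    out = {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "do": False, "dnskey": 0, "rrsig": 0}
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            out["do"] = bool(ttl & EDNS_DO)
        elif rtype in (TYPE_DNSKEY, TYPE_RRSIG):
            out["dnskey" if rtype == TYPE_DNSKEY else "rrsig"] += 1
    # BIND can only validate through a forwarder that returns the DNSKEY RRset together with its RRSIGs
    out["supports_dnssec"] = out["rcode"] == 0 and out["dnskey"] > 0 and out["rrsig"] > 0
    return out

def check_forwarder(ip, port=53, timeout=3.0):  # live probe: send the query over UDP and analyse the reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dnskey_query(), (ip, port))
        data, _ = s.recvfrom(4096)
    return analyze_response(data)

def constructed_reply(rtypes, ad, do, txid=0x1234):
    """Constructed test fixture, not a captured packet: one RR per entry in rtypes, plus an OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | (FLAG_AD if ad else 0), 1, len(rtypes), 0, 1)  # QR RD RA (+AD)
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, 4) + b"\0\0\0\0" for t in rtypes)  # name -> question
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + rrs + opt
```

A forwarder that answers with DNSKEY records but no RRSIGs (and no DO bit echoed back) is exactly the kind BIND cannot validate through; fixing that forwarder, rather than turning validation off, is what lets "dnssec-validation yes;" go back in.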