On 18.01.2017 20:52, Jason B. Nance wrote:
I have a pair of FreeIPA 4.4.0 servers setup whose forwarders are each set to an
Active Directory domain controller.  When a client attempts to lookup any DNS
record other than those to which FreeIPA is authoritative the client reports
NXDOMAIN and the FreeIPA server has the following in its logs:

(first lookup)
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no
valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no
valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

(subsequent lookups)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating
@0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error
(broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN':
10.48.8.18#53

In my case, ipa.tkc.gen.zone is served by FreeIPA and tkc.gen.zone is served by
AD (as is gen.zone).  10.48.8.18 is an AD domain controller for tkc.gen.zone
(and the forwarder the FreeIPA servers are pointed at).

I've tried "rndc flush" and "rndc flushname ." on the FreeIPA boxes.  We've
tried both NSEC3 and NSEC.

Anyone have guidance as to what may be going on?

Thanks,

j

You use a non-existent TLD domain, or the TLD domain doesn't have a DS record
for your zone, so this is expected behavior: DNSSEC considers it an attack.
You have to disable DNSSEC validation on all IPA DNS servers in
/etc/named.conf in the first case, or fix the incorrect/missing DS record in
the second case.

'zone.' is a registered TLD, so if you own it you are probably missing a DS
record in the path, thus the broken trust chain.
If you don't own the TLD, you shouldn't use it at all.

Hi Martin,

Thank you for the reply, and sorry for the delay in response.  My employer owns the 
"gen.zone" domain.  It is used internally only, and served by an Active 
Directory domain controller.

It appears, though, that our registrar does not support DNSSEC for .zone 
domains even though the .zone TLD in general does support DNSSEC.

:-\

j

Ok, if you own the zone then it is ok. From the logs I see it actually has issues with "zone." itself. It may mean that the forwarders you are using are not DNSSEC compatible. Can you try dig +dnssec @forwarder-ip zone. DS and check if the answer contains RRSIG records?

Martin
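An added example (not from the thread or the FreeIPA project) of the check Martin suggests: feed the captured output of "dig +dnssec @forwarder-ip zone. DS" to classify_ds_response() to tell a forwarder that strips DNSSEC data (no RRSIGs at all, matching the "no valid RRSIG" log line) from a parent zone that is missing the DS (a signed NSEC/NSEC3 denial, matching "no valid DS"). The dig fragments below are constructed samples, and the check works for any name, not only "zone.".

```python
import re

# Constructed dig +dnssec output fragments (not captured from the thread's
# servers), trimmed to the flags line and the RR sections that matter.
FORWARDER_STRIPS = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
.\t3600\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2017010400 1800 900 604800 86400
"""
DS_MISSING_AT_PARENT = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; AUTHORITY SECTION:
.\t3600\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2017010400 1800 900 604800 86400
.\t3600\tIN\tRRSIG\tSOA 8 0 86400 20170201000000 20170101000000 1234 . c2ln
zone.\t3600\tIN\tNSEC\tzoo. NS RRSIG NSEC
zone.\t3600\tIN\tRRSIG\tNSEC 8 1 86400 20170201000000 20170101000000 1234 . c2ln
"""
DS_SIGNED = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
zone.\t3600\tIN\tDS\t4242 8 2 0123456789ABCDEF
zone.\t3600\tIN\tRRSIG\tDS 8 1 86400 20170201000000 20170101000000 1234 . c2ln
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def parse_rrs(dig_output):
    """Return (owner, rrtype, rdata) for every resource record line."""
    return [m.groups() for m in map(RR_RE.match, dig_output.splitlines()) if m]

def ad_flag_set(dig_output):
    """True if the forwarder itself claims to have validated (AD bit set)."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.M)
    return bool(m and "ad" in m.group(1).split())

def classify_ds_response(dig_output):
    rrs = parse_rrs(dig_output)
    types = {t for _, t, _ in rrs}
    signed = {rdata.split()[0] for _, t, rdata in rrs if t == "RRSIG"}
    if "RRSIG" not in types:
        # No signatures at all: the forwarder drops DNSSEC data, so a validating
        # named behind it can never build a chain ("no valid RRSIG").
        return "forwarder-strips-dnssec"
    if "DS" in types and "DS" in signed:
        return "ds-present-signed"
    if ({"NSEC", "NSEC3"} & types) and ({"NSEC", "NSEC3"} & signed):
        # Signed proof that no DS exists: the parent has no DS for the child,
        # so the child's own signatures cannot be trusted ("no valid DS").
        return "ds-missing-at-parent"
    return "inconclusive"
```

Only "ds-present-signed" means the forwarder path can support validation; in the other two cases the fix is on the forwarder or at the registrar, not in the FreeIPA named cache.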

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project