31.07.2020 2:03, Christian Hernandez via FreeIPA-users writes:
> I'm having an issue delegating a subdomain. My domain is cloud.chx and I
> ran the following.
>
> ipa dnsrecord-add cloud.chx dc1.ad --a-rec=192.168.1.253
> ipa dnsrecord-add 1.168.192.in-addr.arpa. 253 --ptr-rec=dc1.ad.cloud.chx.
> ipa dnsrecord-add cloud.chx ad --ns-rec=dc1.ad.cloud.chx.
>
> I checked and it's in the config
>
> [root@ipa1 ~]# dig axfr cloud.chx | grep ad
> ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
> dc1.ad.cloud.chx. 86400 IN A 192.168.1.253
>
> But when I query, it doesn't return what I expected.
>
> [root@ipa1 ~]# dig dc1.ad.cloud.chx NS
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dc1.ad.cloud.chx. IN NS
>
> ;; Query time: 27 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jul 30 15:48:03 PDT 2020
> ;; MSG SIZE rcvd: 45
>
> The other DNS server is up and running.
>
> [root@ipa1 ~]# dig @192.168.1.253 dc1.ad.cloud.chx
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @192.168.1.253 dc1.ad.cloud.chx
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;dc1.ad.cloud.chx. IN A
>
> ;; ANSWER SECTION:
> dc1.ad.cloud.chx. 3600 IN A 192.168.1.253
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.1.253#53(192.168.1.253)
> ;; WHEN: Thu Jul 30 15:59:21 PDT 2020
> ;; MSG SIZE rcvd: 61
>
> It is worth noting that adding +norec works.
>
> [root@ipa1 ~]# dig dc1.ad.cloud.chx NS +norec
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dc1.ad.cloud.chx. IN NS
>
> ;; AUTHORITY SECTION:
> ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.
>
> ;; ADDITIONAL SECTION:
> dc1.ad.cloud.chx. 86400 IN A 192.168.1.253
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jul 30 15:59:39 PDT 2020
> ;; MSG SIZE rcvd: 75
>
> Is there anything I'm missing?
Do you have the validating resolver (DNSSEC-aware recursive server) listening on 127.0.0.1#53? And if yes, then do you have DS RRs in the parent zone for the delegated one?

https://www.isc.org/dnssec/
https://downloads.isc.org/isc/dnssec-guide/dnssec-guide.pdf
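The two dig runs in the thread already contain the diagnostic signal: the non-recursive (+norec) query shows that the local authoritative data holds a correct delegation with glue, while the recursive query to the same 127.0.0.1 returns NXDOMAIN, which points at the recursive/validating side rather than at the zone data. The following script is an added example, not code from the thread or from FreeIPA; it parses dig output in the shape quoted above and classifies the delegation problem. The sample inputs are constructed from the quoted outputs, and the category names (`no-delegation`, `missing-glue`, `resolver-side`, `ok`) are this example's own.

```python
"""Classify a subdomain delegation problem from two dig outputs.

Added example (not from the thread). Compares a recursive query against a
+norec query for the same name to tell a zone-data problem (no NS RRset,
no glue) apart from a resolver-side failure (the case in the thread, where
the reply suggests checking DNSSEC validation and DS RRs in the parent).
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:$")


@dataclass
class DigResult:
    status: str = ""
    flags: set = field(default_factory=set)
    answer: list = field(default_factory=list)      # (owner, type, rdata)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def parse_dig(text: str) -> DigResult:
    """Parse the header status/flags and the RR sections of dig's default output."""
    res = DigResult()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            res.status = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            m = re.search(r"flags:([^;]*)", line)
            res.flags = set(m.group(1).split()) if m else set()
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif not line or line.startswith(";"):
            section = None          # blank line or comment ends an RR section
        elif section:
            # owner TTL class type rdata  (rdata may itself contain spaces)
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            getattr(res, section.lower()).append((owner.lower(), rtype, rdata.lower()))
    return res


def diagnose(recursive: DigResult, norec: DigResult, name: str) -> str:
    """Compare the authoritative referral (+norec) with the recursive answer."""
    name = name.lower().rstrip(".") + "."
    # NS RRsets in the +norec AUTHORITY section whose zone covers the queried name.
    referral = [(zone, target) for zone, rtype, target in norec.authority
                if rtype == "NS" and (name == zone or name.endswith("." + zone))]
    if not referral:
        return "no-delegation"       # parent zone has no NS RRset for the subdomain
    # Nameservers inside the delegated zone need glue A/AAAA in ADDITIONAL.
    in_bailiwick = {t for z, t in referral if t == z or t.endswith("." + z)}
    glue = {owner for owner, rtype, _ in norec.additional if rtype in ("A", "AAAA")}
    if in_bailiwick - glue:
        return "missing-glue"
    if recursive.status == "NOERROR":
        return "ok"
    # Zone data and glue are fine but the recursive path fails: look at the
    # resolver on 127.0.0.1 (validation, DS RRs in the parent, forwarding).
    return "resolver-side"


# Constructed samples, trimmed from the outputs quoted in the thread.
RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx. IN NS

;; Query time: 27 msec
"""

NOREC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;dc1.ad.cloud.chx. IN NS

;; AUTHORITY SECTION:
ad.cloud.chx. 86400 IN NS dc1.ad.cloud.chx.

;; ADDITIONAL SECTION:
dc1.ad.cloud.chx. 86400 IN A 192.168.1.253

;; Query time: 0 msec
"""

if __name__ == "__main__":
    print(diagnose(parse_dig(RECURSIVE), parse_dig(NOREC), "dc1.ad.cloud.chx"))
```

Run against the quoted outputs it reports `resolver-side`, which is exactly the distinction the reply draws: the referral and glue are present in the zone, so the next things to check are the resolver listening on 127.0.0.1#53 and, if it validates, the DS RRs for the delegation in the parent zone. Feeding it a +norec output without the ADDITIONAL glue yields `missing-glue`, and one without any NS RRset yields `no-delegation`, so the same check covers the zone-data mistakes that produce similar symptoms.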