Responding to myself - for future reference. I found in /var/named/data/named.run that my parent zone (ims.example.com) failed to load. Turns out I had to implement a proper delegation: in the zone "ims.example.com" I had to add A entries for "rhel-ipa-replica.ams" and "rhel-ipa-newreplica.ams". Without it, the zone "ims.example.com" was considered incomplete, so IPA servers wouldn't load it...

The fact that my 2nd replica didn't show this problem was just a coincidence - I didn't restart DNS on it since I've defined multiple zones like this. Otherwise it would fail to load that zone as well. I've added the two missing A records, reloaded the zones, and now it works!

--
Regards,
Dmitry Perets.

"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel

On Thu, Mar 14, 2019 at 6:11 PM Dmitry Perets <[email protected]> wrote:
>
> Hi,
>
> I am experiencing a strange issue with DNS resolution between my replicas,
> could you please help me to figure it out?
>
> My topology is:
>
> rhel-ipa.ims.example.com => rhel-ipa-replica.ams.ims.example.com =>
> rhel-ipa-newreplica.ams.ims.example.com
>
> All three are IPA servers with DNS.
> And I've created two zones: "ims.example.com" and "ams.ims.example.com".
>
> It worked fine while I had just the first two IPA servers, both servers could
> resolve any host in any of the two zones. But now I added the third IPA
> server (rhel-ipa-newreplica), and that new host cannot resolve anything in
> the parent domain "ims.example.com"...
>
> $ dig rhel-ipa.ims.telekom.de
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> rhel-ipa.ims.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;rhel-ipa.ims.example.com.        IN      A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Mar 14 18:02:46 CET 2019
> ;; MSG SIZE  rcvd: 52
>
> What am I missing here...? As per my understanding, each IPA server should
> "feel" authoritative for each of the two zones, because they are replicated.
> So even forwarding should not take place here... Btw I tried to play with
> forwarder configuration, but so far - no luck.
>
> What am I missing for this setup to work...?
> How to make rhel-ipa-newreplica resolve hosts from parent domain...?
>
> --
> Regards,
> Dmitry Perets.
>
> "The more one knows, the less opinions he shares"
> -- Wilhelm Schwebel

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
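As an added illustration (not code from the thread or from FreeIPA), a small Python check for the misconfiguration described above: it parses a parent zone in BIND text format and reports every delegated subzone whose in-bailiwick nameserver has no glue A/AAAA record in the parent, which is what left "ims.example.com" incomplete here. The zone contents, addresses and hostmaster name are constructed assumptions modelled on the poster's topology, not his real data.

```python
"""Check a BIND-format parent zone for delegations that lack glue A/AAAA records,
the condition that made named treat ims.example.com as incomplete above."""

# Constructed sample of the parent zone (not the poster's real file), with one of
# the two required glue records deliberately left out.
PARENT_ZONE = """\
$ORIGIN ims.example.com.
@                    3600 IN SOA rhel-ipa.ims.example.com. hostmaster.ims.example.com. 1 3600 900 1209600 3600
@                         IN NS  rhel-ipa.ims.example.com.
rhel-ipa                  IN A   192.0.2.10
ams                       IN NS  rhel-ipa-replica.ams.ims.example.com.
ams                       IN NS  rhel-ipa-newreplica.ams.ims.example.com.
rhel-ipa-replica.ams      IN A   192.0.2.20
"""

def fqdn(name, origin):
    """Expand a relative zone-file name to an absolute one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text):
    """Minimal parser: (origin, [(owner, type, rdata)]) with absolute names.
    Handles $ORIGIN, ';' comments and an optional TTL, one record per line."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        cls = parts.index("IN")  # layout: owner [ttl] IN type rdata
        owner, rtype = fqdn(parts[0], origin), parts[cls + 1]
        rdata = " ".join(parts[cls + 2:])
        records.append((owner, rtype, fqdn(rdata, origin) if rtype == "NS" else rdata))
    return origin, records

def missing_glue(zone_text):
    """(delegation, nameserver) pairs whose in-bailiwick NS has no A/AAAA record."""
    origin, records = parse_zone(zone_text)
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = []
    for owner, rtype, ns in records:
        # Apex NS records are not a delegation; an NS below the cut needs glue.
        if rtype == "NS" and owner != origin and ns.endswith("." + owner) and ns not in have_addr:
            missing.append((owner, ns))
    return missing
```

Running `missing_glue(PARENT_ZONE)` on the sample reports the delegation for ams.ims.example.com. with rhel-ipa-newreplica.ams.ims.example.com. as the nameserver lacking glue; adding the A record for it makes the list empty.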
