Hello,

On Tue, Apr 21, 2020 at 1:20 PM Tiemen Ruiten <t.rui...@tech-lab.io> wrote:

> On Tue, Apr 21, 2020 at 1:10 PM Tiemen Ruiten <t.rui...@tech-lab.io> wrote:
>
>> Hello,
>>
>> On Tue, Apr 21, 2020 at 12:46 PM François Cami <fc...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> On Tue, Apr 21, 2020 at 12:19 PM Tiemen Ruiten via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>> >
>>> > Hello,
>>> >
>>> > Since a few days ago, we're having issues with resolution of this hostname:
>>> >
>>> > download.wisselkoersenvoorjeadministratie.nl
>>> >
>>> > Our FreeIPA DNS servers return SERVFAIL for that particular hostname.
>>> > What's funny, after I do a (successful) lookup directly at one of the
>>> > configured forwarders, 1.1.1.1, resolution works, until the TTL expires.
>>> > Other hostnames work fine. How can I troubleshoot this?
>>>
>>> Please have a look at the logs:
>>> https://www.freeipa.org/page/Troubleshooting/DNS#Getting_logs
>>> There should be some entry at the time you reproduce the issue.
>>>
>>
>> No lines related to named in /var/log/messages.
>>
>> I set debug logging with 'rndc trace' on the IPA nameserver that's being
>> queried and this shows up in named.run when I query the hostname:
>>
>> 21-Apr-2020 13:07:37.912 fetch: download.wisselkoersenvoorjeadministratie.nl/A
>> 21-Apr-2020 13:07:37.939 client @0x7fcee8031200 10.100.120.47#36751 (download.wisselkoersenvoorjeadministratie.nl): query failed (SERVFAIL) for download.wisselkoersenvoorjeadministratie.nl/IN/A at ../../../bin/named-pkcs11/query.c:8580
>>
>
> Added debug level 3, here's a failed lookup and a successful one (after
> lookup @1.1.1.1):
>
> [root@ipa-ams-02 ter]# tail -f /var/named/data/named.run | grep wisselkoersen
> 21-Apr-2020 13:16:21.397 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): query (cache) 'download.wisselkoersenvoorjeadministratie.nl/A/IN' approved
> 21-Apr-2020 13:16:21.397 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): replace
> 21-Apr-2020 13:16:21.398 fetch: download.wisselkoersenvoorjeadministratie.nl/A
> 21-Apr-2020 13:16:21.421 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): query failed (SERVFAIL) for download.wisselkoersenvoorjeadministratie.nl/IN/A at ../../../bin/named-pkcs11/query.c:8580
> 21-Apr-2020 13:16:21.422 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): error
> 21-Apr-2020 13:16:21.422 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): send
> 21-Apr-2020 13:16:21.422 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): sendto
> 21-Apr-2020 13:16:21.422 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): senddone
> 21-Apr-2020 13:16:21.422 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): next
> 21-Apr-2020 13:16:21.422 client @0x7fcef1c8d350 10.100.120.47#35525 (download.wisselkoersenvoorjeadministratie.nl): endrequest
> 21-Apr-2020 13:16:21.422 fetch completed at ../../../lib/dns-pkcs11/resolver.c:3754 for download.wisselkoersenvoorjeadministratie.nl/A in 0.023506: SERVFAIL/success [domain:wisselkoersenvoorjeadministratie.nl,referral:0,restart:2,qrysent:2,timeout:0,lame:0,quota:0,neterr:0,badresp:2,adberr:0,findfail:0,valfail:0]
> ^C
>
> [root@ipa-ams-02 ter]# tail -f /var/named/data/named.run | grep wisselkoersen
> 21-Apr-2020 13:17:15.389 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): query (cache) 'download.wisselkoersenvoorjeadministratie.nl/A/IN' approved
> 21-Apr-2020 13:17:15.389 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): replace
> 21-Apr-2020 13:17:15.389 fetch: download.wisselkoersenvoorjeadministratie.nl/A
> 21-Apr-2020 13:17:15.403 fctx 0x7fcee981b0d0(download.wisselkoersenvoorjeadministratie.nl/A): looking for relevant NSEC3
> 21-Apr-2020 13:17:15.403 fctx 0x7fcee981b0d0(download.wisselkoersenvoorjeadministratie.nl/A): NSEC3 proves name does not exist: 'download.wisselkoersenvoorjeadministratie.nl'
> 21-Apr-2020 13:17:15.403 fctx 0x7fcee981b0d0(download.wisselkoersenvoorjeadministratie.nl/A): NSEC3 indicates secure range
> 21-Apr-2020 13:17:15.403 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): send
> 21-Apr-2020 13:17:15.403 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): sendto
> 21-Apr-2020 13:17:15.403 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): senddone
> 21-Apr-2020 13:17:15.403 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): next
> 21-Apr-2020 13:17:15.403 client @0x7fcef000c580 10.100.120.47#40143 (download.wisselkoersenvoorjeadministratie.nl): endrequest
>
> Does anyone have an idea?

There is at least one domain that is showing the same behaviour that I found: www.regenboog-lelystad.nl.

--
Tiemen Ruiten
Infrastructure Engineer
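Added example (not part of the original message, and not FreeIPA or BIND code): a small Python parser for the resolver's "fetch completed" summary line that appears in the named.run excerpt above, reporting which counters were non-zero for fetches that did not return success. The function names and regex group names are this example's own labels, and the sample line is the one from the log with the mail line wrapping removed.

```python
import re

# "fetch completed" line copied from the named.run excerpt quoted in the
# message above, with the mail client's line wrapping removed.
SAMPLE = (
    "21-Apr-2020 13:16:21.422 fetch completed at "
    "../../../lib/dns-pkcs11/resolver.c:3754 for "
    "download.wisselkoersenvoorjeadministratie.nl/A in 0.023506: "
    "SERVFAIL/success [domain:wisselkoersenvoorjeadministratie.nl,"
    "referral:0,restart:2,qrysent:2,timeout:0,lame:0,quota:0,neterr:0,"
    "badresp:2,adberr:0,findfail:0,valfail:0]"
)

# Group names (result, vresult, ...) are labels chosen for this example.
FETCH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fetch completed at \S+ for "
    r"(?P<name>\S+)/(?P<rtype>[A-Z0-9]+) in (?P<secs>[\d.]+): "
    r"(?P<result>\S+)/(?P<vresult>\S+) \[(?P<fields>[^\]]*)\]"
)

def parse_fetch_completed(line):
    """Return a dict for one 'fetch completed' line, or None for any other line."""
    m = FETCH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    counters = {}
    for field in rec.pop("fields").split(","):
        key, _, value = field.strip().partition(":")
        counters[key] = int(value) if value.isdigit() else value
    rec["domain"] = counters.pop("domain", None)  # the only non-numeric field
    rec["counters"] = counters
    return rec

def failed_fetches(lines):
    """Yield (name, result, non-zero counters) for fetches that did not succeed."""
    for line in lines:
        rec = parse_fetch_completed(line)
        if rec and rec["result"] != "success":
            nonzero = {k: v for k, v in rec["counters"].items()
                       if isinstance(v, int) and v > 0}
            yield rec["name"], rec["result"], nonzero

if __name__ == "__main__":
    for name, result, nonzero in failed_fetches([SAMPLE]):
        print(name, result, nonzero)
```

Feeding it the whole of /var/named/data/named.run (debug level 3, as in the message) gives one summary per failed fetch, so the names that fail the same way can be grouped by their counters.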