Sorry no errors in the logs even with the debug setting.

I think we are not really looking for the right thing.
Let me try to describe the problem again.

When I configure my ipa server to use a global forwarder (8.8.8.8 or
8.8.4.4), I can do a dig and I get a list of the root dns servers.

When I remove the global forwarder, I can still do the dig but I get no
root server list.

dig

; <<>> DiG 9.11.36-RedHat-9.11.36-5.el8_7.2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5e719fe62224931a23c9f9c63812c875a0a53b97e2e11de (good)
;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 111 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 21:58:47 CET 2022
;; MSG SIZE  rcvd: 56
< nothing after the previous line except a bash prompt >

There should be a list of root dns servers.
Local dns domain resolving works fine.
There is no firewall blocking this. (global forwarder 8.8.8.8 works fine)

Really weird.
Rob
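Added example (not from this thread or from the FreeIPA project): a small Python checker that parses the dig output shown above and classifies the root NS lookup, so the "SERVFAIL although recursion is offered" symptom can be caught by a script or a monitoring job instead of by eye. SAMPLE_SERVFAIL is the dig output from the message above; check_root_ns assumes dig is installed and a resolver listens on 127.0.0.1.

```python
import re
import subprocess

# dig output copied from the thread above: root NS query against the local
# IPA resolver with no global forwarder configured (SERVFAIL, ANSWER: 0).
SAMPLE_SERVFAIL = """\
; <<>> DiG 9.11.36-RedHat-9.11.36-5.el8_7.2 <<>>
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;.                              IN      NS
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([^;]*);\s*QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SERVER_RE = re.compile(r";; SERVER: (\S+)")


def parse_dig(text):
    """Extract status, flags, section counts and server from dig's text output."""
    h, f, s = HEADER_RE.search(text), FLAGS_RE.search(text), SERVER_RE.search(text)
    if not (h and f):
        raise ValueError("not a dig answer: HEADER or flags line missing")
    return {"status": h.group(1), "flags": f.group(1).split(),
            "answer": int(f.group(3)), "authority": int(f.group(4)),
            "additional": int(f.group(5)), "server": s.group(1) if s else None}

def diagnose(parsed):
    """Classify a '. NS' lookup as 'ok', 'no-recursion', 'servfail' or 'unexpected:<status>'."""
    if "ra" not in parsed["flags"]:
        return "no-recursion"   # resolver does not offer recursion to this client
    if parsed["status"] == "NOERROR" and parsed["answer"] > 0:
        return "ok"             # root server list came back: recursion works
    if parsed["status"] == "SERVFAIL":
        return "servfail"       # recursion offered, but roots unreachable or validation failed
    return "unexpected:" + parsed["status"]

def check_root_ns(server="127.0.0.1"):
    """Run the same query as in the thread against a live resolver (needs dig installed)."""
    proc = subprocess.run(["dig", "@" + server, ".", "NS"],
                          capture_output=True, text=True, check=False)
    return diagnose(parse_dig(proc.stdout))

if __name__ == "__main__":
    print(diagnose(parse_dig(SAMPLE_SERVFAIL)))  # prints "servfail"
    print(check_root_ns())
```

A healthy resolver returns NOERROR with 13 records in the ANSWER section for this query; "no-recursion" points at allow-recursion/ACL settings rather than at forwarding.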

On Fri 25 Nov 2022 at 16:30, Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
>
> You can log the debug messages from bind and check if they provide any
> additional hint.
>
> sed -i "s/severity info;/severity debug;/" /etc/named/ipa-logging-ext.conf
> systemctl restart named
>
> Then perform a dig query outside the ipa domain and check the logs in
> /var/named/data/*log.
>
> HTH,
> flo
>
> On Thu, Nov 24, 2022 at 11:12 AM Rob Verduijn <rob.verdu...@gmail.com>
> wrote:
>
>> Hello, dnssec validation was already off.
>> And it still fails.
>>
>> Rob
>>
>> On Thu 24 Nov 2022 at 08:49, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>
>>> Hi,
>>> I wonder if you're hitting *Bug 1999321*
>>> <https://bugzilla.redhat.com/show_bug.cgi?id=1999321> - DNS often stops
>>> resolving properly after FreeIPA server upgrade to Fedora 35 or 36
>>>
>>> The workaround would be to disable dnssec validation. Edit
>>> /etc/named/ipa-options-ext.conf or /etc/named.conf (depending on your
>>> version) and replace
>>> dnssec-validation yes
>>> with
>>> dnssec-validation no
>>>
>>> Then restart named.
>>>
>>> HTH,
>>> flo
>>>
>>> On Tue, Nov 22, 2022 at 3:59 PM Rob Verduijn via FreeIPA-users <
>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> I've found an issue with my ipa dns setup.
>>>>
>>>> All local dns queries work fine.
>>>> However, queries outside my ipa domain fail most of the time.
>>>>
>>>> I found this error in the logs:
>>>> managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
>>>>
>>>> I think that this causes my problems with external dns.
>>>>
>>>> Anybody who knows how to deal with this?
>>>> Rob
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>> Do not reply to spam, report it:
>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>
>>>