On Tue, 08 Aug 2023, Alan Latteri via FreeIPA-users wrote:
Hello Alexander,
I've created a fresh IPA VM as:
ipaserver.subdomain.domain.abc123
I've then created 2 new zones:
domain.abc123
domain02.abc123
along with host entries for:
host01.domain.abc123
host02.domain02.abc123
domain.abc123 does NOT serve.
domain02.abc123 serves properly.
I've uploaded the logs to:
http://instinctual.io/ipa_dns_problem.zip
Thanks. named.log shows this:
08-Aug-2023 13:49:30.949 zoneload: debug 1: zone domain.abc123/IN: starting load
08-Aug-2023 13:49:30.949 general: error: zone domain.abc123/IN: NS 'ipaserver.subdomain.domain.abc123' has no address records (A or AAAA)
08-Aug-2023 13:49:30.949 zoneload: debug 1: zone domain.abc123/IN: loaded; checking validity
08-Aug-2023 13:49:30.949 zoneload: error: zone domain.abc123/IN: not loaded due to errors.
08-Aug-2023 13:49:30.950 general: debug 1: zone_settimer: zone domain02.abc123/IN: enter
Typically, when you define an NS record, it should be something that is
already resolvable through other means. In this case BIND cannot resolve
'ipaserver.subdomain.domain.abc123' because it cannot load the domain.abc123
zone, and 'ipaserver.subdomain.domain.abc123' should presumably be under
a subdomain of the domain 'domain.abc123'.
Additionally you can see more info below.
Thank you.
[root@ipaserver ~]# ipa dnsserver-find
--------------------
1 DNS server matched
--------------------
Server name: ipaserver.subdomain.domain.abc123
SOA mname override: ipaserver.subdomain.domain.abc123.
Forwarders: 8.8.8.8, 9.9.9.9
Forward policy: only
----------------------------
Number of entries returned 1
----------------------------
[root@ipaserver ~]# ipa dnszone-show domain.abc123 --all
dn: idnsname=domain.abc123.,cn=dns,dc=subdomain,dc=domain,dc=abc123
Zone name: domain.abc123.
Active zone: True
Authoritative nameserver: ipaserver.subdomain.domain.abc123.
Administrator e-mail address: hostmaster
SOA serial: 1691527770
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant SUBDOMAIN.DOMAIN.ABC123 krb5-self * A; grant SUBDOMAIN.DOMAIN.ABC123 krb5-self * AAAA; grant SUBDOMAIN.DOMAIN.ABC123 krb5-self * SSHFP;
Dynamic update: False
Allow query: any;
Allow transfer: none;
nsrecord: ipaserver.subdomain.domain.abc123.
objectclass: top, idnsrecord, idnszone
[root@ipaserver ~]# dig @ipaserver.subdomain.domain.abc123 host01.domain.abc123
; <<>> DiG 9.16.23-RH <<>> @ipaserver.subdomain.domain.abc123 host01.domain.abc123
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27117
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b069cd5202410b030100000064d2aae579c12b1d0b769bab (good)
;; QUESTION SECTION:
;host01.domain.abc123. IN A
;; Query time: 2 msec
;; SERVER: 10.55.2.2#53(10.55.2.2)
;; WHEN: Tue Aug 08 13:51:49 PDT 2023
;; MSG SIZE rcvd: 77
[root@ipaserver ~]# nslookup host01.domain.abc123 ipaserver.subdomain.domain.abc123
Server: ipaserver.subdomain.domain.abc123
Address: 10.55.2.2#53
** server can't find host01.domain.abc123: SERVFAIL
[root@ipaserver ~]# dig @ipaserver.subdomain.domain.abc123 host02.domain02.abc123
; <<>> DiG 9.16.23-RH <<>> @ipaserver.subdomain.domain.abc123 host02.domain02.abc123
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58676
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1bd570e5dd3340280100000064d2aaf58c5886a84c70ed89 (good)
;; QUESTION SECTION:
;host02.domain02.abc123. IN A
;; ANSWER SECTION:
host02.domain02.abc123. 86400 IN A 10.55.4.4
;; Query time: 1 msec
;; SERVER: 10.55.2.2#53(10.55.2.2)
;; WHEN: Tue Aug 08 13:52:05 PDT 2023
;; MSG SIZE rcvd: 95
[root@ipaserver ~]# nslookup host02.domain02.abc123 ipaserver.subdomain.domain.abc123
Server: ipaserver.subdomain.domain.abc123
Address: 10.55.2.2#53
Name: host02.domain02.abc123
Address: 10.55.4.4
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
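The zone-load failure above comes from BIND's sanity check on apex NS records: an NS target that lies inside the zone must have an A/AAAA record in that zone (glue), while a target outside the zone is simply resolved elsewhere. The following script is an added example, not code from the thread or from FreeIPA/BIND; it approximates that check on small constructed zone data for the two zones discussed and shows why domain02.abc123 loads and domain.abc123 does not. The 10.55.1.1 address for host01 is a constructed value; the others are taken from the thread.

```python
from typing import List, Tuple

# (owner, type, rdata); owner names are FQDNs with a trailing dot.
Record = Tuple[str, str, str]


def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex itself or lies anywhere below it (case-insensitive)."""
    name, apex = name.lower(), apex.lower()
    return name == apex or name.endswith("." + apex)


def check_apex_ns(apex: str, records: List[Record]) -> List[str]:
    """Approximate BIND's apex NS check: an in-zone NS target needs an A/AAAA
    record in the same zone. Returns BIND-style error strings (empty = OK)."""
    addr_owners = {o.lower() for o, t, _ in records if t in ("A", "AAAA")}
    errors = []
    for owner, rtype, target in records:
        if owner.lower() != apex.lower() or rtype != "NS":
            continue
        if in_zone(target, apex) and target.lower() not in addr_owners:
            errors.append(f"zone {apex[:-1]}/IN: NS '{target[:-1]}' "
                          "has no address records (A or AAAA)")
    return errors


def zone_loads(apex: str, records: List[Record]) -> bool:
    """Mirror the 'not loaded due to errors' outcome: load only if no errors."""
    return not check_apex_ns(apex, records)


# Constructed zone data modelled on the thread. The NS target
# ipaserver.subdomain.domain.abc123 sits below domain.abc123 but has no
# address record there, so that zone fails; for domain02.abc123 the same
# NS target is out-of-zone, so no glue is required.
NS = "ipaserver.subdomain.domain.abc123."
ZONE_BROKEN: List[Record] = [("domain.abc123.", "NS", NS),
                             ("host01.domain.abc123.", "A", "10.55.1.1")]
ZONE_OK: List[Record] = [("domain02.abc123.", "NS", NS),
                         ("host02.domain02.abc123.", "A", "10.55.4.4")]
# Remedy: add the NS host's address inside domain.abc123 as glue.
ZONE_FIXED: List[Record] = ZONE_BROKEN + [(NS, "A", "10.55.2.2")]

if __name__ == "__main__":
    for apex, recs in (("domain.abc123.", ZONE_BROKEN),
                       ("domain02.abc123.", ZONE_OK),
                       ("domain.abc123.", ZONE_FIXED)):
        print(apex, "loads" if zone_loads(apex, recs) else check_apex_ns(apex, recs))
```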