2014-09-22 9:29 GMT+03:00 Petr Spacek <pspa...@redhat.com>:

> 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
> they involve normal DNS cache.
> Which type of forwarder do you have configured? Is your 'forwarding policy'
> set to 'first' (default) or 'only'?
I have default forwarding policy:

[root@ipaserver1 ~]# ipa dnsconfig-show
  Global forwarders:

> Forwarding policy 'first' (combined with cache) could be the cause of your
> problem. 'First' policy instructs BIND to contact the configured server and
> if it fails (because of timeout) BIND will re-try the same query using
> normal recursion.
> Depending on your network configuration, the normal DNS recursion can
> return different results than forwarding(^1). In this case BIND can cache
> e.g. NXDOMAIN answer from some other server and this answer will stay in
> cache for TTL value in the given answer.
> As a result, IPA could get cached NXDOMAIN instead of correct SRV records
> for AD until the TTL in cache expires.
> This is of course a wild guess. Detailed logs from named (log level 5 or
> higher+querylog) could tell us what exactly happened.
This is the named log after I increased the debug level to 5 and enabled


> Have a nice day!
> (^1) I would argue that this points to a flaw in network configuration...
The test environment is just a bunch of VMs in NAT configuration.

> Petr^2 Spacek
Thank you for the help.
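As an added illustration of the 'first' versus 'only' semantics described in the quoted reply (this is a plain BIND fragment written for this thread, not configuration from the original message or FreeIPA's generated named.conf; the zone name and addresses are constructed placeholders):

```conf
// Constructed example: plain BIND named.conf fragments, not FreeIPA's
// generated configuration. Zone name and addresses are placeholders.

options {
    forwarders { 192.0.2.53; };
    // 'first': query the forwarder; if it does not answer, fall back to
    // normal recursion. Whatever the recursive path returns (including an
    // NXDOMAIN from an unrelated server) is cached for its TTL and then
    // served from cache to later lookups of the same name.
    forward first;
};

// Forward zone for the AD domain with policy 'only': BIND never falls
// back to recursion for this zone, so it cannot cache an answer from a
// server other than the configured forwarders for the AD SRV records.
zone "ad.example.test" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
```

A stale NXDOMAIN already sitting in the cache can be dropped without a restart with `rndc flushname _ldap._tcp.ad.example.test` (substitute the real AD name).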
