2014-09-22 9:29 GMT+03:00 Petr Spacek <pspa...@redhat.com>:
> 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
> they involve normal DNS cache.
> Which type of forwarder do you have configured? Is your 'forwarding policy'
> set to 'first' (default) or 'only'?
>

I have the default forwarding policy:

[root@ipaserver1 ~]# ipa dnsconfig-show
Global forwarders: 192.168.227.60

> Forwarding policy 'first' (combined with cache) could be the cause of your
> problem. 'First' policy instructs BIND to contact the configured server and
> if it fails (because of timeout) BIND will re-try the same query using
> normal recursion.
>
> Depending on your network configuration, the normal DNS recursion can
> return different results than forwarding(^1). In this case BIND can cache
> e.g. NXDOMAIN answer from some other server and this answer will stay in
> cache for TTL value in the given answer.
>
> As a result, IPA could get cached NXDOMAIN instead of correct SRV records
> for AD until the TTL in cache expires.
>
> This is of course a wild guess. Detailed logs from named (log level 5 or
> higher+querylog) could tell us what exactly happened.
>

This is the named log after I increased the debug level to 5 and enabled querylog: https://gist.github.com/anonymous/89308cbca3b07252674c

> Have a nice day!
>
> (^1) I would argue that this points to a flaw in network configuration...
>

The test involvement is just a bunch of VMs in NAT configurations.

> Petr^2 Spacek
>

Thank you for the help.
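The cached-NXDOMAIN scenario Petr describes can be confirmed without reading the full named log: ask the IPA server and the forwarder directly for the same AD SRV record and compare the RCODEs. The script below is an added example, not code from the thread or from FreeIPA; the AD domain and the IPA server address are placeholders, and only the forwarder 192.168.227.60 comes from the thread.

```shell
#!/bin/sh
# Diagnose a stale negative cache entry on the IPA resolver versus the forwarder.
# Assumed values (placeholders, not from the thread): the AD domain ad.example.test
# and the IPA server 192.168.227.10. The forwarder 192.168.227.60 is from the thread.

# Print the RCODE (NOERROR, NXDOMAIN, SERVFAIL, ...) from `dig` output on stdin.
rcode_of() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# For a negative answer, the time the entry will stay in BIND's cache is the TTL
# of the SOA record in the AUTHORITY SECTION. Prints it, or nothing if absent.
neg_ttl_of() {
    awk '/^;; AUTHORITY SECTION:/ { in_auth = 1; next }
         /^;;/                    { in_auth = 0 }
         in_auth && $4 == "SOA"   { print $2; exit }'
}

# Compare the IPA server's answer with the forwarder's answer for one SRV name.
# Returns 1 when IPA answers NXDOMAIN while the forwarder has the record, i.e.
# the symptom from the thread: a negative answer cached after a 'first' fallback.
compare_srv() {
    name="$1"; ipa="$2"; fwd="$3"
    ipa_out=$(dig +time=3 +tries=1 @"$ipa" "$name" SRV)
    fwd_out=$(dig +time=3 +tries=1 @"$fwd" "$name" SRV)
    ipa_rc=$(printf '%s\n' "$ipa_out" | rcode_of)
    fwd_rc=$(printf '%s\n' "$fwd_out" | rcode_of)
    echo "IPA server ($ipa): $ipa_rc"
    echo "forwarder  ($fwd): $fwd_rc"
    if [ "$ipa_rc" = "NXDOMAIN" ] && [ "$fwd_rc" = "NOERROR" ]; then
        echo "stale negative cache on IPA; expires in $(printf '%s\n' "$ipa_out" | neg_ttl_of)s"
        return 1
    fi
    return 0
}

# Example invocation (placeholder domain and IPA address):
# compare_srv _ldap._tcp.dc._msdcs.ad.example.test 192.168.227.10 192.168.227.60
```

If the check reports a stale entry, `rndc flush` clears the cache on the IPA server, and switching the policy to 'only' (on FreeIPA 4.x: `ipa dnsconfig-mod --forward-policy=only`) stops named from falling back to recursion when the forwarder times out.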
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project