2014-09-22 9:29 GMT+03:00 Petr Spacek <pspa...@redhat.com>:

> 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
> they involve normal DNS cache.
>
Which type of forwarder do you have configured? Is your 'forwarding policy'
> set to 'first' (default) or 'only'?
>
> I have default forwarding policy:

[root@ipaserver1 ~]# ipa dnsconfig-show
  Global forwarders: 192.168.227.60


> Forwarding policy 'first' (combined with cache) could be the cause of your
> problem. 'First' policy instructs BIND to contact the configured server and
> if it fails (because of timeout) BIND will re-try the same query using
> normal recursion.
>
> Depending on your network configuration, the normal DNS recursion can
> return different results than forwarding(^1). In this case BIND can cache
> e.g. NXDOMAIN answer from some other server and this answer will stay in
> cache for TTL value in the given answer.
>
> As a result, IPA could get cached NXDOMAIN instead of correct SRV records
> for AD until the TTL in cache expires.
>
> This is of course a wild guess. Detailed logs from named (log level 5 or
> higher+querylog) could tell us what exactly happened.
>
>
This the named log after i increased the debug level to 5 and enabled
querylog:

https://gist.github.com/anonymous/89308cbca3b07252674c


> Have a nice day!
>
> (^1) I would argue that this points to a flaw in network configuration...
>
>
The test involvement is just bunch of VMs in NAT configurations.

Petr^2 Spacek
>
>
Thank you for the help.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to