On 24.9.2014 18:00, Genadi Postrilko wrote:
2014-09-22 9:29 GMT+03:00 Petr Spacek <pspa...@redhat.com>:

'IPA forwarders' are exactly the same as normal 'BIND forward zone' so
they involve normal DNS cache.

Which type of forwarder do you have configured? Is your 'forwarding policy'
set to 'first' (default) or 'only'?

I have default forwarding policy:

[root@ipaserver1 ~]# ipa dnsconfig-show
   Global forwarders: 192.168.227.60

Okay, your configuration is using default forwarding policy 'first'.

You can set it to 'only' using command
$ ipa dnsconfig-mod --forward-policy=only

I guess that it will fix the problem.

Forwarding policy 'first' (combined with cache) could be the cause of your
problem. 'First' policy instructs BIND to contact the configured server and
if it fails (because of timeout) BIND will re-try the same query using
normal recursion.

Depending on your network configuration, the normal DNS recursion can
return different results than forwarding(^1). In this case BIND can cache
e.g. NXDOMAIN answer from some other server and this answer will stay in
cache for TTL value in the given answer.

As a result, IPA could get cached NXDOMAIN instead of correct SRV records
for AD until the TTL in cache expires.

This is of course a wild guess. Detailed logs from named (log level 5 or
higher+querylog) could tell us what exactly happened.


This is the named log after I increased the debug level to 5 and enabled
querylog:

https://gist.github.com/anonymous/89308cbca3b07252674c

Unfortunately the log doesn't contain any information. I guess that you did not reproduce the problem after changing the debug level ...

--
Petr^2 Spacek
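To make the failure mode Petr describes concrete, here is an added model (not code from the thread or from BIND/FreeIPA) of a caching resolver with forward policy 'first' versus 'only'. The forwarder, the AD SRV name and the TTLs are constructed; BIND's separate short-lived SERVFAIL cache is deliberately not modelled.

```python
"""Model of the scenario in the thread: with forward policy 'first', a
forwarder timeout makes the resolver fall back to normal recursion, and the
answer obtained that way (a constructed NXDOMAIN) is cached for its TTL.
With policy 'only' the query fails instead and nothing negative is cached."""

from dataclasses import dataclass, field

NXDOMAIN, SERVFAIL, TIMEOUT = "NXDOMAIN", "SERVFAIL", "TIMEOUT"
AD_SRV = "_ldap._tcp.ad.example.test"   # constructed name, not from the thread


@dataclass
class Resolver:
    policy: str                       # 'first' or 'only', as in named.conf 'forward'
    forwarder_up: bool = True
    now: int = 0                      # simulated clock in seconds
    cache: dict = field(default_factory=dict)   # name -> (answer, expires_at)

    def _forwarder(self, name):
        # The internal forwarder knows the AD zone; assumed TTL 300 s.
        return (TIMEOUT, 0) if not self.forwarder_up else ("SRV record", 300)

    def _recursion(self, name):
        # Constructed: the public tree has no such zone and says NXDOMAIN, TTL 3600 s.
        return (NXDOMAIN, 3600)

    def query(self, name):
        cached = self.cache.get(name)
        if cached and cached[1] > self.now:
            return cached[0]                      # served from cache until TTL expires
        answer, ttl = self._forwarder(name)
        if answer == TIMEOUT:
            if self.policy == "only":
                return SERVFAIL                   # fail closed; nothing is cached
            answer, ttl = self._recursion(name)   # 'first': retry via normal recursion
        self.cache[name] = (answer, self.now + ttl)
        return answer


def outage_then_recovery(policy):
    """Forwarder unreachable at t=0, back at t=60; query at t=0, t=60 and t=3600."""
    r = Resolver(policy, forwarder_up=False)
    seen = [r.query(AD_SRV)]
    r.forwarder_up, r.now = True, 60
    seen.append(r.query(AD_SRV))                  # 'first' still serves cached NXDOMAIN
    r.now = 3600
    seen.append(r.query(AD_SRV))                  # negative entry has expired by now
    return seen


if __name__ == "__main__":
    for policy in ("first", "only"):
        print(policy, outage_then_recovery(policy))
```

The 'first' run shows the symptom from the thread: the SRV lookup keeps failing with NXDOMAIN for a full hour after the forwarder is reachable again, which is why switching the policy to 'only' removes the window.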

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project