On 03/12/2015 12:17 AM, Dmitri Pal wrote:
> On 03/11/2015 04:37 PM, Steven Jones wrote:
>> ======
>> [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder= -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
>> Checking forwarders, please wait ...
>> WARNING: DNS forwarder does not return DNSSEC signatures in answers
>> Please fix forwarder configuration to enable DNSSEC support.
>> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
>> WARNING: DNSSEC validation will be disabled
>> ======
>> The AD server is a win2k12r2.
> Thanks, I will follow up.

As Dmitri said, all automatic DNSSEC key handling did not make the cut in
RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be
left with manual configuration as described in the upstream article:


We, however, still left this error message in to make users and customers aware
that their name server is not ready even for manual DNSSEC. However, I did some
brief research, and win2k12r2 should already support DNSSEC. Maybe the support
needs to be enabled.

What DNS server do you have in /etc/resolv.conf? The IPA DNS server plus a
configured DNS forward zone, or do you have the AD IP address there directly?
Martin Basti (CCed) recently found an issue with this check and DNS forwarders,
IIRC.
