On 03/12/2015 12:17 AM, Dmitri Pal wrote:
> On 03/11/2015 04:37 PM, Steven Jones wrote:
>> ======
>> [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns
>> --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg 
>> --skip-conncheck
>> Checking forwarders, please wait ...
>> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in 
>> answers
>> Please fix forwarder configuration to enable DNSSEC support.
>> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
>> WARNING: DNSSEC validation will be disabled
>> ======
>>
>> The AD server is a win2k12r2.
> 
> Thanks, I will follow up.

As Dmitri said, all automatic DNSSEC key handling did not make the cut in
RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be
left with manual configuration as described in the upstream article:

http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support

We, however, still left this error message to make users and customers aware
that their name server is not ready even for manual DNSSEC. However, I did some
brief research, and win2k12r2 should already support DNSSEC. Maybe the support
needs to be enabled.

What DNS server do you have in /etc/resolv.conf? The IPA DNS server plus a
configured DNS forward zone, or do you have the AD IP address there directly?
Martin Basti (CCed) recently found an issue with this check and DNS forwarders
IIRC.
