On 03/12/2015 12:17 AM, Dmitri Pal wrote:
> On 03/11/2015 04:37 PM, Steven Jones wrote:
>> ======
>> [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns
>> --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg
>> --skip-conncheck
>> Checking forwarders, please wait ...
>> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in
>> answers
>> Please fix forwarder configuration to enable DNSSEC support.
>> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
>> WARNING: DNSSEC validation will be disabled
>> ======
>>
>> The AD server is a win2k12r2.
>
> Thanks, I will follow up.
As Dmitri said, all automatic DNSSEC key handling did not make the cut in RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be left with the manual configuration described in the upstream article: http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support

We, however, still left this error message in to make users and customers aware that their name server is not ready even for manual DNSSEC.

However, I did some short research, and win2k12r2 should already support DNSSEC. Maybe the support needs to be enabled.

What DNS server do you have in /etc/resolv.conf? The IPA DNS server with a configured DNS forward zone, or the AD IP address directly?

Martin Basti (CCed) recently found an issue with this check and DNS forwarders, IIRC.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
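The warning quoted above reports that the forwarder's answers carry no DNSSEC signatures. The following is an added, offline illustration of that kind of check (not FreeIPA's own code): it builds a query with the EDNS0 DO bit set and inspects a wire-format response for RRSIG records; the example.test name and both responses are constructed, not captured traffic.

```python
import struct

RRSIG, OPT = 46, 41

def build_dnssec_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query with an EDNS0 OPT record whose DO bit is set, so a forwarder
    that supports DNSSEC includes RRSIGs for signed zones in its answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def answer_has_rrsig(resp: bytes) -> bool:
    """Walk the answer section and report whether any RR is an RRSIG (type 46)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == RRSIG:
            return True
        off += 10 + rdlen
    return False

def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed responses (not captured traffic) for example.test A, with and without an RRSIG.
_QNAME = b"\x07example\x04test\x00"
_QUESTION = _QNAME + struct.pack("!HH", 1, 1)
_PTR = b"\xc0\x0c"                                # compression pointer to the question name
_A = _rr(_PTR, 1, bytes([192, 0, 2, 1]))
_RRSIG = _rr(_PTR, RRSIG, b"\x00" * 18 + _QNAME + b"\x00" * 64)  # zeroed fields, placeholder signature
SIGNED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _QUESTION + _A + _RRSIG
UNSIGNED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _A
```

A forwarder whose answers look like UNSIGNED_RESPONSE to a DO-bit query is the situation the installer warns about; validation cannot work without the signatures.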