On 12/03/15 08:30, Martin Kosek wrote:
On 03/12/2015 12:17 AM, Dmitri Pal wrote:
On 03/11/2015 04:37 PM, Steven Jones wrote:
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns
--forwarder= -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg
Checking forwarders, please wait ...
WARNING: DNS forwarder does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled

The AD server is a win2k12r2.
Thanks, I will follow up.
As Dmitri said, all automatic DNSSEC key handling did not make the cut in
RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be
left with manual configuration as described in the upstream article:


We, however, still left this error message to make users and customers aware
that their name server is not ready even for manual DNSSEC. However, I did some
short research, and win2k12r2 should already support DNSSEC. Maybe the support
needs to be enabled.

What DNS server do you have in /etc/resolv.conf? IPA DNS server + configured
DNS forward zone or do you have there AD IP address directly? Martin Basti
(CCed) recently found an issue with this check and DNS forwarders IIRC.

IPA tests forwarders to see if they are able to return the signed root zone.
It is not an issue with the test itself; we have always found a misconfiguration on the forwarder side. The issue is the warning message, because problems reported as a DNSSEC failure usually have a different root cause (which also prevents the use of DNSSEC). We plan to make this validation more specific, so that it reports the correct issue.
This check happens only for global forwarders.

IPA automatically disables DNSSEC validation during installation if any of the configured global forwarders are not DNSSEC capable. With DNSSEC validation enabled, the DNS server may drop unsigned responses from the forwarder.


Martin Basti
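The forwarder check Martin describes above (ask each global forwarder for the signed root zone and see whether signatures come back), as an added example that is not FreeIPA's own code: it builds a ". SOA" query with the EDNS0 DO bit set and reports whether the answer section carries RRSIG records. The two sample responses are constructed here for offline use, and the query_forwarder helper and all names are assumptions, not taken from the thread.

```python
import socket
import struct

SOA, RRSIG, OPT = 6, 46, 41  # RR type codes

def build_root_soa_query(txid=0x1234):
    """Query for '. SOA' with an EDNS0 OPT record whose DO bit asks the
    server to include RRSIG records in its answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", SOA, 1)            # root name, type SOA, class IN
    # OPT: name ".", type 41, UDP payload 4096, TTL field 0x8000 = DO bit, no rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a wire-format name, including compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, and it ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def answer_types(msg):
    """Return the RR types found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def returns_dnssec_signatures(response):
    return RRSIG in answer_types(response)

def query_forwarder(ip, timeout=3.0):
    """Send the root SOA query to a forwarder over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_soa_query(), (ip, 53))
        return s.recv(4096)

def _rr(rtype, rdata):  # helper for building constructed sample answers
    return b"\x00" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

# Constructed sample responses (not real captures): with and without an RRSIG.
_question = b"\x00" + struct.pack("!HH", SOA, 1)
SIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _question + _rr(SOA, b"\x00" * 22) + _rr(RRSIG, b"\x00" * 40)
UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question + _rr(SOA, b"\x00" * 22)
```

Running returns_dnssec_signatures(query_forwarder("<forwarder-ip>")) against a forwarder that answers False is the situation the installer warns about; on BIND 9 that usually means "dnssec-enable yes;" is missing from options {}.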

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
