On 15/07/15 15:07, Nevada Sanchez wrote:
On Wednesday, July 15, 2015, Martin Basti <mba...@redhat.com> wrote:

    On 14/07/15 19:12, Nevada Sanchez wrote:
    I have FreeIPA setup as our primary DNS on an AWS VPC. I setup
    global forwarding ('Forward First') so that it will forward
    queries to Amazon's DNS, and then fall back on IPA if it doesn't
    see a hit.

    This works perfectly fine for forward DNS lookups:

    $ # This host does not exist on FreeIPA, but does on Amazon DNS
    $ host ip-10-0-6-17.ec2.internal
    ip-10-0-6-17.ec2.internal has address 10.0.6.17

    However,  for reverse lookups, it doesn't seem to get forwarded

    $ # Same host, reverse lookup fails at FreeIPA
    $ host 10.0.6.17
    Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

    $ # Explicitly forwarding to Amazon DNS, reverse lookup works
    $ host 10.0.6.17 10.0.0.2
    Using domain server:
    Name: 10.0.0.2
    Address: 10.0.0.2#53
    Aliases:
    17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.

    Please help. Thanks!

    --
    *Nevada Sanchez*
    Co-Founder, ASIC Design Team Lead
    <http://www.butterflynetinc.com/>
    tel: 203.689.5650 x314 | mobile: 775.863.8726
    Come join us <http://www.4combinator.com/#opportunities> and put
    a dent in the universe!


    Hello, do you have any reverse zones (with suffix 10.in-addr.arpa)
    configured on IPA DNS?

-- Martin Basti

Yes.



Have you configured proper delegation via NS records to subzones of 10.in-addr.arpa. on IPA DNS? In particular, do you have a delegation for the 6.0.10.in-addr.arpa. zone to Amazon DNS?

Please note that "forward first" doesn't mean that the forwarder will be contacted first and IPA used as a fallback. "Forward first" means that if there is no authoritative zone on the IPA server, the query will be forwarded to the forwarder; if the forwarder doesn't return an answer, then recursive search (if allowed) will be used from the root zone. You have the 10.in-addr.arpa. zone configured, so it is the authoritative zone for the 17.6.0.10.in-addr.arpa. query, and you will get the authoritative answer NXDOMAIN; there is no need for forwarding.
You need to add a delegation:
ipa dnsrecord-add 10.in-addr.arpa. 6.0.10.in-addr.arpa. --ns-rec=amazon.dns.

HTH

--
Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project