On 08/11/2015 04:47 PM, Nikola Kržalić wrote:
reverse DNS lookup stopped working after I broke some replication
agreements (perhaps unrelated, but worth mentioning). Regular A
records resolve fine.
The records can be seen in LDAP (using ldapsearch with GSSAPI after
kinit -t /etc/named.keytab):

the zone:

# 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET
   krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsAllowSyncPTR: TRUE
idnsSOAserial: 1439302482
idnsSOArName: hostmaster.ipa.example.net.
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: ldap1.example.lan.
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.

the entry:
# 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

but the reverse dns lookup fails anyway:

[root@ldap1 ~]# dig -x

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096

10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87

[root@ldap1 ~]#

Any thoughts?


It seems that DNS delegation doesn't work or you asked non IPA DNS server.

Do you have the right server in resolv.conf? (dig sent query to

Do you have reverse zone 10.in-addr.arpa. configured on IPA DNS, does it have proper delegation to 0.63.10.in-addr.arpa zone.

Do you use IPA 3.x or IPA 4.x?
If 3.x there might be issue with forwarding, because the zone 0.63.10.in-addr.arpa works as forward zone and forwards queries to server, that return NXDOMAIN for that zone.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to