Re: [Freeipa-users] reverse DNS lookup does not work

Fri, 14 Aug 2015 01:20:58 -0700 


On 08/11/2015 04:47 PM, Nikola Kržalić wrote:

reverse DNS lookup stopped working after I broke some replication
agreements (perhaps unrelated, but worth mentioning). Regular A
records resolve fine.
The records can be seen in LDAP (using ldapsearch with GSSAPI after
kinit -t /etc/named.keytab):

the zone:

# 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET
   krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsForwarders: 172.23.1.5
idnsAllowSyncPTR: TRUE
idnsSOAserial: 1439302482
idnsSOArName: hostmaster.ipa.example.net.
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: ldap1.example.lan.
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.

the entry:
# 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

but the reverse dns lookup fails anyway:

[root@ldap1 ~]# dig -x 10.63.0.68

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87

[root@ldap1 ~]#

Any thoughts?


Hello,

It seems that DNS delegation doesn't work or you asked non IPA DNS server.

Do you have the right server in resolv.conf? (dig sent query to 172.23.1.5)


Do you have reverse zone 10.in-addr.arpa. configured on IPA DNS, does it 
have proper delegation to 0.63.10.in-addr.arpa zone.


Do you use IPA 3.x or IPA 4.x?

If 3.x there might be issue with forwarding, because the zone 
0.63.10.in-addr.arpa works as forward zone and forwards queries to 
server 172.23.1.5, that return NXDOMAIN for that zone.




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to