>>> Looking at the log entries, it appears that there may have been a
>>> connectivity 'blip' (maybe a switch or router was restarted) at some
>>> point, and even after connectivity was restored, the global forwarding was
>>> failing because the "we can't contact our forwarder" status seemed to
>>> be stuck in memory.
> Most likely.
>>> [root@dc1 ~]# ipa dnsconfig-show
>>> Global forwarders: 10.21.0.14
>>> Allow PTR sync: TRUE
> This means that you are using the default forward policy which is 'first'.
> I.e. the BIND daemon on the IPA server is trying to use the forwarder first, and
> when it fails it falls back to asking servers on the public Internet.
> I speculate that public servers know nothing about the name you were
> for and this negative answer got cached. This is default behavior in BIND and
> IPA did not change it.
> Workaround for network problems could be
> $ ipa dnsconfig-mod --forward-policy=only
> which will prevent BIND from falling back to public servers.
> Anyway, you should solve network connectivity problems, too :-)
> I hope this helps.
> Petr^2 Spacek
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Ok, we managed to figure out what was happening here, but I still think
there is a bug somewhere in the FreeIPA DNS components that is
exacerbating the issue.
We have split DNS in our company. We have a public copy of our DNS
records, which contain only A records. We also have an internal copy of
our DNS records, which contains a bunch of CNAME records.
When we use nslookup to query the IPA server for stash.externaldomain.net,
NSLOOKUP returns that stash.externaldomain.net is a CNAME and it returns
the associated A address.
When we query FreeIPA through a DNS client, FreeIPA returns that stash is a
CNAME and does not return the associated A address. It seems like at that
point, FreeIPA decides that instead of sticking in 'forward' mode and
forwarding the request for the CNAME