On 6.10.2015 18:57, nat...@nathanpeters.com wrote:
>> Your expectation #1 is correct, but there can be multiple reasons why it
>> Did you try to set forward policy = only as I advised you in the previous
>> e-mail? Forward policy 'first' does not make sense when split-DNS is
>> because you can end up with mixture of records from different views in one
>> cache, which obviously results in a mess.
> Yes, we ended up having to use the forward only policy to get this
> working. That is unfortunate, because if our forwarding server ever goes
> down or gets rebooted, that essentially disconnects us from being able to
> resolve external internet domain names. It would be nice to have
> recursion as a fallback, but it seems to go into that mode too often to be
> useful in our split DNS situation.
>>> 2. We did some more network packet capture, and noticed that in forward
>>> first mode, the FreeIPA server, always sent out both a forward request
>>> the forwarding server, and an additional simultaneous request to the
>>> name servers (recursive mode). It got back responses to both the
>>> forwarded and recursive queries it had performed. The recursive query
>>> failed due to split DNS and the forwarded query succeeded due to it
>>> to an internal server which had the correct records. Strangely
>>> the IPA server ignored the successful forwarded answer, and sent back
>>> 'failed' answer it had gotten through recursion back to the requesting
>>> client. What is the behavior supposed to be in this situation and why
>>> the server always sending out the recursive request, even when it gets a
>>> valid answer from the forwarded request?
>> This is weird, but again - it can have multiple reasons. Do you see
>> in BIND logs? Does it e.g. complain about DNSSEC validation failures?
>> Petr^2 Spacek
> Yes, we actually were getting DNSSEC validation failures. We had to
> disable DNSSEC to get the forward only policy to work. With DNSSEC turned
> on, forward only would not work because DNSSEC still tried to directly
> contact root servers.
It is very likely that this was caused by some misconfiguration in your DNS
views. Could you share error messages from BIND logs? We could use them to
improve detection logic so we can warn users early instead of tedious debugging.
BTW what version if IPA do you use? We were adding checks to catch common
misconfigurations to version 4.2.
Petr Spacek @ Red Hat
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project