On 27.1.2016 02:54, Nathan Peters wrote:
> I have my FreeIPA server set up with a forward only policy for DNS.
>
> If I perform an nslookup against either of the configured forward servers, I
> can do a reverse lookup properly.
>
> If I perform the same nslookup against my local server, it will not find the
> entry.
>
> I have confirmed that there are no conflicting zones or reverse zones on my
> FreeIPA server.
>
> Tests below:
>
> 1. Show forwarding configuration
>
> 2. Test lookup against localhost of own domain name (prove we can find
> records we host as primary)
>
> 3. Prove we can do forward lookup on the host that we can't reverse lookup
> on
>
> 4. Reverse lookup fails against localhost
>
> 5. Reverse lookup succeeds against forward server 1
>
> 6. Reverse lookup succeeds against forward server 2
>
> So... if I am set to always forward, and I don't host this domain (or a
> parent of it), and I can look up the server on my forwarded domains,
>
> Then... why can't that query get forwarded properly according to my
> forwarding settings?
>
> 1. ===========================
> [root@dc2-ipa-dev-van ~]# ipa dnsconfig-show
> Global forwarders: 10.21.0.15, 10.21.0.14
> Forward policy: only
> Allow PTR sync: TRUE
> 2. ===========================
> [root@dc2-ipa-dev-van ~]# nslookup
>> dc2-ipa-dev-van.dev-mydomain.net
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Name: dc2-ipa-dev-van.dev-mydomain.net
> Address: 10.21.0.98
> 3. ===========================
>> officedc2.office.mydomain.net
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: officedc2.office.mydomain.net
> Address: 10.6.60.6
> 4. ===========================
>> 10.6.60.6
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find 6.60.6.10.in-addr.arpa: NXDOMAIN
> 5. ===========================
>> server 10.21.0.14
> Default server: 10.21.0.14
> Address: 10.21.0.14#53
>> 10.6.60.6
> Server: 10.21.0.14
> Address: 10.21.0.14#53
>
> Non-authoritative answer:
> 6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.
>
> Authoritative answers can be found from:
> 6. ===========================
>> server 10.21.0.15
> Default server: 10.21.0.15
> Address: 10.21.0.15#53
>> 10.6.60.6
> Server: 10.21.0.15
> Address: 10.21.0.15#53
>
> Non-authoritative answer:
> 6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.
>
> Authoritative answers can be found from:
Hello,

I suspect that you hit a deficiency in bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/160

I'm working on a fix but it is not ready yet.

Workaround is to add the following line to named.conf on all IPA servers:

disable-empty-zone "10.in-addr.arpa.";

Please confirm that it works for you.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
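A small checker, added here and not part of the thread or of bind-dyndb-ldap, that shows why the PTR query in test 4 never reaches the forwarders: BIND serves 10.in-addr.arpa and the other RFC 6303 reverse zones as built-in empty zones, so 6.60.6.10.in-addr.arpa gets a local NXDOMAIN regardless of "forward only" unless that empty zone is disabled. It maps an address to its reverse name, finds the covering automatic empty zone (only a subset of the list is included), and reports which disable-empty-zone line a named.conf text is still missing; the sample config is constructed.

```python
import ipaddress
import re

# Subset of the reverse zones BIND loads automatically as "empty zones"
# (RFC 6303): RFC 1918 space, loopback, link-local and the "this" network.
# A query under one of these names gets a local NXDOMAIN, not a forward.
AUTOMATIC_EMPTY_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa", "127.in-addr.arpa",
     "254.169.in-addr.arpa", "0.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
)

def reverse_name(ip: str) -> str:
    """Owner name a PTR query for ip uses (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def covering_empty_zone(ip: str):
    """Automatic empty zone that would answer the PTR query for ip, or None."""
    name = reverse_name(ip).lower()
    for zone in AUTOMATIC_EMPTY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

DISABLE_RE = re.compile(r'disable-empty-zone\s+"([^"]+)"\s*;', re.IGNORECASE)

def disabled_empty_zones(named_conf: str) -> set:
    """Zones named in disable-empty-zone directives, trailing dot stripped."""
    return {z.rstrip(".").lower() for z in DISABLE_RE.findall(named_conf)}

def ptr_will_forward(ip: str, named_conf: str) -> bool:
    """True if the reverse lookup for ip is not swallowed by an empty zone."""
    zone = covering_empty_zone(ip)
    return zone is None or zone in disabled_empty_zones(named_conf)

def needed_directive(ip: str, named_conf: str):
    """The disable-empty-zone line still missing for ip, or None if forwarded."""
    zone = covering_empty_zone(ip)
    if zone is None or zone in disabled_empty_zones(named_conf):
        return None
    return f'disable-empty-zone "{zone}.";'

# Constructed sample: forward-only options block without the workaround.
SAMPLE_CONF = """
options {
    forwarders { 10.21.0.15; 10.21.0.14; };
    forward only;
};
"""
```

needed_directive("10.6.60.6", SAMPLE_CONF) returns exactly the line given in the reply; once that line is appended to the config the same call returns None and ptr_will_forward reports True.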