On 24.02.2016 12:53, Alexandre Borges wrote:

Dear colleagues,

How are you?

I’ve been facing a horrible problem with RHEL 7.2 (and Oracle Linux 7.2) when configuring IPA dnsforwardzone during the Active Directory integration.

My configuration follows:

IPA Server: 192.168.1.195 (rhel72-1.example.com)

Win2012 (AD): 192.168.1.229 (win2012.example.local) -> different domains!!!

Last command executed:

[root@rhel72-1 ~]# ipa dnszone-find

Zone name: 1.168.192.in-addr.arpa.

  Active zone: TRUE

  Authoritative nameserver: rhel72-1.example.com.

  Administrator e-mail address: hostmaster.example.com.

SOA serial: 1456310858

  SOA refresh: 3600

  SOA retry: 900

SOA expire: 1209600

  SOA minimum: 3600

  Allow query: any;

  Allow transfer: none;

  Zone name: example.com.

  Active zone: TRUE

  Authoritative nameserver: rhel72-1.example.com.

  Administrator e-mail address: hostmaster.example.com.

SOA serial: 1456310858

  SOA refresh: 3600

  SOA retry: 900

SOA expire: 1209600

  SOA minimum: 3600

  Allow query: any;

  Allow transfer: none;

  Allow in-line DNSSEC signing: FALSE

----------------------------

Number of entries returned 2

----------------------------

[root@rhel72-1 ~]# ipa dnsconfig-show

  Global forwarders: 8.8.8.8, 8.8.4.4

[root@rhel72-1 ~]# ipa dnsforwardzone-add example.local --forwarder=192.168.1.229 --forward-policy=only

Server will check DNS forwarder(s).

This may take some time, please wait ...

ipa: WARNING: DNSSEC validation failed: record 'example.local. SOA' failed DNSSEC validation on server 192.168.1.195.

Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.

  Zone name: example.local.

  Active zone: TRUE

  Zone forwarders: 192.168.1.229

  Forward policy: only

[root@rhel72-1 ~]# ipa dnsforwardzone-find

  Zone name: example.local.

  Active zone: TRUE

  Zone forwarders: 192.168.1.229

  Forward policy: only

----------------------------

Number of entries returned 1

----------------------------

[root@rhel72-1 ~]# ping win2012.example.local

ping: unknown host win2012.example.local

I’ve already rebooted the host, but it hasn’t worked.

The same problem is happening with Oracle Linux 7.2.

Please, could you help me, please?

I hope you have a nice day.

Alexandre Borges.


Hello Alexandre,

Because you use the .local TLD domain, it will never be a DNSSEC-valid domain; please disable DNSSEC validation on all DNS servers, as the warning from dnsforwardzone-add suggested.

/etc/named.conf
set dnssec-validation to no

Martin Basti
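As an added example (not code from either message in this thread, nor from the FreeIPA project): a small Python audit that reads a named.conf, finds the active `dnssec-validation` statement (ignoring commented-out ones), flags IPA forward zones whose top-level label is `.local` (reserved for mDNS by RFC 6762, so it is never delegated from the signed root and answers from the AD forwarder can never be validated), and then applies the fix Martin describes. The named.conf text and the zone list are constructed inline to mirror the thread; `local` is the only non-delegated TLD it checks.

```python
"""Audit a BIND named.conf (the backend of the FreeIPA DNS service) for forward
zones that can never pass DNSSEC validation, and apply the thread's fix.

Added example, not from the original thread. Assumptions: the named.conf text
and the zone list below are constructed; only the 'local' TLD is checked.
"""
import re

# TLDs not delegated from the DNS root: no chain of trust can ever reach them.
NON_DELEGATED_TLDS = {"local"}

# Constructed sample reproducing the state implied by the thread:
# validation on, forward-only zone under .local pointing at the AD server.
SAMPLE_NAMED_CONF = """\
options {
    // dnssec-validation no;   <- commented out, must not be picked up
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    recursion yes;
};
"""

SAMPLE_FORWARD_ZONES = [
    {"name": "example.local.", "forwarders": ["192.168.1.229"], "policy": "only"},
    {"name": "example.com.", "forwarders": [], "policy": "first"},
]

_VALIDATION_RE = re.compile(r"\bdnssec-validation\s+(yes|no|auto)\s*;")


def _strip_comments(text):
    """Remove /* */, // and # comments so disabled statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def dnssec_validation_setting(named_conf):
    """Effective dnssec-validation value: 'yes', 'no' or 'auto'.
    BIND defaults to 'yes' when the statement is absent."""
    m = _VALIDATION_RE.search(_strip_comments(named_conf))
    return m.group(1) if m else "yes"


def tld(zone_name):
    """Top-level label of a zone name, ignoring the trailing dot and case."""
    labels = [l for l in zone_name.lower().split(".") if l]
    return labels[-1] if labels else ""


def audit_forward_zones(named_conf, forward_zones):
    """Return (zone, problem) tuples for forward zones that will be marked
    bogus by the validator with the current named.conf."""
    findings = []
    if dnssec_validation_setting(named_conf) == "no":
        return findings  # validation is off: nothing can be marked bogus
    for zone in forward_zones:
        label = tld(zone["name"])
        if label in NON_DELEGATED_TLDS:
            fwd = ", ".join(zone["forwarders"]) or "none"
            findings.append((zone["name"],
                             "TLD .%s is not delegated from the root; unsigned "
                             "answers from forwarder(s) %s cannot be validated"
                             % (label, fwd)))
    return findings


def set_dnssec_validation(named_conf, value):
    """Rewrite the active (non-comment) dnssec-validation statement in place,
    keeping indentation and leaving commented-out copies untouched."""
    out = []
    for line in named_conf.splitlines(keepends=True):
        code = line.split("//")[0].split("#")[0]
        if _VALIDATION_RE.search(code):
            indent = line[:len(line) - len(line.lstrip())]
            line = "%sdnssec-validation %s;\n" % (indent, value)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for zone, problem in audit_forward_zones(SAMPLE_NAMED_CONF, SAMPLE_FORWARD_ZONES):
        print("%s: %s" % (zone, problem))
    print(set_dnssec_validation(SAMPLE_NAMED_CONF, "no"))
```

Note that `dnssec-validation no;` switches validation off for every name the server resolves, not only for example.local, so other forward zones and Internet names lose their DNSSEC protection on that resolver. BIND 9.14 and later offer a `validate-except { "example.local"; };` statement that exempts just the affected zone while leaving validation on elsewhere; this is an assumption about the reader's BIND version, and the BIND shipped with RHEL 7.2 predates it, so check `named -v` before relying on it.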




