On 24.2.2016 13:28, Martin Basti wrote:
>
> On 24.02.2016 12:53, Alexandre Borges wrote:
>>
>> Dear colleagues,
>>
>> How are you?
>>
>> I've been facing a horrible problem with RHEL 7.2 (and Oracle Linux 7.2)
>> when configuring an IPA dnsforwardzone during the Active Directory integration.
>>
>> My configuration follows:
>>
>> IPA Server: 192.168.1.195 (rhel72-1.example.com)
>>
>> Win2012 (AD): 192.168.1.229 (win2012.example.local) -> different domains!!!
>>
>> Last command executed:
>>
>> [root@rhel72-1 ~]# ipa dnszone-find
>>   Zone name: 1.168.192.in-addr.arpa.
>>   Active zone: TRUE
>>   Authoritative nameserver: rhel72-1.example.com.
>>   Administrator e-mail address: hostmaster.example.com.
>>   SOA serial: 1456310858
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>
>>   Zone name: example.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: rhel72-1.example.com.
>>   Administrator e-mail address: hostmaster.example.com.
>>   SOA serial: 1456310858
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>   Allow in-line DNSSEC signing: FALSE
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> [root@rhel72-1 ~]# ipa dnsconfig-show
>>   Global forwarders: 8.8.8.8, 8.8.4.4
>>
>> [root@rhel72-1 ~]# ipa dnsforwardzone-add example.local --forwarder=192.168.1.229 --forward-policy=only
>> Server will check DNS forwarder(s).
>> This may take some time, please wait ...
>> ipa: WARNING: DNSSEC validation failed: record 'example.local. SOA' failed
>> DNSSEC validation on server 192.168.1.195.
>> Please verify your DNSSEC configuration or disable DNSSEC validation on all
>> IPA servers.
>>   Zone name: example.local.
>>   Active zone: TRUE
>>   Zone forwarders: 192.168.1.229
>>   Forward policy: only
>>
>> [root@rhel72-1 ~]# ipa dnsforwardzone-find
>>   Zone name: example.local.
>>   Active zone: TRUE
>>   Zone forwarders: 192.168.1.229
>>   Forward policy: only
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>> [root@rhel72-1 ~]# ping win2012.example.local
>> ping: unknown host win2012.example.local
>>
>> I've already rebooted the host, but it hasn't worked.
>>
>> The same problem is happening with Oracle Linux 7.2.
>>
>> Please, could you help me?
>>
>> I hope you have a nice day.
>>
>> Alexandre Borges.
>>
>
> Hello Alexandre,
>
> Because you use the .local TLD, it will never be a DNSSEC-valid domain;
> please disable DNSSEC validation on all DNS servers, as the warning from
> dnsforwardzone-add suggested.

Please note that this is only a workaround for an inherently broken configuration.
It goes directly against the "System Prerequisites" stated at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_DNS_Traffic_with_DNSSEC.html#sec-Recommended_Naming_Practices

It should work, but you might face various problems later on. This configuration
with made-up names is strongly discouraged.

FreeIPA upstream has the same recommendation in different words, if you wish:
http://www.freeipa.org/page/DNS#Caveats

I hope this helps.

Petr^2 Spacek

> /etc/named.conf
> set dnssec-validation to no
>
> Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
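A pre-flight check for the situation in this thread, added here as an example; it is not code from the thread, from FreeIPA or from BIND. Before running `ipa dnsforwardzone-add <zone> --forwarder=<ip> --forward-policy=only` on a validating IPA DNS server it answers the two questions the replies turn on: is the forward zone under a TLD the public root will never delegate (.local is reserved for mDNS by RFC 6762, and the signed root proves such names do not exist, so a validator can only treat the forwarder's answers as bogus), and what does this server's named.conf say for dnssec-validation. It also applies Martin's workaround to one file, which is then still needed on every IPA DNS server, each followed by a BIND restart. The sample named.conf fragment, the temporary path, the undelegated-TLD list and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or BIND.
# Pre-flight for `ipa dnsforwardzone-add <zone> --forwarder=<ip> --forward-policy=only`
# on a validating IPA DNS server. Paths, names and the sample config are constructed.

# TLDs the public root does not delegate, so no DNSSEC chain of trust can reach
# them: RFC 6761 (example, invalid, localhost, test), RFC 6762 (local),
# RFC 7686 (onion).
UNDELEGATED_TLDS="example invalid localhost test local onion"

# Last label of a zone name, lower-cased, trailing dot removed.
zone_tld() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | awk -F. '{print $NF}'
}

# Exit 0 when the zone's TLD is one the root does not delegate, 1 otherwise.
is_undelegated_zone() {
    tld=$(zone_tld "$1")
    for t in $UNDELEGATED_TLDS; do
        [ "$t" = "$tld" ] && return 0
    done
    return 1
}

# Value of dnssec-validation in a named.conf-style file: yes, no, auto, or
# "unset" when absent (BIND then defaults to yes). // and # comments are
# stripped before matching; the last occurrence wins.
dnssec_validation_setting() {
    val=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" \
        | grep -E '^[[:space:]]*dnssec-validation[[:space:]]+(yes|no|auto)[[:space:]]*;' \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*dnssec-validation[[:space:]]+(yes|no|auto).*/\1/')
    printf '%s' "${val:-unset}"
}

# Martin's workaround on one file: rewrite the dnssec-validation value.
# Repeat on every IPA DNS server and restart BIND on each. Petr's caveat stands:
# the real fix is a properly delegated, publicly resolvable domain name.
set_dnssec_validation() {
    sed -E "s/^([[:space:]]*dnssec-validation[[:space:]]+)(yes|no|auto)([[:space:]]*;)/\1$2\3/" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Verdict for a zone against a config file:
#   ok                         - real TLD, validation of forwarded answers can succeed
#   undelegated-validation-on  - the thread's failure mode (WARNING from dnsforwardzone-add)
#   undelegated-validation-off - undelegated TLD, but this server does not validate
preflight() {
    if is_undelegated_zone "$1"; then
        case "$(dnssec_validation_setting "$2")" in
            no) echo undelegated-validation-off ;;
            *)  echo undelegated-validation-on ;;
        esac
    else
        echo ok
    fi
}

# Constructed named.conf fragment standing in for /etc/named.conf on the IPA server.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/named.conf"
cat > "$SAMPLE_CONF" <<'EOF'
options {
        directory "/var/named";   // constructed sample, not a real server's file
        dnssec-enable yes;
        dnssec-validation yes;
};
EOF

echo "example.local: $(preflight example.local "$SAMPLE_CONF")"
echo "example.com:   $(preflight example.com "$SAMPLE_CONF")"
```

Run it on a server that is actually about to take the forward zone (point `SAMPLE_CONF` at the real `/etc/named.conf`). `undelegated-validation-on` is exactly what Alexandre's server reported; `set_dnssec_validation /etc/named.conf no` followed by a BIND restart turns it into `undelegated-validation-off`, which is the workaround and nothing more.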