On 21.6.2016 15:03, dan.finkelst...@high5games.com wrote:
> Solution found (or, if not, a workaround):
> IPA replicas must be named in the root domain/zone and not in a subdomain, 
> else DNS fails to serve records in the root domain. Once we changed our 
> configuration to reflect this, DNS returned to normal.

This is most likely a workaround for some sort of misconfiguration, FreeIPA
itself does not require anything like that.

Petr^2 Spacek


> From: <freeipa-users-boun...@redhat.com> on behalf of Daniel Finkelstein 
> <dan.finkelst...@high5games.com>
> Date: Tuesday, June 21, 2016 at 07:21
> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the 
> top-level domain/zone
> 
> Hi Petr,
> 
> Top level means the root zone of the various DNS trees we serve. For example, 
> h5g.com would be the root and dev.h5g.com, test.h5g.com, etc., would be the 
> subdomains. Our subdomains query fine, but any hosts in the root domain no 
> longer resolve.
> 
> An example of an unresolvable name is IPA itself: ipa.h5g.com. Here's output 
> from dig:
> 
> [root@ipa ~]# dig ipa.h5g.com
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.h5g.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa.h5g.com.                                      IN            A
> 
> ;; Query time: 0 msec
> ;; SERVER: 10.55.10.31#53(10.55.10.31)
> ;; WHEN: Tue Jun 21 07:15:14 EDT 2016
> ;; MSG SIZE  rcvd: 42
> 
> We expect that its IP address returns from dig, but it doesn't.
> 
> We have 100 zones defined, including forward and reverse zones — all active.
> 
> We do use DNS forwarding, but in a very unsophisticated way: we set up the 
> forwarders to go to Google if our DNS can't resolve a name.
> 
> Thanks and regards,
> Dan
> 
> Daniel Alex Finkelstein| Lead Dev Ops Engineer
> dan.finkelst...@h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> 
> From: <freeipa-users-boun...@redhat.com> on behalf of Petr Spacek 
> <pspa...@redhat.com>
> Organization: Red Hat
> Date: Tuesday, June 21, 2016 at 06:04
> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the 
> top-level domain/zone
> 
> On 21.6.2016 11:23, dan.finkelst...@high5games.com wrote:
> We've recently set up a "clean" install of FreeIPA replete with replicas, but 
> we just noticed an odd behavior in the DNS service: hosts in the top level 
> domain (like ipa.example.com) do not resolve, whereas hosts in subdomains 
> (like ipa.dev.example.com) do. I'm not sure what to look for in the various 
> log files but I don't see any obvious errors. I thought perhaps this might 
> have some guidance 
> https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and 
> maybe it does, but I'm not sure how to rescue my top-level domain names.
> 
> Hi,
> 
> we can certainly debug this but first of all, please clarify what 'top-level'
> means.
> 
> If you really want help please do not obfuscate any DNS names. It often hides
> real problems while not improving security in any way. (BTW you do not need to
> hide domain names like 'NY5-EXMB1.High5.local' because these already leaked
> through e-mail headers :-)
> 
> So, here are the important questions:
> 0) What name is unresolvable?
> $ dig the.problematic.name.example.
> 
> 1) What is the expected result from "dig"?
> 
> 2) What DNS zones are configured in IPA?
> $ ipa dnszone-find
> 
> 3) Do you use DNS forwarding? (--forwarders option during IPA install or
> commands ipa dnsforwardzone-*, ipa dnsconfig-mod etc.)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
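The triage Petr asks for in his questions 0) to 3) can be scripted. The helper below is an added example written for this page; it is not part of the thread and not FreeIPA's own code. It parses a `dig` answer of the shape Dan quoted (status, flags, question name, server) and maps the queried name onto the zone list that `ipa dnszone-find` would return by longest-suffix match, which is how an authoritative server picks the zone it answers from. That separates a SERVFAIL for a name inside a zone the server is supposed to be authoritative for (ipa.h5g.com under h5g.com, the case in the thread) from a SERVFAIL for a name outside every local zone, where only the forwarders are involved. It also flags a NOERROR answer for a locally hosted name that lacks the `aa` flag, which means the reply was forwarded rather than served from the local zone. The failing sample reuses the header fields from the quoted output; the zone list and the succeeding sample are constructed.

```python
import re

# Constructed sample inputs. The first has the same header fields as the dig
# output quoted in the thread; the second is a made-up successful answer.
SAMPLE_DIG_SERVFAIL = """\
; <<>> DiG 9.9.4 <<>> ipa.h5g.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa.h5g.com.                   IN      A

;; SERVER: 10.55.10.31#53(10.55.10.31)
"""

SAMPLE_DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa.dev.h5g.com.               IN      A

;; ANSWER SECTION:
ipa.dev.h5g.com.        1200    IN      A       10.55.10.31

;; SERVER: 10.55.10.31#53(10.55.10.31)
"""

# Constructed zone list, in the form `ipa dnszone-find` prints zone names.
SAMPLE_ZONES = ["h5g.com.", "dev.h5g.com.", "test.h5g.com.", "10.55.10.in-addr.arpa."]

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
QUESTION_RE = re.compile(r"^;([^\s;]+)\s+IN\s+(\S+)", re.MULTILINE)
SERVER_RE = re.compile(r";; SERVER: (\S+)")


def parse_dig(text):
    """Pull the fields that matter for triage out of dig's human-readable output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    question = QUESTION_RE.search(text)
    server = SERVER_RE.search(text)
    if not (header and flags and question):
        raise ValueError("not a dig answer")
    return {
        "status": header.group(2),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "qname": question.group(1),
        "qtype": question.group(2),
        "server": server.group(1) if server else None,
    }


def closest_zone(name, zones):
    """Longest-suffix match: the local zone an authoritative server would answer from.

    Returns the zone without its trailing dot, or None when no local zone covers
    the name (such queries are handled by recursion or the forwarders)."""
    labels = name.rstrip(".").lower().split(".")
    local = {z.rstrip(".").lower() for z in zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in local:
            return candidate
    return None


def diagnose(dig_text, zones):
    """Classify one lookup result against the zones the server is meant to host."""
    r = parse_dig(dig_text)
    zone = closest_zone(r["qname"], zones)
    if r["status"] == "NOERROR" and r["answer"] > 0:
        # A local zone must answer authoritatively; no `aa` means the reply was forwarded.
        if zone and "aa" not in r["flags"]:
            return f"resolved, but not authoritatively: {zone} is local yet the answer came via forwarding"
        return "resolved"
    if r["status"] == "SERVFAIL":
        if zone is None:
            return "SERVFAIL outside any local zone: check forwarders and recursion"
        return f"SERVFAIL inside local zone {zone}: check that the zone is loaded and active on {r['server']}"
    if r["status"] == "NXDOMAIN":
        if zone:
            return f"NXDOMAIN from local zone {zone}: the record is missing, not the zone"
        return "NXDOMAIN from upstream"
    return f"unexpected status {r['status']}"


if __name__ == "__main__":
    for sample in (SAMPLE_DIG_SERVFAIL, SAMPLE_DIG_OK):
        print(diagnose(sample, SAMPLE_ZONES))
```

In practice the two inputs come from `dig the.problematic.name.` run against each IPA server in turn and from `ipa dnszone-find`; a SERVFAIL that lands in a zone the server lists as active points at that zone's state on that server (the renaming workaround in the thread changed which zone the replica's own records lived in, which is why it masked the symptom), whereas a SERVFAIL outside every local zone points at the forwarder configuration.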