On 6.7.2016 16:37, lejeczek wrote:
> hi everybody
> 
> I think this was working some time ago, but for while queries IPA's DNS
> forwards wound up like this:
> 
> validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found
> validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS)
> error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53
> 
> dig at IPA DNS and nothing, logs:
> 
>   validating @0x7f85e0134880: my.dom SOA: no valid signature found
>   validating @0x7f85e0134880: my.dom NSEC: no valid signature found
>   validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found
>   validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)
> 
> I dig +dnssec directly at the receiving server and result seems normal, no
> errors.
> 
> IPA's dns is not dnsseced, is this the root of the problem? Or what else might
> be?

Obfuscated domain names are making impossible to tell where the problem lies.

Try dnsviz.net or similar tool, enter domain name into it and let it diagnose
the domain for you. If DNSviz claims that the domain is correctly signed (or
not) then the problem is likely in forwarder configuration.

All forwarders used in your DNS chain have to be configured with equivalent of
named.conf option 'dnssec-enable yes;'.

I hope this helps.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to