To give this a little more context, I've tried this:

[root@ipa ~]# ipa dnsforwardzone-add example2.com. --forwarder=10.55.10.151 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'example2.com. SOA' failed DNSSEC validation on server 10.55.10.31.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.
  Zone name: example2.com.
  Active zone: TRUE
  Zone forwarders: 10.55.10.151
  Forward policy: only

We don't care about DNSSEC validation on the forwarded zone, but we do on the 
zones that IPA is authoritative for.

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007

From: <freeipa-users-boun...@redhat.com> on behalf of Daniel Finkestein 
<dan.finkelst...@high5games.com>
Date: Friday, July 15, 2016 at 11:20
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

Hi all,
I'm trying to follow the directions (and cautions) from here: 
http://www.freeipa.org/page/V4/Forward_zones, but when I add a new zone 
(example2.com) and a forwarding address and set the zone to forward-only, no 
records are returned for hosts like, say, testhost.example2.com. The NS record 
for the domain is the authoritative nameserver for the example2.com domain 
(which belongs to someone else), so we don't know why it doesn't return records 
whereas direct queries against the remote nameserver work fine.

Any help with the configuration would be appreciated.

Thanks,
Dan
