On Fri, 15 Jul 2016, dan.finkelst...@high5games.com wrote:
There was a solution: explicitly disable DNSSEC in /etc/named.conf on all IPA masters/replicas and restart the named-pkcs11 service. After that, zone forwarding worked as expected.
If your DNS upstreams don't provide DNSSEC, it is enough to disable dnssec validation in named.conf.
-- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project