On Fri, 15 Jul 2016, dan.finkelst...@high5games.com wrote:
> There was a solution: explicitly disable DNSSEC in /etc/named.conf on
> all IPA masters/replicas and restart the named-pkcs11 service. After
> that, zone forwarding worked as expected.

If your DNS upstreams don't provide DNSSEC, it is enough to disable
dnssec validation in named.conf.
/ Alexander Bokovoy
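
The two changes discussed in this thread can be told apart on each master or replica with a small check like the one below. It is an added example, not part of the original messages or of FreeIPA. It assumes the thread's "disable DNSSEC" and "disable dnssec validation" correspond to BIND's `dnssec-enable` and `dnssec-validation` options; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how DNSSEC is configured in a named.conf-style file.
# Assumption: the thread's two fixes map to BIND's dnssec-enable and
# dnssec-validation options.

# Print the last value assigned to option $2 in file $1, or "unset".
dnssec_setting() {
    # Strip single-line /* */, // and # comments before looking for the option.
    val=$(sed -e 's:/\*.*\*/::g' -e 's://.*$::' -e 's:#.*$::' "$1" |
        awk -v opt="$2" '
            { for (i = 1; i < NF; i++)
                  if ($i == opt) { v = $(i + 1); sub(/;.*/, "", v); last = v } }
            END { print last }')
    echo "${val:-unset}"
}

# Classify the file along the distinction the thread draws.
dnssec_state() {
    enable=$(dnssec_setting "$1" dnssec-enable)
    validation=$(dnssec_setting "$1" dnssec-validation)
    if [ "$enable" = no ]; then
        echo "dnssec-disabled"          # DNSSEC switched off entirely
    elif [ "$validation" = no ]; then
        echo "validation-disabled"      # only validation switched off
    else
        echo "validating-or-default"    # validation on, or left at BIND's default
    fi
}

# Constructed sample input (not taken from a real IPA server).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
options {
    // dnssec-validation yes;   (old value, commented out)
    dnssec-enable yes;
    dnssec-validation no;   # upstream forwarders do not sign
};
EOF
echo "$SAMPLE: $(dnssec_state "$SAMPLE")"
```

On a real server the file to pass is /etc/named.conf, and named-pkcs11 has to be restarted after a change, as the quoted message says.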