On 04.01.2017 23:40, Jason B. Nance wrote:
Hello everyone,

I have a pair of FreeIPA 4.4.0 servers setup whose forwarders are each set to 
an Active Directory domain controller.  When a client attempts to lookup any 
DNS record other than those to which FreeIPA is authoritative the client 
reports NXDOMAIN and the FreeIPA server has the following in its logs:

(first lookup)
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

(subsequent lookups)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53

In my case, ipa.tkc.gen.zone is served by FreeIPA and tkc.gen.zone is served by 
AD (as is gen.zone).  10.48.8.18 is an AD domain controller for tkc.gen.zone 
(and the forwarder the FreeIPA servers are pointed at).

I've tried "rndc flush" and "rndc flushname ." on the FreeIPA boxes.  We've 
tried both NSEC3 and NSEC.

Anyone have guidance as to what may be going on?

Thanks,

j


Hello,

You are using a non-existent TLD, or the TLD doesn't have a DS record for your zone, so this is expected behavior: DNSSEC treats it as an attack. You have to disable DNSSEC validation on all IPA DNS servers in /etc/named.conf in the first case, or fix the incorrect/missing DS record in the second case.

'zone.' is a registered TLD, so if you own it, you are probably missing a DS record somewhere in the path, hence the broken trust chain.
If you don't own the TLD, you shouldn't use it at all.

Martin
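To tell which of Martin's two cases applies before touching validation, it helps to read the named log systematically rather than by eye: the first `error (...) resolving '<name>/DS/IN'` line names the delegation point whose DS (or its RRSIG) could not be validated, the later `bad cache hit (<zone>/DS)` line shows the negative result being re-served from the resolver's cache, and the `<ip>#53` suffix identifies which forwarder gave the answer. The following script is an added example, not part of the thread and not FreeIPA or BIND code; it parses named-pkcs11 lines in the format quoted above (the sample is a constructed copy of those lines, re-joined onto single lines) and summarizes the broken link in the chain, the affected names and the upstream server. The regexes match only the message shapes visible in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the named-pkcs11 lines quoted in the thread,
# re-joined onto single lines (the mailer had wrapped them).
SAMPLE_LOG = """\
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
"""

# "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>"
ERROR_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[^#\s]+)#\d+"
)
# "validating @0x...: <name> <type>: bad cache hit (<zone>/DS)"
CACHE_RE = re.compile(
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>[A-Z0-9]+): "
    r"bad cache hit \((?P<zone>[^/)]+)/DS\)"
)


@dataclass(frozen=True)
class Failure:
    reason: str
    name: str
    rtype: str
    server: str  # upstream that answered; "" when the failure was served from cache


def parse_failures(log_text):
    """Extract DNSSEC validation failures from named log text, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            failures.append(Failure(m["reason"], m["name"], m["rtype"], m["server"]))
            continue
        m = CACHE_RE.search(line)
        if m:
            # The resolver cached the earlier negative result, so this lookup
            # fails without asking the forwarder again.
            failures.append(Failure(f"cached validation failure ({m['zone']}/DS)",
                                    m["name"], m["rtype"], ""))
    return failures


def delegation_point(failures):
    """Name whose DS (or the RRSIG over it) failed validation: the first broken link."""
    for f in failures:
        if f.rtype == "DS":
            return f.name
    for f in failures:
        m = re.search(r"\(([^/)]+)/DS\)", f.reason)
        if m:
            return m.group(1)
    return None


def summarize(failures):
    """Condense the failures into what an admin needs to decide between the two cases."""
    return {
        "delegation_point": delegation_point(failures),
        "upstreams": sorted({f.server for f in failures if f.server}),
        "affected_names": sorted({f.name for f in failures if f.rtype != "DS"}),
        "reasons": Counter(f.reason for f in failures),
        "served_from_cache": any(f.server == "" for f in failures),
    }


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample this reports `delegation_point: zone`, i.e. the validator could not get a validated DS for the TLD itself from 10.48.8.18, which is exactly the "missing DS in the path" situation Martin describes; whether the fix is publishing the DS or turning off the `dnssec-validation` option in named.conf depends on whether that TLD is legitimately yours. The `served_from_cache` flag explains why repeated lookups fail identically after the first one.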

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project