Did some testing.
From the Windows server, did a port scan on the IPA server (tcp +
udp), no blocking between (tested open).
The IPA has DNSSEC on, but that is for the zones only, right? There is
no indication of DNSSEC in the datagrams.
The Wireshark capture on the Windows server:
A - The query packet:
-----------------------
Ethernet II, Src: CadmusCo_58:90:cb (08:00:27:58:90:cb), Dst: fe:81:54:e3:7b:03 (fe:81:54:e3:7b:03)
Internet Protocol Version 4, Src: 10.10.24.12, Dst: 10.10.24.9
User Datagram Protocol, Src Port: 54680, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x0006
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
google.com: type A, class IN
Name: google.com
[Name Length: 10]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
B - The response:
-----------------
Frame 10: 222 bytes on wire (1776 bits), 222 bytes captured (1776 bits)
Ethernet II, Src: fe:81:54:e3:7b:03 (fe:81:54:e3:7b:03), Dst: CadmusCo_58:90:cb (08:00:27:58:90:cb)
Internet Protocol Version 4, Src: 10.10.24.9, Dst: 10.10.24.12
User Datagram Protocol, Src Port: 53, Dst Port: 54680
Domain Name System (response)
[Time: 0.057623000 seconds]
Transaction ID: 0x0006
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 4
Additional RRs: 4
Queries
google.com: type A, class IN
Name: google.com
[Name Length: 10]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
google.com: type A, class IN, addr 216.58.222.14
Name: google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 300
Data length: 4
Address: 216.58.222.14
Authoritative nameservers
google.com: type NS, class IN, ns ns4.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns4.google.com
google.com: type NS, class IN, ns ns1.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns1.google.com
google.com: type NS, class IN, ns ns3.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns3.google.com
google.com: type NS, class IN, ns ns2.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns2.google.com
Additional records
ns2.google.com: type A, class IN, addr 216.239.34.10
Name: ns2.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.34.10
ns1.google.com: type A, class IN, addr 216.239.32.10
Name: ns1.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.32.10
ns3.google.com: type A, class IN, addr 216.239.36.10
Name: ns3.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.36.10
ns4.google.com: type A, class IN, addr 216.239.38.10
Name: ns4.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.38.10
-rsd
On 16/01/2017 06:31, Brian Candler wrote:
On 16/01/2017 00:52, Raul Dias wrote:
The packets are getting back. That has been established already.
With Wireshark at the 2008R2 end?
I am looking for possible reasons it would disregard the answer, but
accept when using a non-freeipa bind9 one.
Look at wireshark detail on both sets of responses; check for any
differences including the flags. You're sure one of the servers isn't
answering with a REFUSED answer for example? (That is, one of the bind
servers might not allow queries from the source address of the 2008R2
server)
Also compare the bind configs. For example, is DNSSEC enabled in one
but not the other?
--
Att. Raul Dias
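An added example (not from this thread or from FreeIPA) that decodes the DNS header flags word exactly as Wireshark splits it, so the query (0x0100) and response (0x8180) above can be compared field by field, and that diffs two response headers to spot the REFUSED case Brian mentions. The IPA_RESPONSE bytes are constructed from the transaction ID, flags and section counts shown in the capture; REFUSED_RESPONSE is a constructed comparison value, not something observed in the thread.

```python
# Added example: decode the 16-bit DNS header flags (RFC 1035 s4.1.1,
# with the AD/CD bits from RFC 4035) and parse the fixed 12-byte header.
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def decode_flags(flags: int) -> dict:
    """Split the flags word into the fields Wireshark lists under 'Flags'."""
    return {
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "z": (flags >> 6) & 1,          # reserved
        "ad": (flags >> 5) & 1,         # answer authenticated (DNSSEC AD bit)
        "cd": (flags >> 4) & 1,         # checking disabled (non-authenticated data acceptable)
        "rcode": flags & 0xF,           # reply code
    }

def parse_header(packet: bytes) -> dict:
    """Parse the 12-byte DNS header from a raw UDP payload."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    info = decode_flags(flags)
    info.update({"id": txid, "qdcount": qd, "ancount": an,
                 "nscount": ns, "arcount": ar,
                 "rcode_name": RCODES.get(info["rcode"], str(info["rcode"]))})
    return info

def diff_responses(a: bytes, b: bytes) -> dict:
    """Header fields that differ between two responses (e.g. IPA vs plain bind9)."""
    ha, hb = parse_header(a), parse_header(b)
    return {k: (ha[k], hb[k]) for k in ha if k != "id" and ha[k] != hb[k]}

# Constructed header matching the capture above: txid 0x0006, flags 0x8180,
# 1 question, 1 answer, 4 authority, 4 additional records.
IPA_RESPONSE = struct.pack("!6H", 0x0006, 0x8180, 1, 1, 4, 4)
# Constructed comparison value: same query, but the server answered REFUSED
# (flags 0x8185, no answer records), as a server with a restrictive
# allow-query would.
REFUSED_RESPONSE = struct.pack("!6H", 0x0006, 0x8185, 1, 0, 0, 0)
```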
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project