On 16/01/2017 16:37, Raul Dias wrote:
You can have a DNSSEC-validating resolver (cache), but you're right
you'd see things in the packet (EDNS).
Did some testing.
From the Windows server, did a port scan on the IPA server (TCP +
UDP), no blocking between. (tested open).
The IPA has DNSSEC on, but that is for the zones only, right? There is
no indication of DNSSEC in the datagrams.
Looks like a perfectly good DNS response to me. Windows is a strange
The Wireshark on the Windows server:
Horrible workaround: if you can find a DNS server which Windows likes,
you can configure that DNS server to forward all the IPA-hosted zones to
the IPA server.