>> I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set
>> to an Active Directory domain controller.  When a client attempts to look up
>> any DNS record other than those for which FreeIPA is authoritative, the
>> client reports NXDOMAIN and the FreeIPA server has the following in its logs:
>>
>> (first lookup)
>> Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid RRSIG) resolving 'zone/DS/IN': 10.48.8.18#53
>> Jan 04 16:05:21 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (no valid DS) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
>>
>> (subsequent lookups)
>> Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: validating @0x7f7a40983ea0: sl1mmgpwtdc0001.tkc.gen.zone A: bad cache hit (zone/DS)
>> Jan 04 16:10:57 sl1mmgplidm0001.ipa.tkc.gen.zone named-pkcs11[1632]: error (broken trust chain) resolving 'sl1mmgpwtdc0001.tkc.gen.zone/A/IN': 10.48.8.18#53
>>
>> In my case, ipa.tkc.gen.zone is served by FreeIPA and tkc.gen.zone is served
>> by AD (as is gen.zone).  10.48.8.18 is an AD domain controller for tkc.gen.zone
>> (and the forwarder the FreeIPA servers are pointed at).
>>
>> I've tried "rndc flush" and "rndc flushname ." on the FreeIPA boxes.  We've
>> tried both NSEC3 and NSEC.
>>
>> Anyone have guidance as to what may be going on?
>>
>> Thanks,
>>
>> j
>>
> 
> You use a non-existent TLD, or the TLD doesn't have a DS record for your
> zone, so this is expected behavior: DNSSEC considers it an attack.
> You have to disable DNSSEC validation on all IPA DNS servers in
> /etc/named.conf in the first case, or fix the incorrect/missing DS record in
> the second case.
> 
> 'zone.' is a registered TLD, so if you own it you are probably missing a DS
> record in the path, thus the broken trust chain.
> If you don't own the TLD, you shouldn't use it at all.

Hi Martin,

Thank you for the reply, and sorry for the delay in response.  My employer owns 
the "gen.zone" domain.  It is used internally only, and served by an Active 
Directory domain controller.

It appears, though, that our registrar does not support DNSSEC for .zone 
domains even though the .zone TLD in general does support DNSSEC.

:-\

j
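What follows is an added example, not code from this thread or from the FreeIPA or BIND projects: a small POSIX shell script that repeats, step by step, the walk a validating named performs when it resolves sl1mmgpwtdc0001.tkc.gen.zone through the forwarder. For every zone cut from the TLD downward it asks the forwarder for the DS record with the DO bit set and reports whether the answer came back signed, unsigned, or empty, which is the distinction behind the "no valid RRSIG" and "no valid DS" lines in the log quoted above. The forwarder address 10.48.8.18 and the host names are taken from the thread and are assumptions to replace with your own; the two sample dig answers embedded near the bottom are constructed placeholders (fake digests and signatures) so the classifier can be exercised without network access.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/BIND: walk the DNSSEC
# chain for a name through the forwarder and report at which zone cut the
# forwarder stops returning signed data. The address and names below are the
# ones quoted in the thread and are assumptions; replace them with your own.
# Needs dig (bind-utils) for the live walk; ancestors, classify and the offline
# demo run without network access.
set -u

FORWARDER="${FORWARDER:-10.48.8.18}"
NAME="${NAME:-sl1mmgpwtdc0001.tkc.gen.zone}"

# ancestors NAME: print every zone cut from the TLD down to NAME itself, one per
# line, each with a trailing dot: zone. / gen.zone. / tkc.gen.zone. / NAME.
ancestors() {
    n="${1%.}"
    out=""
    while [ -n "$n" ]; do
        out="${n}.
${out}"
        case "$n" in
            *.*) n="${n#*.}" ;;
            *)   n="" ;;
        esac
    done
    printf '%s' "$out"
}

# classify TYPE: read a "dig +dnssec +noall +answer" section on stdin and print
#   signed   - TYPE records present together with an RRSIG covering TYPE
#   unsigned - TYPE records present but no RRSIG: the forwarder dropped the
#              DNSSEC data or the zone is not signed ("no valid RRSIG" in named)
#   empty    - no TYPE records at all; for DS that means no delegation signer
#              at the parent ("no valid DS" in named)
classify() {
    t="$1"
    data=$(cat)
    if ! printf '%s\n' "$data" | grep -Eq "[[:space:]]IN[[:space:]]$t[[:space:]]"; then
        echo empty
    elif printf '%s\n' "$data" | grep -Eq "[[:space:]]IN[[:space:]]RRSIG[[:space:]]$t[[:space:]]"; then
        echo signed
    else
        echo unsigned
    fi
}

# query TYPE ZONE: ask the forwarder with the DO bit set (+dnssec), answer only.
query() {
    dig +dnssec +noall +answer +time=3 +tries=1 "$2" "$1" "@$FORWARDER"
}

# walk_chain: the validator in named follows DS -> DNSKEY at every zone cut
# above NAME; this shows what the forwarder hands it at each step, then the
# final A record. The first line that is not "signed" is where the chain breaks.
walk_chain() {
    full="${NAME%.}."
    ancestors "$NAME" | while read -r z; do
        if [ "$z" = "$full" ]; then t=A; else t=DS; fi
        r=$(query "$t" "$z" | classify "$t")
        printf '%-40s %-3s %s\n' "$z" "$t" "$r"
    done
}

# Constructed sample answers in dig's answer-section layout (placeholder
# digests and signatures, not real data) so classify can be run offline.
SAMPLE_SIGNED="$(printf 'gen.zone.\t3600\tIN\tDS\t12345 13 2 0000000000000000000000000000000000000000000000000000000000000000\ngen.zone.\t3600\tIN\tRRSIG\tDS 8 2 3600 20170201000000 20170104000000 11111 zone. AAAA\n')"
SAMPLE_UNSIGNED="$(printf 'zone.\t86400\tIN\tDS\t54321 8 2 0000000000000000000000000000000000000000000000000000000000000000\n')"

demo_offline() {
    printf 'signed sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_SIGNED" | classify DS)"
    printf 'unsigned sample -> %s\n' "$(printf '%s\n' "$SAMPLE_UNSIGNED" | classify DS)"
    printf 'empty sample    -> %s\n' "$(printf '' | classify DS)"
}

demo_offline
if [ "${RUN_WALK:-0}" = 1 ]; then
    walk_chain
fi
```

Run it on one of the IPA servers as "RUN_WALK=1 FORWARDER=10.48.8.18 sh dnssec-walk.sh" (the file name is arbitrary). The first line that is not "signed" is the step the validator gives up on. "unsigned" for "zone. DS" means the forwarder is answering without RRSIG data at all, so no validating resolver behind it can build a chain no matter what the registrar publishes, and that is the shape of the first log line above. "empty" for "gen.zone. DS" matches the registrar situation in the reply: no delegation signer in the .zone TLD. One caveat a validator cares about: a missing DS at the parent only downgrades the child to "insecure" rather than "bogus" if the parent's signed NSEC/NSEC3 denial actually reaches the validator, which a forwarder that strips DNSSEC data does not deliver. Until the chain is fixed, the workaround named in the thread is "dnssec-validation no;" in the options block of /etc/named.conf on every IPA DNS server, which switches validation off for all names, not only this domain; on BIND 9.11 or later, "rndc nta gen.zone" installs a temporary negative trust anchor scoped to that one domain instead.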




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
