I still think there is something wrong here.

You say that the DNSSEC reply is "just warning", but when I get that warning, a 
subsequent trust-add fails every time. When I don't get the warning, the 
trust-add works.
Therefore, the warning cannot just be ignored. Why is that?

I have tried the following:

-          Signing the target Active Directory zone – it does not make a 

-          FreeIPA /etc/named.conf – "validation no" makes the warning go away 
ONLY when I use the CLI on a root login.

-          Running the ipa CLI from a salt state or a subprocess of my Java 
webapp ALWAYS gets the warning regardless.

If there really should be a warning, then why don't I see it from the CLI?

And can you help me understand what would be significantly different between an 
interactive login and a "su –l root" in salt?

Thank you for any insight,

From: Dan Dietterich <d...@cazena.com>
Date: Wednesday, April 19, 2017 at 9:24 AM
To: Martin Bašti <mba...@redhat.com>, "freeipa-users@redhat.com" 
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

From: Martin Bašti <mba...@redhat.com>
Date: Wednesday, April 19, 2017 at 9:23 AM
To: Dan Dietterich <d...@cazena.com>, "freeipa-users@redhat.com" 
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

IPA servers always check if DNSSEC is working on forwarders, but it is just 
warning. If you have disabled  dnssec in named.conf then it is okay.

I'm not sure why sometimes you see this warning and sometimes don't, maybe 
inconsistent replies from forwarder.

domain ".internal" should always fail because it is unregistered TLD


On 19.04.2017 15:11, Dan Dietterich wrote:
My configuration is a single ipa server and both the code path and the bash 
prompt path are running on the node that is also running the ipa server. I 
thought that since FreeIPA was installed with --no-dnssec-validation that I 
should never see this warning. And I confirmed that both dnssec-enabled and 
dnssec-validation are set to 'no' in the /etc/named.conf.
So I'm confused that you say the DNSSEC should always fail.

Thanks for your help!

From: Martin Bašti <mba...@redhat.com><mailto:mba...@redhat.com>
Date: Wednesday, April 19, 2017 at 3:59 AM
To: Dan Dietterich <d...@cazena.com><mailto:d...@cazena.com>, 
Subject: Re: [Freeipa-users] DNSSEC warning when DNSSEC should be disabled

On 13.04.2017 22:50, Dan Dietterich wrote:
I am seeing inconsistent results configuring a DNS forward zone.

At a bash prompt, as root, after kinit admin, I do:
ipa dnsforwardzone-add domain.internal  --forwarder= ww.xx.yy.zz 

That works fine and does not warn about DNSSEC.

In a Java webapp running as root under a Jetty, I run a shell sub-process and 
issue the kinit and the same ipa statement.
_Sometimes_, I get
ipa: WARNING: DNSSEC validation failed: record 'domain.internal. SOA' failed 
DNSSEC validation on server ww.xx.yy.zz.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA 

I modified the /etc/named.conf file to say:
                dnssec-enable no;
      dnssec-validation no;

and systemctl restart ipa

Any clue why the results are different?

ipa –version: VERSION: 4.4.0, API_VERSION: 2.213
Linux … 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 
x86_64 x86_64 GNU/Linux

Thanks for any insight!



checks are done on IPA server side, how many servers do you have? Is possible 
that CLI connects to different servers.

However in this case, DNSSEC check should always fail and report error, so it 
is weird why it passed.



Martin Bašti

Software Engineer

Red Hat Czech


Martin Bašti

Software Engineer

Red Hat Czech
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to