>> , DNS queries return the "SERVFAIL" status rather than
>> "NXDOMAIN", which makes sense to me. They also do not return any authority
>> information. It does not appear that bind returns "NXDOMAIN" with incorrect
>> authority information if
> dnskeysyncd, winbind, smb, ntpd,
> ipa-custodia, httpd, kadmin, krb5kdc, pki-tomcatd@pki-tomcat,
> dirsrv@MY-DOMAIN), the DNS server continues to correctly respond to DNS
> queries. This could be because I have a pair of replicated FreeIPA
> instances, and once bind/named starts it knows how to q
queries from being answered - perhaps bind has just cached the
response for the test query I am using. Either way, stopping all of these
services including dirsrv (which I believe is the 389-ds backend process)
does not result in "NXDOMAIN" responses with incorrect authority
information.
Something in the yum upgrade or ipa-server-upgrade process seems to
trigger this different behaviour.

On Tue, Oct 24, 2017 at 1:45 PM Rob Crittenden wrote:
> Nicholas Hinds via FreeIPA-users wrote:
> > During an upgrade from 4.5.0-21.el7.centos.1.2
> > to 4.5.0-21.el7.centos.2.2 on
During an upgrade from 4.5.0-21.el7.centos.1.2 to 4.5.0-21.el7.centos.2.2
on a CentOS 7.4 machine, FreeIPA's DNS server briefly returned NXDOMAIN for
records which existed in FreeIPA. These invalid responses were returned for
a very short amount of time, but caused long-running issues with Java
cli