Re: [Freeipa-users] FW: named and IpA

2014-10-06 Thread Petr Spacek

Hello,

let me summarize the environment so we can be sure that I understood it 
correctly:

- there are (at least) two non-IPA DNS servers 16.112.240.27 and 16.112.240.40
- non-IPA servers are authoritative for DNS zone osn.cxo.cpqcorp.net
- IPA server is *also* configured to be authoritative for DNS zone 
osn.cxo.cpqcorp.net (as shown by ipa dnszone-find command).


I hope that this summary is correct, please let me know if it doesn't.

This configuration cannot reliably work because there is a clash between sets 
of authoritative servers. The IPA server claims authority over domain 
osn.cxo.cpqcorp.net (set 1) and at the same time the non-IPA servers (set 2) 
deem themselves to be authoritative for domain osn.cxo.cpqcorp.net.


Unfortunately the IPA installer is not clever enough to detect this situation 
and warn you at the right time. We have a ticket for adding this check to new 
versions of IPA:

https://fedorahosted.org/freeipa/ticket/3681

The solution is to decide which set of servers (IPA or non-IPA) should be 
really authoritative and change configuration appropriately.


If you want to use non-IPA servers as authoritative:
- Install IPA *without* DNS component
- Add the DNS records generated by the IPA installer to the non-IPA servers.

If you want to use IPA server as authoritative:
- Install IPA with DNS component
- Remove DNS zones from non-IPA servers or change configuration so non-IPA 
servers are *slaves* of IPA
- Change NS records in parent zone (presumably cxo.cpqcorp.net) so they point 
to IPA.


Don't hesitate to ask if you have further questions.

Petr^2 Spacek


On 3.10.2014 17:13, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

We have IdM running on a RHEL V7 system and have configured a local
DNS server in our test lab.

We have loaded the various SRV and TXT records needed by the IdM server.


PROBLEM:

From the IdM server we can only look up local records. The name resolver will 
not attempt to look to any other name servers or domains defined in 
/etc/resolv.conf

If I shutdown IdM using ipactl stop and then restart named, the name
resolver works for local and remote hosts, addresses and domains as
well as serving up the SRV records defined on the local host.

Am I correct in assuming that while IdM is up and running, the only
other systems it will communicate with at least with regard to name
services is another host also running IdM defined either as a server or a 
client ?

If this is the case, is there any way to better integrate some of these
common services such as named into an existing network such that you are not 
limited by the IdM components?


I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use option 
--setup-dns during ipa-server-install?


   I have tried it both ways, but the most current in which we see this 
behavior I ran ipa-server-install with no arguments and said yes to the 
question about installing DNS. I then replied with two valid forwarders.
   In a previous installation, we added two of our local zones from one of the 
other DNS servers and then added the sample zone provided by the installation 
which contained the various SRV and TXT records. But for current reporting of 
this problem, we did not add/load the other zone files.


- Which DNS zones do you have defined on IPA server? You can use command "ipa 
dnszone-find" to list all zones.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...
[root@linux named]# ipa dnszone-find
   Zone name: 240.112.16.in-addr.arpa.
   Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
   Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
   SOA serial: 1412344406
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Active zone: TRUE
   Allow query: any;
   Allow transfer: none;

   Zone name: osn.cxo.cpqcorp.net
   Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
   Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
   SOA serial: 1412344406
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Active zone: TRUE
   Allow query: any;
   Allow transfer: none;

Number of entries returned 2


- Is there any other DNS servers serving same DNS zones?


  Yes, we left the other two existing DNS servers in place as they are our 
primary name servers for this lab segment.
  Those are the two systems we have entered as forwarders.


- Did you
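The clash Petr describes can be confirmed from `dig` alone: the failing lookup quoted further down in this thread carries the `aa` flag (`flags: qr aa rd ra`) on its NXDOMAIN, i.e. 16.112.240.59 answered from its own copy of osn.cxo.cpqcorp.net and never consulted the forwarders, because BIND does not forward a name that lies inside a zone it serves. That is consistent with lookups working again after `ipactl stop` and a bare `named` restart, when the LDAP-backed zone is not loaded. The script below is an added example for this thread, not code from the FreeIPA project or from anyone posting here. It parses dig's text output (the layout quoted in this thread), reports which server answered and whether it did so authoritatively, and, given one `dig @<server> osn.cxo.cpqcorp.net SOA` output per server, flags a zone for which more than one distinct SOA MNAME claims authority. The sample outputs are constructed: the addresses, zone name and the IPA zone's SOA values come from the thread; `ns1.osn.cxo.cpqcorp.net` and its serial are assumed placeholders for the non-IPA server, whose SOA the thread does not show; and the AUTHORITY section of the NXDOMAIN sample, cut off in the archive, is filled in with the IPA zone's SOA.

```python
"""Spot split DNS authority from `dig` output (added example; not FreeIPA code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
SERVER_RE = re.compile(r";; SERVER: ([^#\s]+)#(\d+)")
# "<owner> <ttl> IN SOA <mname> <rname> <serial> ..." in an ANSWER or AUTHORITY section
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)", re.M)


@dataclass
class DigResult:
    server: str
    status: str
    flags: Set[str]
    soa_zone: Optional[str] = None
    soa_mname: Optional[str] = None

    @property
    def authoritative(self) -> bool:
        return "aa" in self.flags


def parse_dig(text: str) -> DigResult:
    """Extract answering server, rcode, header flags and the first SOA record seen."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    server = SERVER_RE.search(text)
    if not (header and flags and server):
        raise ValueError("not a complete dig output")
    result = DigResult(server.group(1), header.group(2), set(flags.group(1).split()))
    soa = SOA_RE.search(text)
    if soa:
        result.soa_zone, result.soa_mname = soa.group(1).lower(), soa.group(2).lower()
    return result


def why_no_forwarding(r: DigResult) -> str:
    """Read the flags the way BIND behaves: an aa answer never went to a forwarder."""
    if r.authoritative:
        return ("%s answered %s authoritatively (aa) from zone %s; BIND never forwards "
                "a name that lies inside a zone it serves" % (r.server, r.status, r.soa_zone))
    return "%s answered %s non-authoritatively; recursion or forwarders were used" % (
        r.server, r.status)


def authority_clash(results: List[DigResult]) -> Dict[str, Set[str]]:
    """Zones for which more than one distinct SOA MNAME answered with aa set."""
    claims: Dict[str, Set[str]] = {}
    for r in results:
        if r.authoritative and r.soa_zone and r.soa_mname:
            claims.setdefault(r.soa_zone, set()).add(r.soa_mname)
    return {zone: names for zone, names in claims.items() if len(names) > 1}


# Constructed sample: dig @16.112.240.59 osn.cxo.cpqcorp.net SOA (the IPA server)
IPA_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
osn.cxo.cpqcorp.net.\t3600\tIN\tSOA\tlinux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600

;; SERVER: 16.112.240.59#53(16.112.240.59)
"""

# Constructed sample: the same query against non-IPA server 16.112.240.27
# (MNAME and serial are assumed; the thread does not show this server's SOA)
NONIPA_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
osn.cxo.cpqcorp.net.\t3600\tIN\tSOA\tns1.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 2014100301 3600 900 1209600 3600

;; SERVER: 16.112.240.27#53(16.112.240.27)
"""

# Constructed sample: the failing lookup from this thread, with the AUTHORITY
# section the archive cut off filled in with the IPA zone's SOA
NXDOMAIN_FROM_IPA = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.\t3600\tIN\tSOA\tlinux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600

;; SERVER: 16.112.240.59#53(16.112.240.59)
"""

if __name__ == "__main__":
    print(why_no_forwarding(parse_dig(NXDOMAIN_FROM_IPA)))
    print(authority_clash([parse_dig(IPA_SOA), parse_dig(NONIPA_SOA)]))
```

The `dig denali` output quoted lower in the thread (flags `qr rd ra` without `aa`, a root SOA in AUTHORITY) parses as a non-authoritative answer, which is the behaviour one wants for names outside the IPA zone. One caveat on Petr's second option: the `ipa dnszone-find` output above shows `Allow transfer: none;` on osn.cxo.cpqcorp.net, so before the non-IPA servers can be made slaves of IPA the zone's allow-transfer ACL has to admit them, and nothing else.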

Re: [Freeipa-users] FW: named and IpA

2014-10-03 Thread Dmitri Pal
On 10/03/2014 11:13 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network 
Support) wrote:


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

We have IdM running on a RHEL V7 system and have configured a local
DNS server in our test lab.

We have loaded the various SRV and TXT records needed by the IdM server.


PROBLEM:

From the IdM server we can only look up local records. The name resolver will 
not attempt to look to any other name servers or domains defined in 
/etc/resolv.conf

If I shutdown IdM using ipactl stop and then restart named, the name
resolver works for local and remote hosts, addresses and domains as
well as serving up the SRV records defined on the local host.

Am I correct in assuming that while IdM is up and running, the only
other systems it will communicate with at least with regard to name
services is another host also running IdM defined either as a server or a 
client ?

If this is the case, is there any way to better integrate some of these
common services such as named into an existing network such that you are not 
limited by the IdM components?

I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use option 
--setup-dns during ipa-server-install?


   I have tried it both ways, but the most current in which we see this 
behavior I ran ipa-server-install with no arguments and said yes to the 
question about installing DNS. I then replied with two valid forwarders.
   In a previous installation, we added two of our local zones from one of the 
other DNS servers and then added the sample zone provided by the installation 
which contained the various SRV and TXT records. But for current reporting of 
this problem, we did not add/load the other zone files.

- Which DNS zones do you have defined on IPA server? You can use command "ipa 
dnszone-find" to list all zones.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...
[root@linux named]# ipa dnszone-find
   Zone name: 240.112.16.in-addr.arpa.
   Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
   Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
   SOA serial: 1412344406
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Active zone: TRUE
   Allow query: any;
   Allow transfer: none;

   Zone name: osn.cxo.cpqcorp.net
   Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
   Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
   SOA serial: 1412344406
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Active zone: TRUE
   Allow query: any;
   Allow transfer: none;

Number of entries returned 2


- Is there any other DNS servers serving same DNS zones?


  Yes, we left the other two existing DNS servers in place as they are our 
primary name servers for this lab segment.
  Those are the two systems we have entered as forwarders.

- Did you configure forwarders in /etc/named.conf or via ipa command line tools 
(ipa dnsconfig-mod or --forwarder option during ipa-server-install)?


  The forwarders were placed in the /etc/named.conf file by the 
ipa-server-install script or one of its subordinate scripts.
  I did try entering the forward policy and forwarders using ipa dnsconfig-mod 
but they didn't seem to change the behavior.
   One thing I did notice was that ipa dnsconfig-mod --forwarder= only 
allowed one forwarder to be entered. Adding a second entry on the line 
resulted in an error. If entered with a second --forwarder command, the 
previous forwarder was replaced by the new one. So if there is a particular 
syntax that would allow more than one entry, can you please post same?

- Please attach result of DNS lookups using "dig" command: One output when it doesn't work (i.e. 
with IPA running) and the other when it works as you expect (i.e. after "ipactl stop" and 
"service named restart").


with ipa running:

[root@linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN

[root@linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp

[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:
> We have IdM running on a RHEL V7 system and have configured a local 
> DNS server in our test lab.
>
> We have loaded the various SRV and TXT records needed by the IdM server.
>
>
> PROBLEM:
>
> From the IdM server we can only look up local records.  The name 
> resolver will not attempt to look to any other name servers or domains 
> defined in /etc/resolv.conf
>
> If I shutdown IdM using ipactl stop and then restart named, the name 
> resolver works for local and remote hosts, addresses and domains as 
> well as serving up the SRV records defined on the local host.
>
> Am I correct in assuming that while IdM is up and running, the only 
> other systems it will communicate with at least with regard to name 
> services is another host also running IdM defined either as a server or a 
> client ?
>
> If this is the case, is there any way to better integrate some of these 
> common services such as named into an existing network such that you are not 
> limited by the IdM components?

I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use option 
--setup-dns during ipa-server-install?

>>   I have tried it both ways, but the most current in which we see this 
>> behavior I ran ipa-server-install with no arguments and said yes to the 
>> question about installing DNS. I then replied with two valid forwarders.
>>   In a previous installation, we added two of our local zones from one of 
>> the other DNS servers and then added the sample zone provided by the 
>> installation which contained the various SRV and TXT records. But for 
>> current reporting of this problem, we did not add/load the other zone files.

- Which DNS zones do you have defined on IPA server? You can use command "ipa 
dnszone-find" to list all zones.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...
[root@linux named]# ipa dnszone-find
  Zone name: 240.112.16.in-addr.arpa.
  Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
  Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
  SOA serial: 1412344406
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: osn.cxo.cpqcorp.net
  Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
  Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
  SOA serial: 1412344406
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

Number of entries returned 2


- Is there any other DNS servers serving same DNS zones?

>>  Yes, we left the other two existing DNS servers in place as they are our 
>> primary name servers for this lab segment.
>>  Those are the two systems we have entered as forwarders.

- Did you configure forwarders in /etc/named.conf or via ipa command line tools 
(ipa dnsconfig-mod or --forwarder option during ipa-server-install)?

>>  The forwarders were placed in the /etc/named.conf file by the 
>> ipa-server-install script or one of its subordinate scripts.
>>  I did try entering the forward policy and forwarders using ipa 
>> dnsconfig-mod but they didn't seem to change the behavior.
>>   One thing I did notice was that ipa dnsconfig-mod --forwarder= only 
>> allowed one forwarder to be entered. Adding a second entry on the line 
>> resulted in an error. If entered with a second --forwarder command, the 
>> previous forwarder was replaced by the new one. So if there is a particular 
>> syntax that would allow more than one entry, can you please post same?

- Please attach result of DNS lookups using "dig" command: One output when it 
doesn't work (i.e. with IPA running) and the other when it works as you expect 
(i.e. after "ipactl stop" and "service named restart").

>> with ipa running:

[root@linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN

[root@linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.ne

Re: [Freeipa-users] FW: named and IpA

2014-10-03 Thread Rich Megginson
On 10/03/2014 08:32 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network 
Support) wrote:


-Original Message-
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Sent: Friday, October 03, 2014 7:11 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA

Jan,

Just for kicks, I tried to use the ipa dnsconfig-mod command to add information 
about the local name server.

I was able to set the forwarding policy but I was only able to set a single 
forwarder.

If I issued a second forwarder, the previous entry was replaced by the new one 
and only one forwarder shows as active:

[root@linux named]# ipa dnsconfig-show
   Global forwarders: 16.112.240.40
   Forward policy: first

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27
   Global forwarders: 16.112.240.27
   Forward policy: first

[root@linux named]# ipa dnsconfig-show
   Global forwarders: 16.112.240.27
   Forward policy: first

If I attempt to place more than one forwarder in the arguments, I get an error:

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...


You cannot use an unescaped semicolon:

$ man bash
...
DEFINITIONS
...
       metacharacter
              A character that, when unquoted, separates words. One of the
              following:
              |  & ; ( ) < > space tab



The Fedora documentation only gives examples for adding a single 
forwarder, so this seems to be a shortcoming in the current implementation.

However, having performed these steps, it still did not allow the local name 
server to look at anything past the local database or use the designated 
forwarders.

Al


-Original Message-
From: Jan Pazdziora [mailto:jpazdzi...@redhat.com]
Sent: Thursday, October 02, 2014 11:23 PM
To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On Thu, Oct 02, 2014 at 05:05:10PM +, Licause, Al (CSC AMS BCS - UNIX/Linux 
Network Support) wrote:

From the IdM server we can only look up local records. The name resolver will 
not attempt to look to any other name servers or domains defined in 
/etc/resolv.conf

What exactly is in your /etc/resolv.conf? Just the IP address of the IPA server 
(localhost), or some other records?


If I shutdown IdM using ipactl stop and then restart named, the name
resolver works for local and remote hosts, addresses and domains as
well as serving up the SRV records defined on the local host.

So if all IdM services are running, you do not seem to have named observing 
forwarders settings but if you only run named on the IdM machine and nothing 
else, it starts to observe them?

Can you show dig output for one of the problematic records to see which DNS 
server is answering the query?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
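The bash error quoted above is the harmless form of a general problem: `;` is a shell metacharacter, so `--forwarder=16.112.240.27;16.112.240.40` ran `ipa dnsconfig-mod --forwarder=16.112.240.27` and then tried to execute `16.112.240.40` as a second command. The same word-splitting turns into command injection as soon as the forwarder list comes from an operator-supplied field and is pasted into a shell string. The snippet below is an added example for this thread, not FreeIPA code: it validates every address as a single IP literal, builds the argv as a list so no shell is involved, and renders a paste-safe command line. It assumes that repeating `--forwarder` once per address is how the IPA CLI takes a multi-valued option and that `--forward-policy` names the policy option; the thread shows only the single-value form and the `Forward policy: first` line of `ipa dnsconfig-show`.

```python
"""Hand several forwarders to `ipa dnsconfig-mod` without a shell in between.

Added example, not FreeIPA code. Assumed, not shown in the thread: the IPA CLI
accepts a multi-valued option by repeating it, and `--forward-policy` is the
name of the policy option.
"""
import ipaddress
import shlex
import subprocess
from typing import List, Sequence

POLICIES = ("first", "only", "none")


def is_ip_literal(value: str) -> bool:
    """True only for a single IPv4/IPv6 literal; '1.2.3.4;5.6.7.8' is rejected."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def forwarder_argv(forwarders: Sequence[str], policy: str = "first") -> List[str]:
    """argv for `ipa dnsconfig-mod`: one --forwarder per address, duplicates dropped."""
    if policy not in POLICIES:
        raise ValueError("forward policy must be one of %s" % (POLICIES,))
    argv = ["ipa", "dnsconfig-mod", "--forward-policy=" + policy]
    seen = set()
    for raw in forwarders:
        if not is_ip_literal(raw):
            raise ValueError("not a single IP address: %r" % raw)
        ip = str(ipaddress.ip_address(raw.strip()))  # normalised textual form
        if ip not in seen:
            seen.add(ip)
            argv.append("--forwarder=" + ip)
    if not seen:
        raise ValueError("at least one forwarder is required")
    return argv


def shell_safe(argv: Sequence[str]) -> str:
    """Render argv for pasting into a shell; any word with metacharacters is quoted."""
    return " ".join(shlex.quote(a) for a in argv)


def apply_forwarders(forwarders: Sequence[str], policy: str = "first",
                     run=subprocess.run):
    """Run the command as an argv list (never shell=True); raise on non-zero exit."""
    return run(forwarder_argv(forwarders, policy), check=True)


if __name__ == "__main__":
    print(shell_safe(forwarder_argv(["16.112.240.27", "16.112.240.40"])))
```

On the policy itself: with `first`, BIND falls back to iterative resolution from the root hints whenever the forwarders fail to answer, which is how the `dig denali` query further down in this thread ended at a root-server SOA. If the two lab servers are meant to be the only path out of the segment, `only` is the stricter setting.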


[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Dmitri,

Thanks for the input, but I tend to think the problem is further down within 
IdM. If it were a pure name misconfiguration, why would it work when IdM is 
shut down and named restarted, with no change to the DNS records?

I'll keep monitoring this discussion for further input.

Al

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, October 02, 2014 5:24 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 10/02/2014 01:05 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

We have IdM running on a RHEL V7 system and have configured a local DNS server
in our test lab.

We have loaded the various SRV and TXT records needed by the IdM server.


PROBLEM:

From the IdM server we can only look up local records. The name resolver will 
not attempt to look to any other name servers or domains defined in 
/etc/resolv.conf

If I shutdown IdM using ipactl stop and then restart named, the name resolver 
works
for local and remote hosts, addresses and domains as well as serving up the SRV 
records
defined on the local host.

Am I correct in assuming that while IdM is up and running, the only other 
systems it
will communicate with at least with regard to name services is another host also
running IdM defined either as a server or a client ?

If this is the case, is there any way to better integrate some of these common 
services such as named into an existing network such that you are not limited 
by the IdM components?


Al Licause



If DNS is running on IdM, the DNS lookups might be forwarded to different DNS 
servers depending on your DNS configuration.
Based on what you describe it seems that there is some sort of DNS 
misconfiguration.
I would leave it to the gurus to help you with that.



--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.

[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


-Original Message-
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 6:31 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA


Jan,

After submitting this request and since these are crash-and-burn lab systems, I 
reran ipa-server-install --uninstall and ran the installation script again, 
this time without allowing a local DNS server to be created. Once we got all of 
our zone files corrected the system was able to resolve names and addresses, 
but I have rerun the configurator again today so I can try to answer your 
questions.

Just after running the configurator and setting up a new IdM server, 
resolv.conf contains the following:

search osn.cxo.cpqcorp.net
nameserver 16.112.240.59

This is the domain in which this server resides and this is the servers ip 
address.

By default, the /etc/named.conf file that is created only loads the root 
servers zone and the dynamic-db "ipa" data. It also contains the following 
forwarder information, which includes the two forwarders as requested in the 
installation script.

forward first;
forwarders {
16.112.240.27;
16.112.240.40;
};

These forwarders are the two primary dns servers in the domain.

Given that information, the only host that can be resolved at the moment is the 
local server's name, which is linux:

[root@linux named]# nslookup linux
Server: 16.112.240.59
Address:16.112.240.59#53

Name:   linux.osn.cxo.cpqcorp.net
Address: 16.112.240.59

[root@linux named]#
[root@linux named]#
[root@linux named]#
[root@linux named]# nslookup denali
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find denali: NXDOMAIN

[root@linux named]# nslookup denali.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find denali.osn.cxo.cpqcorp.net: NXDOMAIN


[root@linux named]# nslookup 16.112.240.27
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find 27.240.112.16.in-addr.arpa.: NXDOMAIN

[root@linux named]# nslookup www.pbs.org
Server: 16.112.240.59
Address:16.112.240.59#53

Non-authoritative answer:
www.pbs.org canonical name = r53-vip.pbs.org.
Name:   r53-vip.pbs.org
Address: 54.160.180.54


As you can see from above, only the local host was successfully resolved using 
nslookup. Attempts to look up any other host within our own address space fail. 
We can look up hosts and addresses that are in the public space from the hints 
zone in the named.conf file.

# dig denali

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                        IN      A

;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:23:13 EDT 2014
;; MSG SIZE  rcvd: 110


As you can see from the dig command, the request is not going past the local 
host.

But now if I stop ipa and then restart named on this host, the forwarders 
appear to work just fine:

[root@linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
[root@linux named]# systemctl start named
[root@linux named]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Fri 2014-10-03 09:24:26 EDT; 8s ago
  Process: 7801 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7820 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7818 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 7823 (named)
   CGroup: /system.slice/named.service
           └─7823 /usr/sbin/named -u named

Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: managed-keys-zone:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 0.in-addr.arp...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.127.in-...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.0.0.0.0...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone localhost/IN:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net 

[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


-Original Message-
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 7:11 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA

Jan,

Just for kicks, I tried to use the ipa dnsconfig-mod command to add information 
about the local name server.

I was able to set the forwarding policy but I was only able to set a single 
forwarder.

If I issued a second forwarder, the previous entry was replaced by the new one 
and only one forwarder shows as active:

[root@linux named]# ipa dnsconfig-show
  Global forwarders: 16.112.240.40
  Forward policy: first

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27
  Global forwarders: 16.112.240.27
  Forward policy: first

[root@linux named]# ipa dnsconfig-show
  Global forwarders: 16.112.240.27
  Forward policy: first

If I attempt to place more than one forwarder in the arguments, I get an error:

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...

The Fedora documentation only gives examples for adding a single 
forwarder, so this seems to be a shortcoming in the current implementation.

However, having performed these steps, it still did not allow the local name 
server to look at anything past the local database or use the designated 
forwarders.

Al


-Original Message-
From: Jan Pazdziora [mailto:jpazdzi...@redhat.com]
Sent: Thursday, October 02, 2014 11:23 PM
To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On Thu, Oct 02, 2014 at 05:05:10PM +, Licause, Al (CSC AMS BCS - UNIX/Linux 
Network Support) wrote:
> 
> From the IdM server we can only look up local records.  The name 
> resolver will not attempt to look to any other name servers or domains 
> defined in /etc/resolv.conf

What exactly is in your /etc/resolv.conf? Just the IP address of the IPA server 
(localhost), or some other records?

> If I shutdown IdM using ipactl stop and then restart named, the name 
> resolver works for local and remote hosts, addresses and domains as 
> well as serving up the SRV records defined on the local host.

So if all IdM services are running, you do not seem to have named observing 
forwarders settings but if you only run named on the IdM machine and nothing 
else, it starts to observe them?

Can you show dig output for one of the problematic records to see which DNS 
server is answering the query?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
