Re: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-16 Thread Alexander Bokovoy

On Fri, 15 Jul 2016, dan.finkelst...@high5games.com wrote:

> There was a solution: explicitly disable DNSSEC in /etc/named.conf on
> all IPA masters/replicas and restart the named-pkcs11 service. After
> that, zone forwarding worked as expected.

If your DNS upstreams don't provide DNSSEC, it is enough to disable
dnssec validation in named.conf.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
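The fix in this thread is a one-line change to named.conf, and the usual way to confirm that validation (rather than the forwarding itself) is what breaks the lookup is to repeat the query with dig's +cd (checking disabled) flag: a SERVFAIL that turns into an answer under +cd is a validation failure. The script below is an added example, not code from the thread or from FreeIPA; it rewrites "dnssec-validation yes;" to "dnssec-validation no;" in a copy of the config, reports the effective setting, and refuses silently-doing-nothing when the option is absent. The options block it operates on is a constructed stand-in for the one FreeIPA writes, and the dig commands in the comments are the diagnostics a practitioner would run against their own servers (the 10.55.10.151 forwarder address is the one from the thread).

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): disable BIND DNSSEC
# validation in named.conf as the thread describes, and verify the edit
# before the service is restarted.
set -eu

# Before changing anything, confirm validation is the failing step:
#   dig @<ipa-server> testhost.example2.com A        -> SERVFAIL if validation fails
#   dig @<ipa-server> testhost.example2.com A +cd    -> answer, since +cd skips validation
#   dig @10.55.10.151 example2.com SOA +dnssec       -> shows whether the forwarder signs the zone

# Rewrite "dnssec-validation yes|auto;" to "dnssec-validation no;" from $1 into $2.
# Returns 1 when no such line exists, so the caller knows the option has to be
# added rather than changed (an absent option is not the same as "no").
disable_dnssec_validation() {
    in="$1"; out="$2"
    if ! grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+(yes|auto);' "$in"; then
        return 1
    fi
    sed -E 's/^([[:space:]]*dnssec-validation[[:space:]]+)(yes|auto);/\1no;/' "$in" > "$out"
}

# Print the configured dnssec-validation value ("yes", "no", "auto"), or "unset"
# when the option is absent (the default then depends on the BIND version).
dnssec_validation_state() {
    v=$(sed -nE 's/^[[:space:]]*dnssec-validation[[:space:]]+([a-z]+);.*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Constructed stand-in for the options block FreeIPA generates (trimmed down).
make_sample_conf() {
    cat > "$1" <<'EOF'
options {
    listen-on-v6 { any; };
    directory "/var/named";
    allow-recursion { any; };
    dnssec-enable yes;
    dnssec-validation yes;
};
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp/named.conf"
    echo "before: dnssec-validation $(dnssec_validation_state "$tmp/named.conf")"
    disable_dnssec_validation "$tmp/named.conf" "$tmp/named.conf.new"
    echo "after:  dnssec-validation $(dnssec_validation_state "$tmp/named.conf.new")"
    # On a real IPA master the remaining steps would be:
    #   named-checkconf /etc/named.conf.new && mv /etc/named.conf.new /etc/named.conf
    #   systemctl restart named-pkcs11
    # repeated on every master/replica, as the thread notes.
    rm -rf "$tmp"
}

demo
```

Alexander's qualification is the important one: this turns validation off for everything the server resolves, including signed zones the forwarder returns correctly, so it is only a harmless change when the upstreams do not sign their zones. BIND releases newer than the one on the CentOS 7 systems in this thread offer a validate-except option to exempt a single zone instead.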


Re: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-15 Thread Dan.Finkelstein
There was a solution: explicitly disable DNSSEC in /etc/named.conf on all IPA 
masters/replicas and restart the named-pkcs11 service. After that, zone 
forwarding worked as expected.

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com


Re: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-15 Thread Dan.Finkelstein
To give this a little more context, I've tried this:

[root@ipa ~]# ipa dnsforwardzone-add example2.com. --forwarder=10.55.10.151 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'example2.com. SOA' failed DNSSEC validation on server 10.55.10.31.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.
  Zone name: example2.com.
  Active zone: TRUE
  Zone forwarders: 10.55.10.151
  Forward policy: only

We don't care about DNSSEC validation on the forwarded zone, but we do on the 
zones that IPA is authoritative for.

Thanks,
Dan



[Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-15 Thread Dan.Finkelstein
Hi all,
I'm trying to follow the directions (and cautions) from here: 
http://www.freeipa.org/page/V4/Forward_zones, but when I add a new zone 
(example2.com) and a forwarding address and set the zone to forward-only, no 
records are returned for hosts like, say, testhost.example2.com. The NS record 
for the domain is the authoritative nameserver for the example2.com domain 
(which belongs to someone else), so we don't know why it doesn't return records 
whereas direct queries against the remote nameserver work fine.

Any help with the configuration would be appreciated.

Thanks,
Dan
