Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Petr Spacek
On 21.6.2016 15:03, dan.finkelst...@high5games.com wrote:
> Solution found (or, if not, a workaround):
> IPA replicas must be named in the root domain/zone and not in a subdomain, 
> else DNS fails to serve records in the root domain. Once we changed our 
> configuration to reflect this, DNS returned to normal.

This is most likely a workaround for some sort of misconfiguration; FreeIPA
itself does not require anything like that.

Petr^2 Spacek



Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Dan.Finkelstein
Solution found (or, if not, a workaround):
IPA replicas must be named in the root domain/zone and not in a subdomain, else 
DNS fails to serve records in the root domain. Once we changed our 
configuration to reflect this, DNS returned to normal.

—Dan

[cid:image001.jpg@01D1CB9B.D6819140]<http://www.high5games.com/>
Daniel Alex Finkelstein| Lead Dev Ops Engineer
dan.finkelst...@h5g.com<mailto:dan.finkelst...@h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the 
Sky<https://apps.facebook.com/shakethesky/>
Follow us on: Facebook<http://www.facebook.com/high5games>, 
Twitter<https://twitter.com/High5Games>, 
YouTube<http://www.youtube.com/High5Games>, 
Linkedin<http://www.linkedin.com/company/1072533?trk=tyah>

This message and any attachments may contain confidential or privileged 
information and are only for the use of the intended recipient of this message. 
If you are not the intended recipient, please notify the sender by return 
email, and delete or destroy this and all copies of this message and all 
attachments. Any unauthorized disclosure, use, distribution, or reproduction of 
this message or any attachments is prohibited and may be unlawful.


Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Dan.Finkelstein
Hi Petr,

Top level means the root zone of the various DNS trees we serve. For example, 
h5g.com would be the root and dev.h5g.com, test.h5g.com, etc., would be the 
subdomains. Our subdomains query fine, but any hosts in the root domain no 
longer resolve.

An example of an unresolvable name is IPA itself: ipa.h5g.com. Here's output 
from dig:

[root@ipa ~]# dig ipa.h5g.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.h5g.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa.h5g.com.                   IN      A

;; Query time: 0 msec
;; SERVER: 10.55.10.31#53(10.55.10.31)
;; WHEN: Tue Jun 21 07:15:14 EDT 2016
;; MSG SIZE  rcvd: 42

We expect that its IP address returns from dig, but it doesn't.

We have 100 zones defined, including forward and reverse zones — all active.

We do use DNS forwarding, but in a very unsophisticated way: we set up the 
forwarders to go to Google if our DNS can't resolve a name.

Thanks and regards,
Dan

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Petr Spacek
On 21.6.2016 11:23, dan.finkelst...@high5games.com wrote:
> We've recently set up a "clean" install of FreeIPA replete with replicas, but 
> we just noticed an odd behavior in the DNS service: hosts in the top level 
> domain (like ipa.example.com) do not resolve, whereas hosts in subdomains 
> (like ipa.dev.example.com) do. I'm not sure what to look for in the various 
> log files but I don't see any obvious errors. I thought perhaps this might 
> have some guidance 
> https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and 
> maybe it does, but I'm not sure how to rescue my top-level domain names.

Hi,

We can certainly debug this, but first of all, please clarify what 'top-level'
means.

If you really want help, please do not obfuscate any DNS names. It often hides
real problems while not improving security in any way. (BTW, you do not need to
hide domain names like 'NY5-EXMB1.High5.local' because these already leaked
through e-mail headers :-)

So, here are the important questions:
0) What name is unresolvable?
$ dig the.problematic.name.example.

1) What is the expected result from "dig"?

2) What DNS zones are configured in IPA?
$ ipa dnszone-find

3) Do you use DNS forwarding? (--forwarders option during IPA install or
commands ipa dnsforwardzone-*, ipa dnsconfig-mod etc.)

-- 
Petr^2 Spacek

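Petr's checklist above (dig the problematic name, list the zones IPA serves, check forwarding) and Dan's report that only replicas named inside the apex zone made it work again can both be driven from one small script. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA project. It assumes `ipa` and `dig` are on PATH and a Kerberos ticket is held when the audit is run, that `ipa --raw` prints zone names as `idnsname:` lines, and that `ipa dnsforwardzone-find` and `ipa dnsconfig-show` label their output `Zone name:` and `Global forwarders:` (assumed output formats). The only data embedded in it is the dig header Dan posted for ipa.h5g.com, so the classifier can be exercised without a live server. The server address 10.55.10.31 in the usage comment is the one from Dan's dig output.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from FreeIPA.
# For every master zone IPA knows about, ask one IPA DNS server for the zone's
# SOA with recursion disabled and report whether it answered authoritatively,
# SERVFAILed, or only answered via recursion. Then list forward zones and
# global forwarders, because a forwarder or forward zone covering a parent
# name can hide what the local zone is doing.
# Assumptions: 'ipa' and 'dig' on PATH and a Kerberos ticket held (audit only);
# 'ipa --raw' prints 'idnsname:' lines; dnsconfig-show prints
# 'Global forwarders:' and dnsforwardzone-find prints 'Zone name:'.

# classify_dig_header: read a dig(1) answer on stdin and print one token:
#   AUTHORITATIVE      NOERROR with the aa flag (this server holds the zone)
#   NOT_AUTHORITATIVE  NOERROR without aa (a cache or forwarder answered)
#   SERVFAIL, NXDOMAIN, REFUSED ...  the RCODE dig reported
#   NO_ANSWER          no header at all (timeout, server unreachable)
classify_dig_header() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    '') echo NO_ANSWER ;;
    NOERROR)
      case " $flags " in
        *' aa '*) echo AUTHORITATIVE ;;
        *)        echo NOT_AUTHORITATIVE ;;
      esac ;;
    *) echo "$status" ;;
  esac
}

# check_zone ZONE SERVER: +norecurse means a NOERROR answer can only come from
# a zone SERVER serves itself, so forwarding to Google cannot mask the result.
check_zone() {
  dig @"$2" "$1" SOA +norecurse +time=2 +tries=1 2>/dev/null | classify_dig_header
}

# audit_ipa_zones SERVER: one verdict line per IPA master zone, then the
# forwarding configuration. --sizelimit=0 matters with ~100 zones, because the
# default search limit is 100 and a silently truncated list hides zones.
audit_ipa_zones() {
  ipa dnszone-find --raw --all --sizelimit=0 2>/dev/null |
    sed -n 's/^ *idnsname: //p' |
    while read -r zone; do
      printf '%-45s %s\n' "$zone" "$(check_zone "$zone" "$1")"
    done
  echo '--- forward zones (ipa dnsforwardzone-find)'
  ipa dnsforwardzone-find --sizelimit=0 2>/dev/null | sed -n 's/^ *Zone name: //p'
  echo '--- global forwarders (ipa dnsconfig-show)'
  ipa dnsconfig-show 2>/dev/null | sed -n 's/^ *Global forwarders: //p'
}

# The header Dan posted for ipa.h5g.com, kept here so the classifier can be
# tried without a live server.
THREAD_HEADER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then
  audit_ipa_zones "$1"          # e.g. ./ipa-dns-audit.sh 10.55.10.31
else
  printf '%s\n' "$THREAD_HEADER" | classify_dig_header   # prints SERVFAIL
fi
```

Run it once per IPA DNS server (every replica, not just the one `dig` happened to pick from /etc/resolv.conf) and compare the columns: a zone that is AUTHORITATIVE on one replica and SERVFAIL on another points at that replica's zone state, while a name that resolves only because a global forwarder answered shows up as NOT_AUTHORITATIVE even though plain `dig` looks healthy.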