[Freeipa-users] DNS forwarding configuration randomly breaks and stops working

nathan at nathanpeters.com nathan at nathanpeters.com
Tue Oct 6 16:57:58 UTC 2015


> Your expectation #1 is correct, but there can be multiple reasons why it
> fails.
>
> Did you try to set forward policy = only as I advised you in the previous
> e-mail? Forward policy 'first' does not make sense when split-DNS is
> involved because you can end up with mixture of records from different
> views in one cache, which obviously results in a mess.

Yes, we ended up having to use the forward only policy to get this
working.  That is unfortunate, because if our forwarding server ever goes
down or gets rebooted, that essentially disconnects us from being able to
resolve external internet domain names.  It would be nice to have
recursion as a fallback, but it seems to go into that mode too often to be
useful in our split DNS situation.

>> 2. We did some more network packet capture, and noticed that in forward
>> first mode, the FreeIPA server always sent out both a forward request to
>> the forwarding server, and an additional simultaneous request to the root
>> name servers (recursive mode).  It got back responses to both the
>> forwarded and recursive queries it had performed.  The recursive query
>> failed due to split DNS and the forwarded query succeeded due to it going
>> to an internal server which had the correct records.  Strangely enough...
>> the IPA server ignored the successful forwarded answer, and sent back the
>> 'failed' answer it had gotten through recursion back to the requesting
>> client.  What is the behavior supposed to be in this situation and why is
>> the server always sending out the recursive request, even when it gets a
>> valid answer from the forwarded request?
>
> This is weird, but again - it can have multiple reasons. Do you see something
> in BIND logs? Does it e.g. complain about DNSSEC validation failures?
>
> Petr^2 Spacek
>

Yes, we actually were getting DNSSEC validation failures. We had to
disable DNSSEC to get the forward only policy to work.  With DNSSEC turned
on, forward only would not work because DNSSEC still tried to directly
contact root servers.
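The two settings this thread ends up changing, shown side by side as an added example; this is not configuration from the original mail or from FreeIPA's own templates. The forwarder addresses 10.0.0.53 and 10.0.0.54 are made-up placeholders. On a FreeIPA server the forward policy and forwarders are normally set with `ipa dnsconfig-mod --forward-policy=only --forwarder=<address>` rather than by editing named.conf by hand; the fragment below is the plain BIND equivalent of those settings, with the two variants written as alternative `options` blocks (a real named.conf has only one).

```conf
# Variant A: the configuration the thread reports as broken with split DNS.
# BIND asks the forwarders first, but also falls back to recursion from the
# root servers, so answers for the same name from two different "views"
# can end up in one cache.
options {
    forward first;
    forwarders { 10.0.0.53; 10.0.0.54; };   # placeholder internal resolvers
    dnssec-validation yes;
};

# Variant B: the configuration that worked for the poster.
# 'forward only' never recurses on its own; the trade-off noted in the
# thread is that if every forwarder is unreachable, external names stop
# resolving, so list more than one forwarder.
options {
    forward only;
    forwarders { 10.0.0.53; 10.0.0.54; };   # placeholder internal resolvers
    # The thread reports that with validation on, BIND still contacted the
    # root servers directly, which split DNS blocked. Turning it off means
    # answers are no longer signature-checked on this server.
    dnssec-validation no;
};
```

After changing the policy, reload named (`rndc reload`) and watch BIND's log for lines mentioning `validating` or `forwarding`: that is where the validation failures Petr asks about show up, and it confirms which path a given answer actually took.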
