[Freeipa-users] FreeIPA 4.2.0 / CentOS 7.2 / DNS Strangeness (Sub-domains)

Petr Spacek pspacek at redhat.com
Wed Jan 6 07:26:56 UTC 2016


On 6.1.2016 08:25, Petr Spacek wrote:
> On 6.1.2016 06:42, Devin wrote:
>> I am noticing a very strange issue with FreeIPA. I installed FreeIPA on a
>> fresh virtual machine called (idm.servers.lnx.ninja) and registered the
>> Kerberos domain as LNX.NINJA. Everything installs just fine without any
>> issues, and even when I log into FreeIPA and go to the DNS Manager I see
>> that it created a few zones as I would have expected (i.e. a reverse zone for
>> 10.10.10.x, an lnx.ninja zone, and a servers.lnx.ninja zone). What I notice is
>> that if I try to do a DNS query for any record in the (lnx.ninja) zone it
>> fails even though there are records there, and if I query any records
>> inside the servers.lnx.ninja zone they work just fine. What I can't
>> understand is why my DNS queries are dying on the (lnx.ninja) zone.
>>
>> So for my test I created 2 (A) records, one inside (lnx.ninja) and one
>> inside (servers.lnx.ninja). What would cause any DNS queries to lnx.ninja
>> to not succeed? I have duplicated this issue multiple times with several
>> other VMs using different domains and they have the same issue. Any
>> advice is appreciated!
>>
>> [root at idm ~]# dig @localhost blah.lnx.ninja
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> @localhost blah.lnx.ninja
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50913
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;blah.lnx.ninja. IN A
>>
>> ;; Query time: 1 msec
>> ;; SERVER: ::1#53(::1)
>> ;; WHEN: Wed Jan 06 05:30:15 UTC 2016
>> ;; MSG SIZE  rcvd: 43
>>
>> [root at idm ~]# dig @localhost blah.servers.lnx.ninja
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.1 <<>> @localhost
>> blah.servers.lnx.ninja
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64481
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;blah.servers.lnx.ninja. IN A
>>
>> ;; ANSWER SECTION:
>> blah.servers.lnx.ninja. 86400 IN A 10.10.10.1
>>
>> ;; AUTHORITY SECTION:
>> servers.lnx.ninja. 86400 IN NS idm.servers.lnx.ninja.
>>
>> ;; ADDITIONAL SECTION:
>> idm.servers.lnx.ninja. 1200 IN A 10.10.10.10
>>
>> ;; Query time: 0 msec
>> ;; SERVER: ::1#53(::1)
>> ;; WHEN: Wed Jan 06 05:30:32 UTC 2016
>> ;; MSG SIZE  rcvd: 101
> 
> 
> Hello,
> 
> this is strange, but I do not have sufficient information right now.
> 
> Please add following information:
> # list all configured DNS master zones
> $ ipa dnszone-find
> 
> # list all DNS forward zones
> $ ipa dnsforwardzone-find
> 
> # tell us exact RPM versions
> $ rpm -q bind bind-dyndb-ldap ipa-server

Ee, I forgot to ask for logs from named-pkcs11 service:
Please run
$ journalctl -u named-pkcs11
and look for messages related to the zone which has problems.

I'm sorry for the noise :-)

-- 
Petr^2 Spacek
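The two dig runs in the original report differ in more than the RCODE: the working child-zone answer carries the `aa` flag (the server is authoritative for servers.lnx.ninja), while the parent-zone query gets a bare SERVFAIL with no authority section, which is what BIND returns when it is supposed to serve a zone but cannot load or consult its backend. The script below is an added example, not code from the thread or from FreeIPA: it classifies dig answers by RCODE and `aa` flag, checks a parent/child zone pair against the local server, and then collects exactly the diagnostics asked for above (`ipa dnszone-find`, `ipa dnsforwardzone-find`, `rpm -q bind bind-dyndb-ldap ipa-server`, `journalctl -u named-pkcs11`). The sample answers embedded in it are constructed from the header lines posted in the thread; the `--live` mode assumes `dig`, the `ipa` CLI and the `named-pkcs11` unit are present on the IPA server.

```shell
#!/bin/sh
# Added example (not part of the original thread or of FreeIPA itself).
# Classify dig(1) answers for a name in the parent zone versus the child zone,
# and gather the diagnostics requested in the reply when the parent zone fails.

# Extract the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Report "aa" if the answer carried the Authoritative Answer flag, else "noaa".
dig_authoritative() {
    if printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'; then
        echo aa
    else
        echo noaa
    fi
}

# One-word diagnosis for a name that should exist in a zone this server is
# expected to be authoritative for.
classify_answer() {
    status=$(dig_status "$1")
    aa=$(dig_authoritative "$1")
    case "$status:$aa" in
        NOERROR:aa)   echo ok ;;           # authoritative answer: zone is loaded and served
        NOERROR:noaa) echo recursed ;;     # answered via recursion/forwarder, not from our zone
        NXDOMAIN:*)   echo missing ;;      # zone is served, the record is simply absent
        SERVFAIL:*)   echo zone-broken ;;  # server-side failure: zone not loaded or backend error
        *)            echo unknown ;;
    esac
}

# Live check: query a parent-zone name and a child-zone name on the IPA server.
# Only the header/flags comment lines are needed for classification.
check_zone_pair() {
    server=${3:-localhost}
    for name in "$1" "$2"; do
        out=$(dig "@$server" +noall +comments "$name" A 2>/dev/null) || true
        printf '%-30s %s\n' "$name" "$(classify_answer "$out")"
    done
}

# Collect what the reply asks for: master zones, forward zones, package
# versions, and named-pkcs11 log lines that mention the failing zone.
collect_ipa_dns_diagnostics() {
    zone=$1
    ipa dnszone-find
    ipa dnsforwardzone-find
    rpm -q bind bind-dyndb-ldap ipa-server
    journalctl -u named-pkcs11 --no-pager | grep -i -- "$zone" || true
}

# Constructed samples: the header lines from the two dig runs in the thread.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50913
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64481
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2'

# Offline demonstration on the constructed samples, or a live run with --live.
if [ "${1:-}" = "--live" ]; then
    check_zone_pair "${2:-blah.lnx.ninja}" "${3:-blah.servers.lnx.ninja}"
    collect_ipa_dns_diagnostics "${4:-lnx.ninja}"
else
    printf 'parent zone sample: %s\n' "$(classify_answer "$SAMPLE_SERVFAIL")"
    printf 'child zone sample:  %s\n' "$(classify_answer "$SAMPLE_OK")"
fi
```

The point of the `aa` check is to separate "the zone is served but the record is not there" (NXDOMAIN, authoritative) from "the server itself cannot answer for this zone" (SERVFAIL); only the latter is worth chasing in the named-pkcs11 journal, which is why the collector greps the log for the zone name rather than dumping the whole unit.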
