Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1249226
Description of problem:

We have tests setting up AD Trust that are failing on some normal DNS Forwarder setups. It should be noted that these are pre-existing AD servers used in multiple tests for different versions of IPA.

We try to create a dnsforwardzone for the AD Domain on the IPA server like this and see the error:

```
[root@vm-idm-014 system]# ipa dnsforwardzone-add adtest.qe --forwarder=$AD_IP --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server $IPA_IP: query 'adtest.qe. SOA': All nameservers failed to answer the query adtest.qe. IN SOA: Server $IPA_IP UDP port 53 anwered SERVFAIL.
  Zone name: adtest.qe.
  Active zone: TRUE
  Zone forwarders: $AD_IP
  Forward policy: only
```

Then in messages I see:

```
Aug  1 02:53:00 vm-idm-014 named-pkcs11[16963]: forward zone 'adtest.qe': loaded
Aug  1 02:53:05 vm-idm-014 named-pkcs11[16963]: error (insecurity proof failed) resolving 'adtest.qe/SOA/IN': $AD_IP#53
```

If I disable dnssec-validation in /etc/named.conf, this does not occur and I can add the forwarder as expected.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64
bind-pkcs11-9.9.4-27.el7.x86_64

How reproducible:
always, at least with this AD DNS server

Steps to Reproduce:
1. Install IPA Master
2. Install AD server with DNS
3. ipa dnsforwardzone-add $AD_DOMAIN --forwarder=$AD_IP --forward-policy=only

Actual results:
Error like above, and cannot resolve that domain from the IPA server:

```
[root@vm-idm-014 system]# dig +short @$AD_IP $AD_DOMAIN
$AD_IP
[root@vm-idm-014 system]# dig +short @$IPA_IP $AD_DOMAIN
[root@vm-idm-014 system]#
```

Expected results:
I originally thought this should work with zones not supporting DNSSEC but need clarification. If not, we may need a better way to disable DNSSEC Validation.
Additional info:

```
[root@vm-idm-014 system]# dig @$AD_IP $AD_DOMAIN SOA|grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000
[root@vm-idm-014 system]# dig +short @$AD_IP $AD_DOMAIN SOA +edns=0
ad12srv1.adtest.qe. hostmaster.adtest.qe. 2731 900 600 86400 3600
[root@vm-idm-014 system]# dig @$AD_IP $AD_DOMAIN SOA +edns=0|grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000
```

From the design page: http://www.freeipa.org/page/V4/DNSSEC_Support#Detection_if_forwarders_are_DNSSEC_capable

I guess it looks like the AD server does not support DNSSEC because it fails check 3 for forward zones (at least using dig):

> check if the record "fwzone IN SOA" @forwarder with EDNS0 has DNSSEC signatures (flags: RD, DO)
> failed: forwarder does not support DNSSEC

Dig results:

```
[root@vm-idm-014 system]# dig @$AD_IP $AD_DOMAIN SOA +edns=0|grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000
```

I don't see the expected DO flag on the AD server.
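As an added illustration of the forwarder check discussed in the report (example code written for this page, not FreeIPA's or BIND's own implementation), the script below performs the design page's check 3 on the wire: it builds a `SOA` query for the forward zone with EDNS0 and the DO bit set, parses the reply, and reports whether DNSSEC signatures (RRSIG) came back. One detail worth knowing when reproducing the check by hand: `dig` sets the DO bit only with `+dnssec`; `+edns=0` alone negotiates EDNS0 without it. The replies used for the offline run are constructed here, modelled on the SOA values quoted in the ticket, with a placeholder RRSIG; `probe_forwarder()` does the same check live against a real forwarder IP. Note also that the RRSIG test cannot by itself tell an unsigned zone apart from a forwarder that does not pass DNSSEC data through, which is the situation the report describes.

```python
"""Offline DNSSEC-capability probe for a DNS forwarder (added example, not
FreeIPA code). Implements the design page's check 3: query "zone IN SOA" at
the forwarder with EDNS0 and the DO bit set, then look for RRSIG records in
the reply. dig sets DO only with +dnssec; a plain +edns=0 query does not."""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 6, 41, 46, 1
DO_BIT = 0x8000          # high bit of the OPT RR's TTL field (RFC 6891)
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format owner name, e.g. b'\\x06adtest\\x02qe\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_soa_query(zone, qid, dnssec_ok=True, udp_size=4096):
    """Query with RD set, one question, and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size,
                                DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_reply(msg):
    """Return header flags, rcode, EDNS/DO status and the RR types seen."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    info = {"id": qid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "ad": bool(flags & 0x0020), "edns": False, "do": False, "types": []}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:            # OPT carries EDNS version/flags in the TTL field
            info["edns"] = True
            info["do"] = bool(ttl & DO_BIT)
        else:
            info["types"].append(rtype)
    return info


def classify_forwarder(reply):
    """Verdict in the spirit of the design page's forward-zone checks."""
    info = parse_reply(reply)
    if info["rcode"] == RCODE_SERVFAIL:
        return "failed: forwarder answered SERVFAIL"
    if not info["edns"]:
        return "failed: forwarder does not support EDNS0"
    if TYPE_RRSIG not in info["types"]:
        # An unsigned zone and a forwarder that strips DNSSEC data both land here.
        return "failed: forwarder does not support DNSSEC (no RRSIG in reply)"
    return "ok: DNSSEC-capable forwarder"


def probe_forwarder(forwarder_ip, zone, timeout=3.0):
    """Live check over UDP/53; not exercised by the offline samples below."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, qid), (forwarder_ip, 53))
        reply, _ = s.recvfrom(4096)
    if parse_reply(reply)["id"] != qid:
        return "failed: mismatched transaction id"
    return classify_forwarder(reply)


# --- constructed replies for offline use (values modelled on the ticket) ---
def fake_reply(zone, rrsets, flags=0x8580, do=False):
    """flags 0x8580 = qr aa rd ra with rcode 0; rrsets is a list of (type, rdata)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrsets), 0, 1)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for rtype, rdata in rrsets:
        body += encode_name(zone) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4000, DO_BIT if do else 0, 0)
    return header + body + opt


SOA_RDATA = (encode_name("ad12srv1.adtest.qe") + encode_name("hostmaster.adtest.qe")
             + struct.pack("!IIIII", 2731, 900, 600, 86400, 3600))
FAKE_RRSIG = b"\x00\x06" + b"\x00" * 40      # placeholder RRSIG rdata, not a real signature

AD_LIKE_REPLY = fake_reply("adtest.qe", [(TYPE_SOA, SOA_RDATA)])                   # SOA only, DO clear
SIGNED_REPLY = fake_reply("adtest.qe", [(TYPE_SOA, SOA_RDATA), (TYPE_RRSIG, FAKE_RRSIG)], do=True)
SERVFAIL_REPLY = fake_reply("adtest.qe", [], flags=0x8182)                          # qr rd ra, rcode 2

if __name__ == "__main__":
    for name, reply in [("AD-like", AD_LIKE_REPLY), ("signed", SIGNED_REPLY), ("servfail", SERVFAIL_REPLY)]:
        print(name, "->", classify_forwarder(reply))
```

Run it as-is to see the three verdicts on the constructed replies, or call `probe_forwarder("$AD_IP", "adtest.qe")` from a shell on the IPA server to run the live check; the reply flags it prints (`edns`, `do`, `aa`) map directly onto the `dig` flag lines quoted above.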
Metadata Update from @jcholast: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.2.1