Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1354441
Description of problem:
named-pkcs11[16354]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

Version-Release number of selected component (if applicable):
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server
2. Add forwardzone for parent domain
   ipa dnsforwardzone-add pne.qe --forwarder=IP-address --forward-policy=only
3. Add forwardzone for child domain
   ipa dnsforwardzone-add chd.pne.qe --forwarder=IP-address --forward-policy=only
4. Check message displayed on the console.

Actual results:
[root@server samba]# ipa dnsforwardzone-add chd.pne.qe --forwarder=10.65.210.99 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain chd.pne.qe. failed: All nameservers failed to answer the query chd.pne.qe. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

[root@server samba]# systemctl status named-pkcs11.service -l
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-07-11 12:38:30 IST; 2h 28min ago
 Main PID: 16354 (named-pkcs11)
   CGroup: /system.slice/named-pkcs11.service
           └─16354 /usr/sbin/named-pkcs11 -u named

Jul 11 12:42:36 server.testrelm.test named-pkcs11[16354]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type
Jul 11 12:42:36 server.testrelm.test named-pkcs11[16354]: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type

Expected results:
This should be working exactly as in RHEL7.2, i.e. the forwardzone policy should get added with the ip-address for the child/tree domains and be listed in the ipa dnsforwardzone-find command for the parent domain, which is not being done right now.

Additional info:
Interestingly, I'm unable to reproduce this on clean install. If you happen to find a reliable reproducer please reopen the bug. Thank you!
Okay, I was able to reproduce this problem using two independent IPA DNS servers:
Assume that example.com. is an existing DNS domain hosted on server "srv1":
srv1$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.1
srv1$ ipa dnsrecord-add example.com. f --ns-rec=$(hostname).
Forwarding to IP address 192.0.2.1 will always fail so any query for the sub-domain f.example.com. will always return an error (SERVFAIL or a timeout).
Now we can try to add the same sub-domain as a forward zone to the second machine, "srv2". For this to work, the srv2 machine needs to see proper DNS delegation of the example.com. domain to machine srv1. As a quick hack we can point the global forwarder on srv2 to srv1.
srv2$ ipa dnsforwardzone-add f.example.com. --forwarder=192.0.2.123
This will error out:
DNS check for domain f.dom-058-218.abc.idm.lab.eng.brq.redhat.com. failed: All nameservers failed to answer the query f.example.com. IN SOA: Server 127.0.0.1 UDP port 53 anwered SERVFAIL.
master:
Metadata Update from @pvoborni:
- Issue assigned to pspacek
- Issue set to the milestone: FreeIPA 4.4.1