On 30/05/2023 10:43, Alexander Bokovoy wrote:
On Mon, 29 May 2023, lejeczek via FreeIPA-users wrote:
Hi guys.
That is on the first master, which was happy for a short while and then suddenly:
...
29-May-2023 12:38:23.597 info: client @0x7f6484005538 127.0.0.1#43235 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:08.518 info: client @0x7f64b0080088 127.0.0.1#48441 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
and that is for any & every query, with given forwarders or no forwarders. Time is in sync, the network works, everything else seems good too... and the second master/replica does not complain. What might the issue be (besides the obvious)?
The obvious part is described in the error message: you have a broken DNSSEC trust chain for onet.pl, and that causes the issue because you have DNSSEC validation enabled.
Yes, that part is obvious - perhaps I did a poor job formulating my question - this is a fresh new IPA installation of the first master (in a container), which master worked for a short while - meanwhile I did add a replica to the domain - and then... this. Like I said - every query for every domain, DNSSEC fails that same way! on that first master, whereas... the second master continues to be A-okay. There is nothing else I can think of that happened to that master - one more thing I did was a backup on that master - before DNS broke. One conspiracy theory, the only one I can come up with, is - could a broken replication have affected the newly set up master? -> another domain's one master had 'ipa-healthcheck' reporting some troubles, mentioning the host-name of that new domain's first-master-fqdn, which was before a member of an already existing domain. I'm going to redeploy from new to see if that conspiracy theory - now when the already existing domain is free from 'healthcheck' complaints - might bear any substance.
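Added example (not from the thread or from FreeIPA): a small Python script that parses BIND named log lines in the format quoted above and counts "broken trust chain" failures per queried name, to tell a resolver-wide validation problem (every name fails, as on the first master here) from a single zone's broken chain. The sample log is constructed; the example.org/example.net/example.com lines and their client ports are invented.

```python
import re
from collections import Counter

# Pattern for BIND 9 named log lines reporting a failed query
# (the format of the lines quoted in the thread).
FAILED_QUERY = re.compile(
    r"^(?P<ts>\S+ \S+) info: client @0x[0-9a-f]+ (?P<client>\S+) "
    r"\((?P<qname>[^)]+)\): query failed \((?P<reason>[^)]+)\) "
    r"for (?P<name>[^/]+)/IN/(?P<qtype>\S+)"
)

# Constructed sample log, modelled on the two lines quoted in the thread;
# the extra names, ports and the non-failure line are invented.
SAMPLE_LOG = """\
29-May-2023 12:38:23.597 info: client @0x7f6484005538 127.0.0.1#43235 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:08.518 info: client @0x7f64b0080088 127.0.0.1#48441 (onet.pl): query failed (broken trust chain) for onet.pl/IN/A at ../../../lib/ns/query.c:7355
29-May-2023 12:39:30.001 info: client @0x7f64b0080088 127.0.0.1#50000 (example.org): query failed (broken trust chain) for example.org/IN/AAAA at ../../../lib/ns/query.c:7355
29-May-2023 12:40:02.113 info: client @0x7f64b0080088 127.0.0.1#50001 (example.net): query failed (broken trust chain) for example.net/IN/MX at ../../../lib/ns/query.c:7355
29-May-2023 12:40:05.900 info: client @0x7f64b0080088 127.0.0.1#50002 (example.com): resolver priming query complete
"""

def parse_failures(log_text):
    """Return one dict per 'query failed' line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_QUERY.match(line)
        if m:
            out.append(m.groupdict())
    return out

def trust_chain_summary(log_text):
    """Count 'broken trust chain' failures per queried name.

    Many distinct names failing points at the validating resolver itself
    (trust anchor, clock, or a forwarder that strips DNSSEC data); a single
    name points at that zone's own signing or DS records.
    """
    per_name = Counter(
        f["name"] for f in parse_failures(log_text)
        if f["reason"] == "broken trust chain"
    )
    scope = "resolver-wide" if len(per_name) > 1 else "single-zone"
    return per_name, scope

if __name__ == "__main__":
    counts, scope = trust_chain_summary(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{name}: {n}")
    print("likely scope:", scope)
```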