So for the last week I'm having trouble with my DNS. It is not working as expected and is giving me all sorts of headaches. I have 4 IPA servers and 4 clients. This is a test env for evaluation purposes and I want to move to production later on. My problem however is DNS. I'm on RHEL 9.1 and my FreeIPA version is 4.10.0.
[lessfoobar@mserver001p ~]$ ipa dns-update-system-records
IPA DNS records:
_kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
_kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
_kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
_kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
_kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
_kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
_kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
_kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
_kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
_kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
_kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
_kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
_kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
_kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
_kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
_kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
_kerberos.test.domain.com. 3600 IN TXT "TEST.DOMAIN.COM"
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:mserver001p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver002p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:mserver001p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver001p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver002p.test.domain.com."
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver003p.test.domain.com."
_kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 mserver001p.test.domain.com.
_kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver001p.test.domain.com.
_kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver002p.test.domain.com.
_kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver003p.test.domain.com.
_kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 mserver001p.test.domain.com.
_kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver001p.test.domain.com.
_kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver002p.test.domain.com.
_kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver003p.test.domain.com.
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:mserver001p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver002p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:mserver001p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver001p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver002p.test.domain.com."
_kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver003p.test.domain.com."
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 mserver001p.test.domain.com.
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver001p.test.domain.com.
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver002p.test.domain.com.
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver003p.test.domain.com.
ipa-ca.test.domain.com. 3600 IN A 192.168.0.21
[lessfoobar@mserver001p ~]$ sudo ipa dnsconfig-show
[sudo] password for lessfoobar:
---------------------------------
Global DNS configuration is empty
---------------------------------
IPA DNS servers: mserver001p.test.domain.com, rserver001p.test.domain.com, rserver002p.test.domain.com, rserver003p.test.domain.com
[lessfoobar@mserver001p ~]$ sudo ipa dns-server-show
ipa: ERROR: unknown command 'dns-server-show'
[lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show
Server name: mserver001p.test.domain.com
Server name: mserver001p.test.domain.com
SOA mname override: mserver001p.test.domain.com.
Forward policy: none
[lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver001p.test.domain.com
Server name: rserver001p.test.domain.com
SOA mname override: rserver001p.test.domain.com.
Forwarders: 192.168.0.21
Forward policy: first
[lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver003p.test.domain.com
Server name: rserver003p.test.domain.com
SOA mname override: rserver003p.test.domain.com.
Forwarders: 192.168.0.21
Forward policy: first
[lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver002p.test.domain.com
Server name: rserver002p.test.domain.com
SOA mname override: rserver002p.test.domain.com.
Forwarders: 192.168.0.21
Forward policy: first
[lessfoobar@mserver001p ~]$ sudo ipa dnsrecord-show int.domain.com
Record name: rserver001p
Record name: rserver001p
A record: 192.168.0.22
SSHFP record: REDACTED
[lessfoobar@mserver001p ~]$ host 192.168.0.22
Host 22.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
[lessfoobar@mserver001p ~]$ host rserver001p.test.domain.com
Host rserver001p.test.domain.com not found: 2(SERVFAIL)
I'd be more than appreciative if someone lets me know what I'm doing wrong.
PS: something else that I've noticed is that SELinux is complaining because of ns-slapd.
SELinux access control errors
SELinux is preventing /usr/bin/pk12util from getattr access on the sock_file /run/pcscd/pcscd.comm. 96
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /var/crash. 8
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/fuse/connections. 22
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/config. 22
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /boot/efi. 22
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/pstore. 22
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/firmware/efi/efivars. 22
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/bpf. 22
SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/tracing. 22
SELinux is preventing /usr/bin/qemu-ga from read access on the directory /var/crash. 18
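A small consistency check over the two outputs quoted in the post, added here as an illustration and not code from the original post or from FreeIPA. It parses `ipa dns-update-system-records` and `ipa dnsserver-show` text (one record per line, as the CLI prints on a wide terminal; the samples below are constructed, trimmed copies), flags any SRV/URI target that is not one of the listed IPA DNS servers, and flags any per-server forwarder whose address is itself an A record in the IPA zone (here 192.168.0.21, the ipa-ca address) so that it can be reviewed together with the master's "Forward policy: none".

```python
# Constructed samples, trimmed from the outputs quoted in the post above.
RECORDS = """\
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 mserver001p.test.domain.com.
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver001p.test.domain.com.
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com."
ipa-ca.test.domain.com. 3600 IN A 192.168.0.21
"""
DNSSERVERS = """\
Server name: mserver001p.test.domain.com
Forward policy: none
Server name: rserver001p.test.domain.com
Forwarders: 192.168.0.21
Forward policy: first
"""

def parse_records(text):
    # Each line is "owner TTL IN TYPE rdata..."; keep (owner, type, rdata tokens).
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            out.append((parts[0], parts[3], parts[4:]))
    return out

def parse_dnsservers(text):
    # Group "ipa dnsserver-show" output into {server: {"policy", "forwarders"}}.
    servers, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Server name":
            cur = servers.setdefault(val, {"policy": None, "forwarders": []})
        elif cur is not None and key == "Forward policy":
            cur["policy"] = val
        elif cur is not None and key == "Forwarders":
            cur["forwarders"] += [f.strip() for f in val.split(",")]
    return servers

def audit(records, servers):
    # Returns a list of findings; an empty list means both checks passed.
    findings = []
    ipa_addrs = {rd[0]: owner for owner, rt, rd in records if rt == "A"}
    for owner, rrtype, rdata in records:
        if rrtype == "SRV":
            target = rdata[-1]                                   # last field is the host
        elif rrtype == "URI":
            target = rdata[-1].strip('"').rsplit(":", 1)[-1]     # "krb5srv:m:tcp:<host>"
        else:
            continue
        if target.rstrip(".") not in servers:
            findings.append(f"{owner} {rrtype} points at {target}, not an IPA DNS server")
    for name, cfg in servers.items():
        for fwd in cfg["forwarders"]:
            if fwd in ipa_addrs:   # forwarder is an address the IPA zone itself serves
                findings.append(f"{name}: forwarder {fwd} is {ipa_addrs[fwd]} (inside IPA DNS)")
    return findings
```

Run against the real outputs by pasting them in place of the two sample strings; a forwarder finding is worth checking against the global forwarders in `ipa dnsconfig-show`, which is empty in this post.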