Hi Florence,
From what I can see it is set up correctly on both the master(s) and replica.
I got the following during `ipa-replica-install`:

```
Search DNS server se-rhidm01x.se.example.com (['10.0.13.139', '10.0.13.139', '10.0.13.139']) for se-rhidm03x.se.example.com
Could not resolve hostname se-rhidm03x.se.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:
```
Which I solved by enabling recursion in the named config on the masters. `ipa-replica-install` now outputs this instead:

```
...
raw: domainlevel_get(version='2.251')
domainlevel_get(version='2.251')
raw: hostgroup_find(None, cn='ipaservers', version='2.251', host=['usidc1-rhidm01x.idc1.us.example.com'])
hostgroup_find(None, cn='ipaservers', all=False, raw=False, version='2.251', no_members=True, pkey_only=False, host=('usidc1-rhidm01x.idc1.us.example.com',))
Lookup failed: Preferred host usidc1-rhidm01x.idc1.us.example.com does not provide DNS.
Check forward/reverse DNS resolution
Search DNS server se-rhidm04x.se.example.com (['10.0.11.190', '10.0.11.190', '10.0.11.190']) for se-rhidm03x.se.example.com
Check reverse address 10.0.13.146 (se-rhidm03x.se.example.com)
Address 10.0.13.146 resolves to: se-rhidm03x.se.example.com..
Search DNS server se-rhidm04x.se.example.com (['10.0.11.190', '10.0.11.190', '10.0.11.190']) for usidc1-rhidm01x.idc1.us.example.com
Check reverse address 192.168.224.21 (usidc1-rhidm01x.idc1.us.example.com)
Address 192.168.224.21 resolves to: usidc1-rhidm01x.idc1.us.example.com..
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
raw: dns_is_enabled(version='2.251')
dns_is_enabled(version='2.251')
Name usidc1-rhidm01x.idc1.us.example.com resolved to {UnsafeIPAddress('192.168.224.21')}
Searching for an interface of IP address: 192.168.224.21
Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
Testing local IP address: 192.168.224.21/255.255.255.128 (interface: eth0)
IP address 192.168.224.21 belongs to a private range, using forward policy only
Checking DNS forwarders, please wait ...
Checking DNS server: 10.0.2.200
DNS server 10.0.2.200 does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 10.0.2.200: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
Checking DNS server: 10.0.2.201
DNS server 10.0.2.201 does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 10.0.2.201: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
Checking DNS server: 10.0.2.202
DNS server 10.0.2.202 does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 10.0.2.202: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
WARNING: DNSSEC validation will be disabled
will use DNS forwarders: [CheckedIPAddressLoopback('10.0.2.200'), CheckedIPAddressLoopback('10.0.2.201'), CheckedIPAddressLoopback('10.0.2.202')]
...
```
-- Markus