Sorry no errors in the logs even with the debug setting.
I think we are not really looking for the right thing. Let me try to describe the problem again.
When I configure my ipa server to use a global forwarder (8.8.8.8 or 8.8.4.4), I can do a dig and I get a list of the root DNS servers.
When I remove the global forwarder, I can still do the dig, but I get no root server list.
dig

; <<>> DiG 9.11.36-RedHat-9.11.36-5.el8_7.2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5e719fe62224931a23c9f9c63812c875a0a53b97e2e11de (good)
;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 111 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 21:58:47 CET 2022
;; MSG SIZE  rcvd: 56

< nothing after the previous line except a bash prompt >
There should be a list of root DNS servers. Local DNS domain resolving works fine. There is no firewall blocking this. (Global forwarder 8.8.8.8 works fine.)
Really weird. Rob
On Fri 25 Nov 2022 at 16:30, Florence Blanc-Renaud flo@redhat.com wrote:
Hi,
you can log the debug messages from bind and check if they provide any additional hint.
sed -i "s/severity info;/severity debug;/" /etc/named/ipa-logging-ext.conf
systemctl restart named
Then perform a dig query outside the ipa domain and check the logs in /var/named/data/*log.
HTH, flo
On Thu, Nov 24, 2022 at 11:12 AM Rob Verduijn rob.verduijn@gmail.com wrote:
Hello, DNSSEC validation was already off, and it still fails.
Rob
On Thu 24 Nov 2022 at 08:49, Florence Blanc-Renaud flo@redhat.com wrote:
Hi, I wonder if you're hitting *Bug 1999321* https://bugzilla.redhat.com/show_bug.cgi?id=1999321 - DNS often stops resolving properly after FreeIPA server upgrade to Fedora 35 or 36
The workaround would be to disable dnssec validation. Edit /etc/named/ipa-options-ext.conf or /etc/named.conf (depending on your version) and replace dnssec-validation yes with dnssec-validation no
Then restart named.
HTH, flo
On Tue, Nov 22, 2022 at 3:59 PM Rob Verduijn via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hello,
I've found an issue with my ipa dns setup.
All local DNS queries work fine. However, queries outside my ipa domain fail most of the time.
I found this error in the logs: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
I think that this causes my problems with external dns.
Anybody who knows how to deal with this? Rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
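A small diagnostic helper for the symptoms in this thread, added here as an example; it is not code from the thread or from FreeIPA. It turns captured dig output (the SERVFAIL answer Rob quoted) into a verdict, counts the managed-keys DNSKEY timeouts in named log text (the message from the first mail), and reads the dnssec-validation setting out of a named options fragment (the toggle Flo suggested). All sample inputs are constructed to mirror the thread. Only the `--live` mode touches the network: it assumes dig is installed, named is listening on 127.0.0.1, and the host has a route to a.root-servers.net (198.41.0.4).

```shell
#!/bin/sh
# Added diagnostic helper for the root-NS failure discussed in the thread.
# Not from the thread or from FreeIPA. Sample inputs below are constructed
# to mirror the quoted dig output, named log line and options fragment.

# dig_status: print the RCODE ("status:") from dig output read on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_answer_count: print the ANSWER count from the dig flags line on stdin.
dig_answer_count() {
    sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# root_ns_verdict: classify a "dig . NS" result read on stdin:
#   ok        NOERROR with at least one NS record (root list returned)
#   servfail  the resolver gave up, as in the output quoted in the thread
#   empty     NOERROR but no answers
root_ns_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    answers=$(printf '%s\n' "$out" | dig_answer_count)
    if [ "$status" = "SERVFAIL" ]; then
        echo servfail
    elif [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]; then
        echo ok
    elif [ "$status" = "NOERROR" ]; then
        echo empty
    else
        echo "other:${status:-none}"
    fi
}

# named_dnskey_timeouts: count managed-keys DNSKEY fetch timeouts in named
# log text on stdin (the message Rob found under /var/named/data).
named_dnskey_timeouts() {
    grep -c 'managed-keys-zone: Unable to fetch DNSKEY set' || true
}

# dnssec_validation_setting: print the value of dnssec-validation from a
# named options fragment on stdin (empty if the directive is absent).
dnssec_validation_setting() {
    sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\);.*/\1/p' | head -n 1
}

# Constructed samples (not captured from a real system).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27'
SAMPLE_LOG=$(cat <<'EOF'
25-Nov-2022 21:50:01.100 general: info: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
25-Nov-2022 21:55:01.100 general: info: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
25-Nov-2022 21:58:47.200 resolver: info: resolving ./NS: timed out
EOF
)
SAMPLE_OPTIONS='options {
    dnssec-validation yes;
};'

# --live: ask named on 127.0.0.1 for the root NS set, then ask a root server
# directly with recursion off. SERVFAIL locally but "ok" directly means the
# resolver's own recursion/validation path is failing, not the network path
# to the roots.
live_check() {
    printf 'local resolver: %s\n' "$(dig @127.0.0.1 . NS | root_ns_verdict)"
    printf 'a.root-servers.net direct: %s\n' \
        "$(dig @198.41.0.4 . NS +norecurse | root_ns_verdict)"
}

case "${1:-}" in
    --live) live_check ;;
    *) printf 'quoted dig output: %s\n' "$(printf '%s\n' "$SAMPLE_SERVFAIL" | root_ns_verdict)" ;;
esac
```

Run it with no arguments to see the verdict on the quoted output, or with `--live` on the IPA server to compare the local resolver against a root server reached directly; a "servfail" locally next to "ok" directly points at named's recursion or trust-anchor handling rather than at a firewall.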