TL;Dr:  Freeipa's DNS (especially with dnssec enabled) can appear to be 

working well and pass accuracy tests, yet generate failures depending on 

the client's dns provider's response timeout settings.  You can tell 

whether you're as 'online as you think you are' using this tool:  

https://dnschecker.org/

Freeipa's dns response latency times are near the timeout/give-up bubble 

of some of the world largest public / semi-public DNS resolvers.  When 

'over time', these large companies report the freeipa web sites & 

related services do not exist.  DNS resolvers in use by those 'near to' 

the host generally have better timing generally and so give the 

appearance of working.

Without DNSSEC enabled, the packet sizes and processing requirements are 

less, so most services on the same continent as the host operate as 

expected.  Enabling DNSSec adds enough so that even the 'more local' dns 

resolvers time out/report error -- and without notice to the freeipa 

hosting organization.   Cloudflare and Google in North America 'worked' 

without dnssec in my case, but failed more often than it worked with 

DNSSEC enabled.

I think the problem is the latency involved in the orchestration between 

bind9 and dirsrv/ldap.  Work arounds include "throwing faster computers 

at it" and/or pointing internet NS records at slave resolvers that don't 

depend on interprocess communications.

Hope this helps other folks.

Harry Coin

_______________________________________________

FreeIPA-users mailing list -- 

freeipa-users@lists.fedorahosted.org

To unsubscribe send an email to 

freeipa-users-leave@lists.fedorahosted.org

Fedora Code of Conduct: 

https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: 

https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: 

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it: 

https://pagure.io/fedora-infrastructure