I'm having an issue delegating a subdomain. My domain is cloud.chx and I ran the following.
ipa dnsrecord-add cloud.chx dc1.ad --a-rec=192.168.1.253
ipa dnsrecord-add 1.168.192.in-addr.arpa. 253 --ptr-rec=dc1.ad.cloud.chx.
ipa dnsrecord-add cloud.chx ad --ns-rec=dc1.ad.cloud.chx.
I checked and it's in the config
[root@ipa1 ~]# dig axfr cloud.chx | grep ad
ad.cloud.chx.           86400   IN      NS      dc1.ad.cloud.chx.
dc1.ad.cloud.chx.       86400   IN      A       192.168.1.253
But when I query, it doesn't return what I expected.
[root@ipa1 ~]# dig dc1.ad.cloud.chx NS
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx.              IN      NS

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 30 15:48:03 PDT 2020
;; MSG SIZE  rcvd: 45
The other DNS server is up and running.
[root@ipa1 ~]# dig @192.168.1.253 dc1.ad.cloud.chx
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @192.168.1.253 dc1.ad.cloud.chx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dc1.ad.cloud.chx.              IN      A

;; ANSWER SECTION:
dc1.ad.cloud.chx.       3600    IN      A       192.168.1.253

;; Query time: 1 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Thu Jul 30 15:59:21 PDT 2020
;; MSG SIZE  rcvd: 61
It is worth noting that adding +norec works.
[root@ipa1 ~]# dig dc1.ad.cloud.chx NS +norec
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx NS +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx.              IN      NS

;; AUTHORITY SECTION:
ad.cloud.chx.           86400   IN      NS      dc1.ad.cloud.chx.

;; ADDITIONAL SECTION:
dc1.ad.cloud.chx.       86400   IN      A       192.168.1.253

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 30 15:59:39 PDT 2020
;; MSG SIZE  rcvd: 75
Is there anything I'm missing?
---
Christian Hernandez, RHCE
Principal Technical Marketing Manager - Cloud Platforms
Red Hat, Inc https://www.redhat.com/
christian@redhat.com
Mobile: 626.502.8310
Slack: chernand
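The three dig runs above differ only in their header lines, and reading those lines is how one tells a referral from a recursive NXDOMAIN from an authoritative answer. As an added example, not part of this thread or of FreeIPA/BIND, the following Python script parses the ";; ->>HEADER<<-" and ";; flags:" lines that dig prints and names the response shape. The sample header text is copied from the outputs quoted above; the category names and the interpretation rules are this script's own assumptions.

```python
"""Classify dig responses by their header lines.

Added example; not from the thread or from FreeIPA/BIND. It parses the
';; ->>HEADER<<-' and ';; flags:' lines that dig prints and names the kind
of response the server returned. The sample headers below are copied from
the dig runs quoted in the thread; the category names are this script's own.
"""
import re

HEADER_RE = re.compile(
    r"->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)"
)
FLAGS_RE = re.compile(
    r"flags: (?P<flags>[a-z ]*); QUERY: (?P<q>\d+), ANSWER: (?P<an>\d+), "
    r"AUTHORITY: (?P<au>\d+), ADDITIONAL: (?P<ad>\d+)"
)

# Header lines copied from the thread's dig output.
RECURSIVE_NXDOMAIN = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIRECT_TO_DC1 = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
NOREC_FROM_IPA1 = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36273
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
"""


def parse_dig_header(text):
    """Return status, flag set and section counts from one dig output."""
    h = HEADER_RE.search(text)
    f = FLAGS_RE.search(text)
    if h is None or f is None:
        raise ValueError("no dig header found in input")
    return {
        "status": h.group("status"),
        "flags": set(f.group("flags").split()),
        "answer": int(f.group("an")),
        "authority": int(f.group("au")),
        "additional": int(f.group("ad")),
    }


def classify(text):
    """Name the response shape from the header alone.

    authoritative answer : aa set, NOERROR, non-empty ANSWER (the server
                           owns the zone, as dc1 does for ad.cloud.chx)
    referral             : NOERROR, aa clear, empty ANSWER, NS in AUTHORITY
                           (what a parent hands back for a delegated name
                           when recursion is not requested, i.e. +norec)
    nxdomain (...)       : NXDOMAIN, noting whether recursion was asked for
                           (rd) and offered (ra); AUTHORITY 0 means no SOA
                           came back, which an authoritative negative
                           answer normally carries (RFC 2308)
    """
    r = parse_dig_header(text)
    if r["status"] == "NXDOMAIN":
        mode = "recursive" if {"rd", "ra"} <= r["flags"] else "non-recursive"
        return f"nxdomain ({mode} lookup, authority={r['authority']})"
    if r["status"] == "NOERROR":
        if "aa" in r["flags"] and r["answer"] > 0:
            return "authoritative answer"
        if "aa" not in r["flags"] and r["answer"] == 0 and r["authority"] > 0:
            return "referral"
        if r["answer"] > 0:
            return "answer via recursion or cache"
    return f"other ({r['status']})"


def classify_thread_samples():
    """Classify the three responses quoted in the thread."""
    return {
        "dig dc1.ad.cloud.chx NS": classify(RECURSIVE_NXDOMAIN),
        "dig @192.168.1.253 dc1.ad.cloud.chx": classify(DIRECT_TO_DC1),
        "dig dc1.ad.cloud.chx NS +norec": classify(NOREC_FROM_IPA1),
    }


if __name__ == "__main__":
    for query, kind in classify_thread_samples().items():
        print(f"{query:40s} -> {kind}")
```

Run against the thread's outputs, the +norec query is classified as a referral (the parent zone on ipa1 hands back the NS for ad.cloud.chx plus glue), the direct query to 192.168.1.253 as an authoritative answer, and the plain recursive query as an NXDOMAIN with an empty AUTHORITY section. The script only reads the header; it does not say why the recursive lookup failed.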
On 7/31/20 1:03 AM, Christian Hernandez via FreeIPA-users wrote:
Hi,
my question may sound stupid but is there an A record for dc1.ad.cloud.chx in the DNS server dc1?
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Fri, Jul 31, 2020 at 1:52 AM Florence Blanc-Renaud flo@redhat.com wrote:
> Hi,
> my question may sound stupid but is there an A record for dc1.ad.cloud.chx in the DNS server dc1?

Yes there is (the IP is the IP of dc1.ad.cloud.chx)

[root@ipa1 ~]# dig @192.168.1.253 dc1.ad.cloud.chx +short
192.168.1.253
On 31.07.2020 2:03, Christian Hernandez via FreeIPA-users wrote:
Do you have the validating resolver (DNSSEC-aware recursive server) listening on 127.0.0.1#53? And if yes, then do you have DS RRs in the parent zone for the delegated one?

https://www.isc.org/dnssec/
https://downloads.isc.org/isc/dnssec-guide/dnssec-guide.pdf
On Fri, Jul 31, 2020 at 5:49 AM Stanislav Levin via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Do you have the validating resolver (DNSSEC-aware recursive server) listening on 127.0.0.1#53? And if yes, then do you have DS RRs in the parent zone for the delegated one?
I see no DNSSEC error in my logs. Just some errors when I ran ipactl restart a few times...
[root@ipa1 ~]# egrep -i 'error|dc1' /var/named/data/named.run
29-Jul-2020 12:45:24.569 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 14:04:22.667 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 15:12:33.778 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 15:15:35.740 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 15:17:22.125 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 17:54:19.335 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 17:55:00.649 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
30-Jul-2020 18:37:27.418 LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
I do see these, but I don't think they're related.
[root@ipa1 ~]# grep 192.168.1.253 /var/named/data/named.run
30-Jul-2020 14:34:00.480 client @0x7f2cd81cada0 192.168.1.253#59899: update 'cloud.chx/IN' denied
30-Jul-2020 14:34:00.702 client @0x7f2cb030acc0 192.168.1.253#50606: update 'cloud.chx/IN' denied
30-Jul-2020 14:37:18.666 client @0x7f2cd80559a0 192.168.1.253#62071: update 'cloud.chx/IN' denied
30-Jul-2020 14:37:41.334 client @0x7f2cb030acc0 192.168.1.253#58363: update 'cloud.chx/IN' denied
30-Jul-2020 15:38:49.112 client @0x7ff2741cada0 192.168.1.253#49900: update '1.168.192.in-addr.arpa/IN' denied
30-Jul-2020 20:13:16.706 client @0x7f64f044a9a0 192.168.1.253#51960: update '1.168.192.in-addr.arpa/IN' den
The error I'm getting is NXDOMAIN
[root@ipa1 ~]# dig @localhost dc1.ad.cloud.chx
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @localhost dc1.ad.cloud.chx
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx.              IN      A

;; Query time: 17 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jul 31 07:05:40 PDT 2020
;; MSG SIZE  rcvd: 45
The glue records are in
[root@ipa1 ~]# dig @localhost AXFR cloud.chx | grep dc1
ad.cloud.chx.           86400   IN      NS      dc1.ad.cloud.chx.
dc1.ad.cloud.chx.       86400   IN      A       192.168.1.253
I believe what you're seeing is normal behavior. If you ran that query against a TLD you'd get the NS servers of the TLD in the answer section but I don't believe it works that way when delegating subdomains.
I just tested in my environment and when I query an A record in the delegated subdomain the proper NS records appear in the authority section, but I do not get a response querying for NS records directly against a delegated subdomain.
On Sun, Aug 2, 2020 at 6:43 PM John Petrini jpetrini@coredial.com wrote:
Shouldn't my TLD tell the client where to get that record though?
In my case I have cloud.chx and I delegated ad.cloud.chx to my Windows DNS server.
When a query comes to the NS of cloud.chx it should get that answer from the NS of ad.cloud.chx, right? There's something I must be missing on the IPA side, because when I try this setting in a BIND-to-BIND setup it works as expected.
[root@ns1 ~]# dig test.ad.example.com
; <<>> DiG 9.11.21-RedHat-9.11.21-1.fc32 <<>> test.ad.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bcf0f0a951a4c7fc9bac74fd5f29c35a5305f69d279f3827 (good)
;; QUESTION SECTION:
;test.ad.example.com.           IN      A

;; ANSWER SECTION:
test.ad.example.com.    604628  IN      A       172.16.1.101

;; AUTHORITY SECTION:
ad.example.com.         604800  IN      NS      dc1.ad.example.com.

;; ADDITIONAL SECTION:
dc1.ad.example.com.     604358  IN      A       172.16.1.206

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 04 13:21:46 PDT 2020
;; MSG SIZE  rcvd: 126
On my IPA server, this setup (this is the live setup) isn't working...
[root@ipa1 ~]# dig dc1.ad.cloud.chx
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> dc1.ad.cloud.chx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64904
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.ad.cloud.chx.              IN      A

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 04 13:24:16 PDT 2020
;; MSG SIZE  rcvd: 45

[root@ipa1 ~]# dig cloud.chx AXFR | grep dc1
ad.cloud.chx.           86400   IN      NS      dc1.ad.cloud.chx.
dc1.ad.cloud.chx.       86400   IN      A       192.168.1.253
I think I see it now. The A record that your NS record points to should be a record within the cloud.chx domain, not the ad.cloud.chx subdomain.
So you could do something like this:
ad-ns1.cloud.chx.       86400   IN      A       192.168.1.253
ad.cloud.chx.           86400   IN      NS      ad-ns1.cloud.chx.
Then if you query an A record in the subdomain (e.g. test.ad.cloud.chx) you should see the NS record in the authority section.
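The two layouts discussed in this thread, the original NS target dc1.ad.cloud.chx inside the delegated zone (which needs a glue A record in cloud.chx, and the AXFR output shows one) and the suggested ad-ns1.cloud.chx inside the parent zone, differ in what the parent must carry for a referral to be usable. As an added example, not part of this thread and not FreeIPA or BIND code, the following Python script models the parent zone's records as they appear in the AXFR output and reports, for each NS target at the delegation point, whether it is in-bailiwick and whether its address record is present; it also flags records below the delegation point that a delegation occludes. The record sets are constructed from the thread (the third one is a deliberately broken case); the script checks the record layout only and does not diagnose why the recursive lookup in the thread returned NXDOMAIN.

```python
"""Lint a subdomain delegation held in a parent zone.

Added example; not from the thread, FreeIPA or BIND. Zone names, addresses
and the three record sets are constructed from the thread's discussion.
"""
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")


def _norm(name):
    """Lower-case a name and drop the trailing dot so comparisons are uniform."""
    return name.rstrip(".").lower()


def is_subdomain(name, zone):
    """True if name is zone itself or lies anywhere under it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_zone, child_zone, records):
    """Return (ok, findings) for child_zone delegated from parent_zone.

    records are the RRs the parent zone holds. For each NS at the child apex:
      - target under child_zone (in-bailiwick): the parent must carry a glue
        A/AAAA for it, otherwise a resolver following the referral has no
        address to contact
      - target elsewhere inside parent_zone: the parent must hold its A/AAAA
        as an ordinary record
      - target outside parent_zone: resolved independently; nothing to check
    Any other record at or below the child apex is occluded by the delegation
    and is reported as a warning (it does not change ok).
    """
    findings = []
    child = _norm(child_zone)
    ns_targets = [_norm(r.rdata) for r in records
                  if r.rtype == "NS" and _norm(r.name) == child]
    if not ns_targets:
        return False, [f"no NS records for {child} in {_norm(parent_zone)}"]

    addr = {(_norm(r.name), r.rtype) for r in records if r.rtype in ("A", "AAAA")}
    ok = True
    for ns in ns_targets:
        has_addr = (ns, "A") in addr or (ns, "AAAA") in addr
        if is_subdomain(ns, child):
            if has_addr:
                findings.append(f"{ns}: in-bailiwick NS, glue present")
            else:
                ok = False
                findings.append(f"{ns}: in-bailiwick NS, glue MISSING")
        elif is_subdomain(ns, parent_zone):
            if has_addr:
                findings.append(f"{ns}: NS in parent zone, address record present")
            else:
                ok = False
                findings.append(f"{ns}: NS in parent zone, address record MISSING")
        else:
            findings.append(f"{ns}: NS outside {_norm(parent_zone)}, resolved externally")

    glue_names = {ns for ns in ns_targets if is_subdomain(ns, child)}
    for r in records:
        n = _norm(r.name)
        if not is_subdomain(n, child):
            continue
        at_apex = n == child and r.rtype in ("NS", "DS")
        is_glue = n in glue_names and r.rtype in ("A", "AAAA")
        if not (at_apex or is_glue):
            findings.append(f"{n} {r.rtype}: below the delegation point, occluded")
    return ok, findings


# Constructed from the thread: cloud.chx after the ipa dnsrecord-add commands.
THREAD_RECORDS = [
    RR("ad.cloud.chx.", "NS", "dc1.ad.cloud.chx."),
    RR("dc1.ad.cloud.chx.", "A", "192.168.1.253"),
]
# The layout suggested later in the thread: nameserver named in the parent zone.
SUGGESTED_RECORDS = [
    RR("ad-ns1.cloud.chx.", "A", "192.168.1.253"),
    RR("ad.cloud.chx.", "NS", "ad-ns1.cloud.chx."),
]
# Constructed failure case: in-bailiwick NS with no glue, plus an occluded host.
BROKEN_RECORDS = [
    RR("ad.cloud.chx.", "NS", "dc1.ad.cloud.chx."),
    RR("test.ad.cloud.chx.", "A", "192.168.1.10"),
]

if __name__ == "__main__":
    for label, recs in (("thread", THREAD_RECORDS), ("suggested", SUGGESTED_RECORDS),
                        ("broken", BROKEN_RECORDS)):
        ok, notes = check_delegation("cloud.chx", "ad.cloud.chx", recs)
        print(f"{label}: {'OK' if ok else 'PROBLEM'}")
        for note in notes:
            print("  -", note)
```

Both the thread's layout and the suggested one pass this check, since each NS target has an address record in the parent; the difference is only that the first relies on glue. The broken set shows what a missing glue record and an occluded host look like in the output.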