I tried running "ipa-dns-install" again, and it failed with this:
# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.
This includes:
* Configure DNS (bind)
* Configure SoftHSM (required by DNSSEC)
* Configure ipa-dnskeysyncd (required by DNSSEC)
NOTE: DNSSEC zone signing is not enabled by default
To accept the default shown in brackets, press the Enter key.
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.254.2
Do you want to configure these servers as DNS forwarders? [yes]: no
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.254.2
DNS forwarder 192.168.254.2 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 192.168.254.10
DNS forwarder 192.168.254.10 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring DNS (named)
[1/8]: generating rndc key file
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up kerberos principal
[5/8]: setting up named.conf
[6/8]: setting up server configuration
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa1.sj.bps. 1 failed: All nameservers failed to answer the query ipa1.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name ipa1.sj.bps. to IP address, ipa-ca DNS record will be incomplete
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for ipa2.sj.bps. 1 failed: All nameservers failed to answer the query ipa2.sj.bps. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name ipa2.sj.bps. to IP address, ipa-ca DNS record will be incomplete
==============================================================================
Setup complete
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
You must make sure these network ports are open:
TCP Ports:
* 53: bind
UDP Ports:
* 53: bind
I checked to see if it could be a firewall issue:
[root@ipa2 ~]# iptables --list -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The DNS server resolves external names:
[root@ipa2 ~]# dig @localhost google.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 142.250.188.238
;; Query time: 52 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Aug 30 18:31:15 EDT 2022
;; MSG SIZE rcvd: 55
But not the sj.bps domain:
[root@ipa2 ~]# dig @localhost ipa1.sj.bps
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @localhost ipa1.sj.bps
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7731
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa1.sj.bps. IN A
;; Query time: 6 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Aug 30 18:31:58 EDT 2022
;; MSG SIZE rcvd: 40
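The three checks above (external name via localhost, the IPA zone via localhost, a host in that zone) can be scripted so the RCODE pattern is read off directly. This is an added example, not code from the post or from FreeIPA; it assumes the server is 127.0.0.1 and uses the names from the post, and the interpretation strings are the usual reading of those RCODEs (stdlib only, so it also runs where dnspython is absent).

```python
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE = {"A": 1, "SOA": 6}


def build_query(name, qtype="A", txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def parse_rcode(resp):
    """Return (txid, rcode name, answer count) from a raw DNS response."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0xF
    return txid, RCODES.get(rcode, "RCODE%d" % rcode), ancount


def query(server, name, qtype="A", timeout=3.0):
    """Send one UDP query and return (rcode name, answer count)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        resp, _ = s.recvfrom(4096)
    rid, rcode, ancount = parse_rcode(resp)
    if rid != txid:
        raise ValueError("transaction id mismatch")  # discard unrelated reply
    return rcode, ancount


def triage(external, zone_soa, host_a, host_answers=1):
    """Map the three RCODEs to the usual reading (my interpretation)."""
    if external != "NOERROR":
        return "recursion-broken"      # named itself or forwarders not working
    if zone_soa == "SERVFAIL":
        return "zone-not-served"       # named is up but cannot serve its zone
    if zone_soa in ("NXDOMAIN", "REFUSED"):
        return "zone-not-configured"   # named does not know the zone at all
    if host_a != "NOERROR" or host_answers == 0:
        return "record-missing"        # zone loads, host record absent
    return "ok"


if __name__ == "__main__":
    ext, _ = query("127.0.0.1", "google.com")
    soa, _ = query("127.0.0.1", "sj.bps", "SOA")
    a, n = query("127.0.0.1", "ipa1.sj.bps")
    print(ext, soa, a, n, "->", triage(ext, soa, a, n))
```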