Sorry no errors in the logs even with the debug setting.

I think we are not really looking for the right thing.
Let me try to describe the problem again.

When I configure my ipa server to use a global forwarder (8.8.8.8 or 8.8.4.4)
I can do a dig and I get a list of the root dns servers.

When I remove the global forwarder, I can still do the dig but I get no root server list.

dig

; <<>> DiG 9.11.36-RedHat-9.11.36-5.el8_7.2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5e719fe62224931a23c9f9c63812c875a0a53b97e2e11de (good)
;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 111 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 21:58:47 CET 2022
;; MSG SIZE  rcvd: 56
< nothing after the previous line except a bash prompt >

There should be a list of root dns servers.
Local dns domain resolving works fine.
There is no firewall blocking this. (global forwarder 8.8.8.8 works fine)

Really weird.
Rob
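The dig output above is the thing to read carefully: status SERVFAIL with ANSWER: 0 means the local named gave up on the query itself, which is different from a reply that simply has no records. The script below is an added example (not from the thread or from FreeIPA) that pulls the RCODE and answer count out of dig output so the two cases can be told apart, and reads the dnssec-validation setting out of a named options snippet like the one flo mentioned. The sample dig responses and the options snippet are constructed for the example; the SERVFAIL one mirrors the output quoted above. The function names and the 127.0.0.1 resolver address are assumptions.

```shell
#!/bin/sh
# Added example: classify a dig response and read the named dnssec-validation option.
# Nothing here is FreeIPA or BIND code; the helpers and sample data are constructed.

# Print the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from the ";; ->>HEADER<<-" line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\), id: .*/\1/p'
}

# Print the ANSWER count from the ";; flags:" line.
dig_answer_count() {
    sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

# Succeed only if the resolver answered NOERROR with at least one record,
# which is what a working ". NS" query (the root server list) looks like.
# SERVFAIL with zero answers means the resolver itself failed, e.g. it could
# not reach or validate the root, and is the pattern seen in the thread.
check_root_ns() {
    response="$1"
    status=$(printf '%s\n' "$response" | dig_status)
    answers=$(printf '%s\n' "$response" | dig_answer_count)
    [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]
}

# Print the value of "dnssec-validation" from a named options snippet on stdin
# (/etc/named/ipa-options-ext.conf or /etc/named.conf, depending on version).
dnssec_validation_setting() {
    sed -n 's/^[[:space:]]*dnssec-validation[[:space:]][[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p'
}

# Live variant (assumes dig is installed); not called at top level so the
# script still runs offline.
live_root_ns_check() {
    check_root_ns "$(dig . NS @127.0.0.1)"
}

# Constructed sample: the failing response, trimmed to the lines that matter.
SAMPLE_SERVFAIL='; <<>> DiG 9.11.36-RedHat-9.11.36-5.el8_7.2 <<>>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;.                              IN      NS'

# Constructed sample: what a healthy resolver returns for the same query.
SAMPLE_NOERROR='; <<>> DiG 9.11.36 <<>> . NS @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.'

# Constructed sample options snippet with validation still enabled.
SAMPLE_OPTIONS='options {
        dnssec-validation yes;
};'

for sample in "$SAMPLE_SERVFAIL" "$SAMPLE_NOERROR"; do
    if check_root_ns "$sample"; then
        echo "root NS query OK"
    else
        echo "root NS query failed: status=$(printf '%s\n' "$sample" | dig_status)" \
             "answers=$(printf '%s\n' "$sample" | dig_answer_count)"
    fi
done
echo "dnssec-validation is: $(printf '%s\n' "$SAMPLE_OPTIONS" | dnssec_validation_setting)"
```

On a real server, `live_root_ns_check && echo ok` runs the same classification against the local named; pair it with a query through the global forwarder (`dig . NS @8.8.8.8`) to confirm, as Rob did, that the path out of the box works and the failure is in the local resolver's own recursion.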

On Fri 25 Nov 2022 at 16:30 Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,

You can log the debug messages from bind and check if they provide any additional hint.

sed -i "s/severity info;/severity debug;/" /etc/named/ipa-logging-ext.conf
systemctl restart named

Then perform a dig query outside the ipa domain and check the logs in /var/named/data/*log.

HTH,
flo

On Thu, Nov 24, 2022 at 11:12 AM Rob Verduijn <rob.verduijn@gmail.com> wrote:
Hello, dnssec validation was already off.
And it still fails.

Rob

On Thu 24 Nov 2022 at 08:49 Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,
I wonder if you're hitting Bug 1999321 - DNS often stops resolving properly after FreeIPA server upgrade to Fedora 35 or 36

The workaround would be to disable dnssec validation. Edit /etc/named/ipa-options-ext.conf or /etc/named.conf (depending on your version) and replace
dnssec-validation yes
with
dnssec-validation no

Then restart named.

HTH,
flo

On Tue, Nov 22, 2022 at 3:59 PM Rob Verduijn via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,

I've found an issue with my ipa dns setup.

All local dns queries work fine.
However, queries outside my ipa domain fail most of the time.

I found this error in the logs:
managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

I think that this causes my problems with external dns.

Anybody who knows how to deal with this?
Rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue