[Freeipa-users] Re: Question regarding DNSSEC + AD Trust

On 18 May 2020, at 01:57, Alexander Bokovoy <abokovoy@redhat.com<mailto:abokovoy@redhat.com>> wrote: On ma, 18 touko 2020, Vinícius Ferrão via FreeIPA-users wrote: Hello, This may sound like a noobish question, but how can I make DNSSEC play nicely when the external domain have DNSSEC enabled and this makes internal zones failing when creating an AD trust, since we are using subdomains for our LAN? Our case: example.com<http://example.com> (External DNS name with DNSSEC enabled) win.example.com<http://win.example.com> (Active Directory Zone) nix.example.com<http://nix.example.com> (FreeIPA Zone) Even with the correct conditional forwarders set up in Windows DNS and FreeIPA DNS, DNSSEC kicks in and fail resolutions. I _MUST_ disable DNSSEC? There’s another way? There are 'dnssec-validation' and 'dnssec-enable' options in /etc/named.conf. If you don't have DNSSEC configured and don't want to validate DNSSEC, turn them to 'no'. Thanks Alexander, but that’s the question haha. I don’t want to disable DNSSEC, but I can’t find a way to make it work. The problem in my domain is that the external DNS name is on CloudFlare Free Tier, so I don’t have the private keys. Is it okay to just sign the internal zones with a new key? This makes no sense for me, and should not work if I do get DNSSEC correctly. The only way to keep the external DNSSEC working, in my case, is disabling DNSSEC on IPA and AD, am I correct?