On Mon, 18 May 2020, Vinícius Ferrão via FreeIPA-users wrote:
On 18 May 2020, at 01:57, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 18 May 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hello,
This may sound like a noobish question, but how can I make DNSSEC play nicely when the
external domain has DNSSEC enabled and this makes internal zones fail when creating an
AD trust, since we are using subdomains for our LAN?
Our case:
example.com (External DNS name with DNSSEC enabled)
win.example.com (Active Directory Zone)
nix.example.com (FreeIPA Zone)
Even with the correct conditional forwarders set up in Windows DNS and FreeIPA DNS, DNSSEC
kicks in and fails resolutions.
_Must_ I disable DNSSEC? Is there another way?
There are 'dnssec-validation' and 'dnssec-enable' options in
/etc/named.conf. If you don't have DNSSEC configured and don't want to
validate DNSSEC, turn them to 'no'.
Thanks, Alexander, but that’s the question haha.
I don’t want to disable DNSSEC, but I can’t find a way to make it work. The problem in my
domain is that the external DNS name is on CloudFlare Free Tier, so I don’t have the
private keys.
Is it okay to just sign the internal zones with a new key? This makes no sense to me, and
should not work, if I understand DNSSEC correctly.
The only way to keep the external DNSSEC working, in my case, is disabling DNSSEC on IPA
and AD, am I correct?
How does it work for win.example.com already?
In CloudFlare you can add DS keys for child zones, so delegation is
possible.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland