Hi,
you can log the debug messages from bind and check if they provide any
additional hint.
sed -i "s/severity info;/severity debug;/" /etc/named/ipa-logging-ext.conf
systemctl restart named
Then perform a dig query outside the ipa domain and check the logs in
/var/named/data/*log.
HTH,
flo
On Thu, Nov 24, 2022 at 11:12 AM Rob Verduijn <rob.verduijn(a)gmail.com>
wrote:
Hello, dnssec validation was already off.
And it still fails.
Rob
On Thu, 24 Nov 2022 at 08:49, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> Hi,
> I wonder if you're hitting *Bug 1999321*
> <https://bugzilla.redhat.com/show_bug.cgi?id=1999321> - DNS often stops
> resolving properly after FreeIPA server upgrade to Fedora 35 or 36
>
> The workaround would be to disable dnssec validation. Edit
> /etc/named/ipa-options-ext.conf or /etc/named.conf (depending on your
> version) and replace
> dnssec-validation yes
> with
> dnssec-validation no
>
> Then restart named.
>
> HTH,
> flo
>
> On Tue, Nov 22, 2022 at 3:59 PM Rob Verduijn via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hello,
>>
>> I've found an issue with my ipa dns setup.
>>
>> all local dns queries work fine.
>> However queries outside my ipa domain fail most of the time.
>>
>> I found this error in the logs:
>> managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
>>
>> I think that this causes my problems with external dns.
>>
>> Anybody who knows how to deal with this ?
>> Rob
>
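
The logging change from the first message, as an added example that is not part of the thread: `sed -i` exits 0 even when nothing matched, so this sketch keeps a backup, fails when the `severity` line is absent, and can be run in reverse to restore `info` once debugging is done. The function name `set_named_severity` is hypothetical; the file path and the restart command are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: switch the named log severity in the file that the message
# edits, keeping a backup and failing loudly when the pattern is absent.

# set_named_severity FILE FROM TO   (hypothetical helper name)
# Returns 0 if the file now contains "severity TO;", 1 if "severity FROM;"
# was not found (file left untouched), 2 on I/O problems.
set_named_severity() {
    conf=$1
    from=$2
    to=$3
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if ! grep -q "severity ${from};" "$conf"; then
        echo "no 'severity ${from};' in $conf, nothing changed" >&2
        return 1
    fi
    # Keep a copy with the original mode and timestamps for rollback.
    cp -p "$conf" "${conf}.bak" || return 2
    sed -i "s/severity ${from};/severity ${to};/" "$conf" || return 2
    # Confirm the edit before named is restarted.
    grep -q "severity ${to};" "$conf"
}

# On the server, with the path from the message:
#   set_named_severity /etc/named/ipa-logging-ext.conf info debug \
#       && systemctl restart named
# After reading /var/named/data/*log, revert to the normal level:
#   set_named_severity /etc/named/ipa-logging-ext.conf debug info \
#       && systemctl restart named
```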