Hi,

you can log the debug messages from bind and check if they provide any additional hint.

sed -i "s/severity info;/severity debug;/" /etc/named/ipa-logging-ext.conf
systemctl restart named

Then perform a dig query outside the ipa domain and check the logs in /var/named/data/*log.

HTH,
flo

On Thu, Nov 24, 2022 at 11:12 AM Rob Verduijn <rob.verduijn@gmail.com> wrote:
Hello, dnssec validation was already off.
And it still fails.

Rob

On Thu, Nov 24, 2022 at 08:49 Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,
I wonder if you're hitting Bug 1999321 - DNS often stops resolving properly after FreeIPA server upgrade to Fedora 35 or 36

The workaround would be to disable dnssec validation. Edit /etc/named/ipa-options-ext.conf or /etc/named.conf (depending on your version) and replace
dnssec-validation yes
with
dnssec-validation no

Then restart named.

HTH,
flo

On Tue, Nov 22, 2022 at 3:59 PM Rob Verduijn via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,

I've found an issue with my ipa dns setup.

All local dns queries work fine.
However queries outside my ipa domain fail most of the time.

I found this error in the logs:
managed-keys-zone: Unable to fetch DNSKEY set '.': timed out

I think that this causes my problems with external dns.

Anybody who knows how to deal with this?
Rob