I have two FreeIPA servers, both working as DNS servers for the network. Each IPA server is in the DNS server list, so they serve as "backup" for one another. I had one of the servers' named-pkcs11 fail last night and somehow the second server failed resolving, as it could not reach the first one.
The zone they're hitting has forwarding disabled. I could get internal addresses resolved, but when it came to external ones, the server that was running would not forward out of the network - only to the server that was no longer open.
I'm struggling to see what would cause this dependency. Since the zone definition is the same on both systems, what causes this dependency? Is there a setting I need to look at that's not in the LDAP DB? Each IPA server has a resolv.conf that lists localhost (itself) and the IP address of the other IPA server. So I understand if there's an attempt to reach the other, but if the first IPA server can do a global forward, why can't the other?
I use "forwarding disabled" because it turned out that when there was no external access, "forward first" would fail and hence I would have no DNS just because my ISP decided not to reply - even the internal DNS would fail this way. Forwarding disabled seems to work - and it's my expectation that it simply looks up the NS record directly when it doesn't have a zone that matches. So why does one of the IPA servers not seem to be able to do this?
On 9/6/20 5:48 PM, Peter Larsen via FreeIPA-users wrote:
Hi,
not sure if it addresses your issue, but the forwarders can be defined at various levels:
# ipa dnsconfig-show will display if a global forwarder is set
# ipa dnsserver-show <server_fqdn> will display if a per-server forwarder is set
# ipa dnszone-show <zone> will display if a per-zone forwarder is set
What is your exact configuration and for which zone does the resolution fail?
flo
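To see how the three levels flo lists interact on a two-server setup like Peter's, here is an added example (not from the thread and not FreeIPA's own code). It parses captured output of the three `ipa ... -show` commands and prints the effective forwarder per server, flagging the single point of failure described above: a server whose only forwarder is the other IPA server. Assumptions: the "Label: value" line format of the `ipa *-show` output, and that a per-server forwarder overrides the global one on that server. All hostnames, IP addresses and command output are constructed; to use it for real, replace the heredoc strings with the output of the commands run on each server.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA itself.
# Assumed: ipa *-show prints "Label: value" lines, and a per-server
# forwarder overrides the global one on that server. Every hostname,
# IP address and command output below is constructed.

# Pull one "Label: value" field out of captured ipa *-show output (stdin).
field() { sed -n "s/^[[:space:]]*$1: *//p"; }

# Constructed stand-in for `ipa dnsconfig-show`.
GLOBAL_OUT='  Global forwarders: 192.0.2.53, 192.0.2.54
  Forward policy: first'

# Constructed stand-ins for `ipa dnsserver-show <fqdn>`: ipa2 carries a
# per-server forwarder pointing at ipa1 (10.0.0.11) and nothing else.
server_out() {
    case "$1" in
        ipa1.example.test) printf '%s\n' '  Server name: ipa1.example.test' ;;
        ipa2.example.test) printf '%s\n' '  Server name: ipa2.example.test' \
            '  Forwarders: 10.0.0.11' '  Forward policy: first' ;;
        *) return 1 ;;
    esac
}

# Constructed stand-in for `ipa dnszone-show example.test` (forwarding off).
ZONE_OUT='  Zone name: example.test.
  Active zone: TRUE
  Forward policy: none'

# Effective forwarder list for one server: per-server if set, else global.
# Prints "<forwarders> (<policy>, <level>)".
effective_forwarders() {
    out=$(server_out "$1") || return 1
    fwd=$(printf '%s\n' "$out" | field Forwarders)
    if [ -n "$fwd" ]; then
        pol=$(printf '%s\n' "$out" | field 'Forward policy')
        printf '%s (%s, per-server)\n' "$fwd" "$pol"
    else
        fwd=$(printf '%s\n' "$GLOBAL_OUT" | field 'Global forwarders')
        pol=$(printf '%s\n' "$GLOBAL_OUT" | field 'Forward policy')
        printf '%s (%s, global)\n' "${fwd:-none}" "$pol"
    fi
}

# True when a server's whole effective forwarder list is the peer IP ($2):
# the dependency from the thread, where one server only forwards to the other.
depends_on_peer() {
    fwd=$(effective_forwarders "$1" | sed 's/ (.*//')
    [ "$fwd" = "$2" ]
}

# Zone-level policy from the captured dnszone-show output.
zone_policy() { printf '%s\n' "$ZONE_OUT" | field 'Forward policy'; }

# Print the per-level view an admin would compare between the two servers.
main() {
    printf 'global: %s\n' "$(printf '%s\n' "$GLOBAL_OUT" | field 'Global forwarders')"
    for s in ipa1.example.test ipa2.example.test; do
        printf '%s: %s\n' "$s" "$(effective_forwarders "$s")"
        if depends_on_peer "$s" 10.0.0.11; then
            printf 'WARNING: %s forwards only to the peer IPA server\n' "$s"
        fi
    done
    printf 'zone example.test forward policy: %s\n' "$(zone_policy)"
}

main
```

Run the three real commands (`ipa dnsconfig-show`, `ipa dnsserver-show <fqdn>` for each server, `ipa dnszone-show <zone>`) from a host with a valid admin ticket and feed their output into the same checks; a per-server entry that is missing on one server but set to the peer's address on the other is exactly the asymmetry that makes one server depend on the other.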