Bug 872372 - IPA server DNS forwarding broken with bind-dyndb-ldap-2.2-1.el6.x86_64
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Adam Tkac
QA Contact: Namita Soman
Keywords: Regression, TestBlocker
Reported: 2012-11-01 19:39 EDT by Scott Poore
Modified: 2013-02-21 03:58 EST (History)
Fixed In Version: bind-dyndb-ldap-2.3-1.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:58:43 EST
Type: Bug
Comment 2 Petr Spacek 2012-11-02 04:46:31 EDT
As a result of changes in version 2.1, global forwarders specified in the configuration file /etc/named.conf are ignored. I will fix that.

In the meantime, please use global forwarders in LDAP - it works.
Comment 4 Namita Soman 2012-11-02 05:23:29 EDT
workaround by mkosek in IRC:
 "ipa dnsconfig-mod --forwarder=, " should do the trick
Comment 8 Scott Poore 2012-11-09 12:03:39 EST

Version ::


Manual Test Results ::

[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm2.com
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm2.com
IP address:
Domain name:   testrelm2.com
Realm name:    TESTRELM2.COM

BIND DNS server will be configured to serve IPA domain with:
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: disabling betxn plugins
  [10/37]: configuring uniqueness plugin
  [11/37]: configuring uuid plugin
  [12/37]: configuring modrdn plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring ssl for ds instance
  [18/37]: configuring certmap.conf
  [19/37]: configure autobind for root
  [20/37]: configure new location for managed entries
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: adding replication acis
  [25/37]: creating container for managed entries
  [26/37]: configuring user private groups
  [27/37]: configuring netgroups from hostgroups
  [28/37]: creating default Sudo bind user
  [29/37]: creating default Auto Member layout
  [30/37]: adding range check plugin
  [31/37]: creating default HBAC rule allow_all
  [32/37]: initializing group membership
  [33/37]: adding master entry
  [34/37]: configuring Posix uid/gid generation
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@rhel6-1 ~]# less /etc/named.conf
        forward first;
        forwarders {

[root@rhel6-1 ~]# ipa dnsconfig-mod --forwarder=$DNSFORWARDER
ipa: ERROR: no modifications to be performed

[root@rhel6-1 ~]# dig +short download.devel.redhat.com | grep $DOWNLOAD_DEVEL_IP | wc -l

So, without using a workaround, I can resolve outside of my own IPA domain now.  Looks good.
Comment 9 Scott Poore 2012-11-09 13:10:30 EST
FYI, had to mark comment 0 private.  This is FYI only, not an issue since the 2.3-1 release.  

Here's an edited version of comment 0:

Description of problem:

IPA servers with DNS enabled and a forwarder specified are seeing that forwarding does not work with bind-dyndb-ldap-2.2-1.el6.x86_64.  Before this (version 2.0) it seemed to work fine.

[root@rhel6-1 ~]# dig download.devel.redhat.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> download.devel.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;download.devel.redhat.com.	IN	A

redhat.com.		600	IN	SOA	ns1.redhat.com. noc.redhat.com. 2012102900 300 180 604800 14400

;; Query time: 1641 msec
;; WHEN: Thu Nov  1 18:07:24 2012
;; MSG SIZE  rcvd: 87

Is there something new that needs to be done to enable this properly now?

Version-Release number of selected component (if applicable):

How reproducible:
Very...we're seeing problems with fresh installs and upgrades

Steps to Reproduce:
1.  Install IPA Master server specifying a forwarder
2.  Lookup a hostname outside of the IPA DNS domain.
Actual results:


Expected results:
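A diagnostic for the symptom reported here (a forwarder present in named.conf while the local named still answers NXDOMAIN for a name outside the IPA domain, as in the dig output above and the verification in comment 8), added as an example and not taken from the report or from the FreeIPA/bind-dyndb-ldap projects: it reads the forwarders block, classifies dig's RCODE, and reports "forwarder-ignored" when the forwarder resolves a name the local named does not. All function names, the 192.0.2.x addresses and the sample dig headers are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the report or the FreeIPA/bind-dyndb-ldap projects):
# named.conf lists forwarders, yet local named answers NXDOMAIN/SERVFAIL for a
# name that the forwarder itself resolves.

# Print the addresses inside a named.conf "forwarders { ...; };" block.
named_conf_forwarders() {
    awk '/forwarders[ \t]*[{]/ { inblk = 1; sub(/.*forwarders[ \t]*[{]/, "") }
         inblk {
             done = ($0 ~ /[}]/)
             gsub(/[;{}]/, " ")        # strip punctuation; awk re-splits fields
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $i ~ /:/) print $i
             if (done) inblk = 0
         }' "$1"
}

# Read dig output on stdin and print its RCODE (NOERROR, NXDOMAIN, ...), or "none".
dig_status() {
    st=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${st:-none}"
}

# diagnose LOCAL_RCODE FORWARDER_RCODE -> one-word verdict
diagnose() {
    case "$1:$2" in
        NOERROR:*)                          echo resolves ;;          # local named works
        NXDOMAIN:NOERROR|SERVFAIL:NOERROR)  echo forwarder-ignored ;; # this bug's signature
        *:NXDOMAIN)                         echo unknown-upstream ;;  # forwarder lacks the name too
        *)                                  echo unresolved ;;        # timeouts, REFUSED, ...
    esac
}

# Live check (hypothetical usage): check_forwarding download.devel.redhat.com /etc/named.conf
check_forwarding() {
    fwd=$(named_conf_forwarders "${2:-/etc/named.conf}" | head -n 1)
    [ -n "$fwd" ] || { echo no-forwarder-configured; return 1; }
    diagnose "$(dig +time=3 "$1" | dig_status)" "$(dig +time=3 @"$fwd" "$1" | dig_status)"
}

# Constructed samples: the report's failing local answer and a healthy forwarder answer.
BROKEN_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
GOOD_FORWARDER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Offline demonstration on the constructed samples; returns "forwarder-ignored".
demo() {
    diagnose "$(printf '%s\n' "$BROKEN_LOCAL" | dig_status)" \
             "$(printf '%s\n' "$GOOD_FORWARDER" | dig_status)"
}
```

check_forwarding needs dig and a readable named.conf on the server; demo runs offline on the constructed samples.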
Comment 11 errata-xmlrpc 2013-02-21 03:58:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

