DNS#
This page contains DNS and DNSSEC troubleshooting advice. For other issues, refer to the index at Troubleshooting.
Getting logs#
FreeIPA is using BIND as integrated DNS server. If you suspect that something is wrong with your DNS, inspect logs generated by BIND.
Depending on your distribution and FreeIPA version, the logs can be on accessed using three different techniques:
$ journalctl -u named-pkcs11
$ journalctl -u named
file /var/named/data/named.run
Reporting bugs#
Please follow instructions published by bind-dyndb-ldap project.
Kerberos does not work#
From common experience, a great portion of issues with FreeIPA or the Kerberos authentication is caused by DNS misconfiguration. When investigating such issue make sure that:
Client forward record is OK both on FreeIPA server and the affected FreeIPA client:
host $IPA_CLIENT_FQDN
Server forward and reverse record is OK both on FreeIPA server and the affected FreeIPA client:
host $IPA_SERVER_FQDN
host $IPA_SERVER_IP_ADDRESS
Returned hostname must be a fully qualified hostname with a trailing dot, e.g.
server.example.com.
Check
/etc/hostson the client make sure there is not a wrong server entry or a server entry where the first name is not fully qualified.
named on server does not start#
See article What to do when named with bind-dyndb-ldap cannot start
PTR synchronization does not work#
Most common problems are caused by misconfiguration. Please see article How PTR record synchronization works.
Forward zone does not work#
At first please try following command:
dig @forwarder forwarding.zone.name. SOA
If command above returns NXDOMAIN or SERVFAIL, please check your forwarder.
DNSSEC validation#
Do you use TLD domains you don’t own (like .local or .corp)?
Do you have
dnssec-validation yes;in /etc/named.conf?Does
journalctl -u named-pkcs11show errors about record signatures?
Then DNSSEC validation prevents you from resolving records from the forward zone.
How to fix it:
at first please don’t use domains you don’t own (FreeIPA Deployment Recommendations)
if you really need those domains, you have to set
dnssec-validation no;in /etc/named.conf on all FreeIPA DNS servers (and proceed restart)
missing zone delegation#
Do you have a master zone that is the parent of your forward zone (both on FreeIPA server)? Example:
master zone: ipa.freeipa.org.
forward zone: others.ipa.freeipa.org.
Please check if master zone contains an NS delegation record and A glue records (HOWTO - Delegate a Sub-domain (a.k.a. subzone)).
Example:
$ORIGIN ipa.freeipa.org.
others NS ns.others.ipa.freeipa.org.
ns.others A 192.0.2.1
ns.others AAAA 2001:db8::1
Without zone delegation all queries are processed by master zone and NXDOMAIN is returned (Forward zones design page).
Forward policy set to none#
Please check your forward policy:
ipa dnsforwardzone-show ipa.freeipa.org.
If forward policy is set to none, forwarding is disabled. Please set first or only as forward-policy to allow forwarding.
DNSSEC signing does not work#
Related information how to use DNSSEC with FreeIPA can be found in DNSSEC howto.
DNSSEC signing is not enabled for the particular zone#
ipa dnszone-show ipa.example
Allow in-line DNSSEC signing: TRUE
Use command ipa dnszone-mod ipa.example --dnssec=1 to enable DNSSEC
signing for given zone.
DNSSEC master is not configured#
Verify that one server is configured to be DNSSEC key master. Run following commands on one FreeIPA replica and check that exactly one LDAP entry is printed out:
kinit adminldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
dn: cn=DNSSEC,cn=vm-236.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService
cn: DNSSEC
# numEntries: 1
If no entry was found, promote one FreeIPA replica to be the DNSSEC key master:
ipa-dns-install --dnssec-master
DNSSEC key master services are not running#
Run ipactl status on the DNSSEC key master and check that all
services are running: All services should be in state RUNNING except
ipa-ods-exporter service which is run only on-demand.
DNS keys are not generated by OpenDNSSEC#
Here we begin with root account on the replica in DNSSEC key master
role. First of all switch to user ods so you do not mangle
filesystem permissions:
sudo -u ods -s /bin/bashsource /etc/sysconfig/odsexport SOFTHSM2_CONF
Now you can list zones managed by OpenDNSSEC:
ods-enforcer zone list(useods-ksmutilon RHEL 7)
Found Zone: ipa.example; on policy default
If the zone is not in the list, restart ipa-dnskeysyncd service
which is responsible for LDAP->OpenDNSSEC synchronization and check its
logs if the restart did not help.
If the zone is in the list, verify that DNSSEC keys were generated for the zone. You should see:
At least one key with type
KSKin statepublishoractive.At least one key with type
ZSKin stateactive.ods-enforcer key list --verbose(useods-ksmutilon RHEL 7)
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
ipa.example ZSK active 2015-06-03 12:52:07 (retire) 2048 8 623d723... SoftHSM 60195
ipa.example KSK publish 2015-03-06 02:52:07 (ready) 2048 8 60b5ce3... SoftHSM 6046
Missing keys indicate a problem with OpenDNSSEC or possibly lack of
entropy. Check logs for ods-enforcerd service.
DNS keys are stored in local HSM on key master replica#
Verify that keys shown by OpenDNSSEC key list command actually exist
in local HSM on the DNSSEC key master replica:
sudo -u ods python3 -m ipaserver.dnssec.localhsm(replacepython3withpython2on RHEL 7)
Every CKA_ID has to be listed in twice with boolean parameters shown
below. Please ignore other values printed by localhsm command.
zone public keys
================
623d723...
{'ipk11label': u'623d723...', 'ipk11verify': True, ...}
...
zone private keys
=================
623d723...
{'ipk11label': u'623d723...', 'ipk11sign': True, 'ipk11extractable': True, ...}