#5179 IPA dnssec-validation not working for AD dnsforwardzone
Closed: Fixed. Opened 8 years ago by jcholast.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1249226

Description of problem:

We have tests setting up AD Trust that are failing on some normal DNS Forwarder
setups.  It should be noted that these are pre-existing AD servers used in
multiple tests for different versions of IPA.  We try to create a
dnsforwardzone for the AD Domain on the IPA server like this and see the error:

[root@vm-idm-014 system]# ipa dnsforwardzone-add adtest.qe --forwarder=$AD_IP
--forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNS server $IPA_IP: query 'adtest.qe. SOA': All nameservers
failed to answer the query adtest.qe. IN SOA: Server $IPA_IP UDP port 53
anwered SERVFAIL.
  Zone name: adtest.qe.
  Active zone: TRUE
  Zone forwarders: $AD_IP
  Forward policy: only

Then in messages I see:
Aug  1 02:53:00 vm-idm-014 named-pkcs11[16963]: forward zone 'adtest.qe':
loaded
Aug  1 02:53:05 vm-idm-014 named-pkcs11[16963]: error (insecurity proof failed)
resolving 'adtest.qe/SOA/IN': $AD_IP#53

If I disable dnssec-validation in /etc/named.conf, this does not occur and I
can add the forwarder as expected.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64
bind-pkcs11-9.9.4-27.el7.x86_64


How reproducible:
always at least with this AD DNS server


Steps to Reproduce:
1.  Install IPA Master
2.  Install AD server with DNS
3.  ipa dnsforwardzone-add $AD_DOMAIN --forwarder=$AD_IP --forward-policy=only

Actual results:
Error like above and cannot resolve that domain from IPA server:

[root@vm-idm-014 system]# dig +short @$AD_IP $AD_DOMAIN
$AD_IP

[root@vm-idm-014 system]# dig +short @$IPA_IP $AD_DOMAIN
[root@vm-idm-014 system]#


Expected results:

I originally thought this should work with zones not supporting DNSSEC, but I
need clarification.  If not, we may need a better way to disable DNSSEC
Validation.

Additional info:

[root@vm-idm-014 system]# dig @$AD_IP $AD_DOMAIN SOA|grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000

[root@vm-idm-014 system]# dig +short @$AD_IP $AD_DOMAIN SOA +edns=0
ad12srv1.adtest.qe. hostmaster.adtest.qe. 2731 900 600 86400 3600

[root@vm-idm-014 system]# dig  @$AD_IP $AD_DOMAIN SOA +edns=0|grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000

From the design page:

http://www.freeipa.org/page/V4/DNSSEC_Support#Detection_if_forwarders_are_DNSSEC_capable

I guess it looks like the AD server does not support DNSSEC because it fails
check 3 for forward zones (at least using dig):

check if the record "fwzone IN SOA" @forwarder with EDNS0 has DNSSEC signatures
(flags: RD, DO)

    failed: forwarder does not support DNSSEC

Dig results:

[root@vm-idm-014 system]# dig  @$AD_IP $AD_DOMAIN SOA +edns=0|grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4000

I don't see the expected DO flag on the AD server.
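One caveat a practitioner checking a forwarder this way should know: dig sets the
DO bit in the EDNS OPT record only when +dnssec is given; +edns=0 alone requests
EDNS0 without DNSSEC, so a reply to the queries quoted above would not carry "do"
even from a DNSSEC-capable server. The check from the design page (forward zone
SOA at the forwarder, EDNS0, RD and DO set, RRSIG present in the answer) is
reconstructed below as an added example. This is editor-written code, not
FreeIPA's own forwarder check and not output from the ticket's hosts: the two dig
transcripts are constructed, the 192.0.2.x addresses stand in for $AD_IP, the
signed zone "signed.test" and its RRSIG bytes are placeholders, and the function
names are the example's own.

```python
import re

# Constructed dig output (not captured from the ticket's hosts) modelling the
# reply the ticket describes: EDNS0 present, no "do" flag, unsigned SOA, for a
# query that did ask for DNSSEC with +dnssec. 192.0.2.10 stands in for $AD_IP.
DIG_AD_FORWARDER = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-27.el7 <<>> @192.0.2.10 adtest.qe. SOA +edns=0 +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;adtest.qe.                     IN      SOA

;; ANSWER SECTION:
adtest.qe.              3600    IN      SOA     ad12srv1.adtest.qe. hostmaster.adtest.qe. 2731 900 600 86400 3600
"""

# Constructed reply from a hypothetical signed zone on a DNSSEC-capable
# forwarder: DO echoed back, SOA accompanied by its RRSIG. The signature
# field is a placeholder, not a real signature.
DIG_SIGNED_FORWARDER = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-27.el7 <<>> @192.0.2.20 signed.test. SOA +edns=0 +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;signed.test.                   IN      SOA

;; ANSWER SECTION:
signed.test.            3600    IN      SOA     ns1.signed.test. hostmaster.signed.test. 2015080101 3600 900 604800 86400
signed.test.            3600    IN      RRSIG   SOA 8 2 3600 20150901000000 20150801000000 12345 signed.test. AAAAplaceholderSignatureBytes==
"""


def dig_command(forwarder, zone):
    """argv for the design page's check 3: the forward zone's SOA asked of the
    forwarder with EDNS0 and the DO bit. dig sets RD by default; +dnssec is
    what sets DO, +edns=0 alone does not."""
    if not zone.endswith("."):
        zone += "."
    return ["dig", "@" + forwarder, zone, "SOA", "+edns=0", "+dnssec"]


def parse_dig(output):
    """Pull status, header flags, EDNS version/flags and answer RRs out of
    dig's text output. Only the fields the forwarder check needs are kept."""
    result = {"status": None, "flags": set(), "edns": None,
              "edns_flags": set(), "answer": []}
    section = None
    for line in output.splitlines():
        m = re.match(r";; ->>HEADER<<- .*status: (\w+)", line)
        if m:
            result["status"] = m.group(1)
            continue
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            result["flags"] = set(m.group(1).split())
            continue
        m = re.match(r"; EDNS: version: (\d+), flags:([^;]*);", line)
        if m:
            result["edns"] = int(m.group(1))
            result["edns_flags"] = set(m.group(2).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line.strip():
            section = None
            continue
        if section == "ANSWER" and not line.startswith(";"):
            fields = line.split()  # owner ttl class type rdata...
            if len(fields) >= 4:
                result["answer"].append((fields[0], fields[3], " ".join(fields[4:])))
    return result


def forwarder_supports_dnssec(output):
    """Apply check 3 to one dig reply. Returns (ok, reasons); reasons lists
    every condition the forwarder failed, so the whole picture is visible."""
    r = parse_dig(output)
    reasons = []
    if r["status"] != "NOERROR":
        reasons.append("status %s" % r["status"])
    if r["edns"] != 0:
        reasons.append("no EDNS0 OPT record in reply")
    if "do" not in r["edns_flags"]:
        reasons.append("DO bit not echoed by forwarder")
    types = {rtype for _, rtype, _ in r["answer"]}
    if "SOA" not in types:
        reasons.append("no SOA in answer")
    if not any(rtype == "RRSIG" and rdata.split()[0] == "SOA"
               for _, rtype, rdata in r["answer"]):
        reasons.append("no RRSIG covering the SOA")
    return (not reasons, reasons)
```

Usage: run " ".join(dig_command(forwarder_ip, zone)) on the IPA server and feed
its stdout to forwarder_supports_dnssec(). On a reply shaped like the first
sample the function returns False with "DO bit not echoed by forwarder" and "no
RRSIG covering the SOA", which is the "forwarder does not support DNSSEC" outcome
of the design page; a validating named that is nonetheless told to trust such a
forwarder for the zone ends up with unsigned data it cannot prove insecure,
which is the situation the log line above reports.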

master:

  • b4daa45 DNSSEC: fix forward zone forwarders checks

ipa-4-2:

  • 32fedf0 DNSSEC: fix forward zone forwarders checks

Metadata Update from @jcholast:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago

