When trying to configure recursion for trusted networks, named-pkcs11.service fails since the IPA customization config overrides options in the named.conf.
Container setup from the report: image tag `latest`, started with `--setup-dns`, with the override file mounted via `-v /etc/named/ipa-ext.conf:/etc/named/ipa-ext.conf:ro`.
Named fails to start because the ipa-ext.conf file redefines `options`, which seemingly isn't supported.
Journal log:

```
May 14 22:12:05 b4e90ca1bf14 systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
May 14 22:12:05 b4e90ca1bf14 bash[309]: /data/etc/named/ipa-ext.conf:6: 'options' redefined near 'options'
May 14 22:12:05 b4e90ca1bf14 systemd[1]: named-pkcs11.service: Control process exited, code=exited, status=1/FAILURE
May 14 22:12:05 b4e90ca1bf14 systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
May 14 22:12:05 b4e90ca1bf14 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#1
```
I expected the provided example to just work and I would be able to allow specified networks to make recursive queries.
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.8.6-1.fc32.x86_64
freeipa-client-4.8.6-1.fc32.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.3.7-1.fc32.x86_64
pki-ca-10.8.3-1.fc32.noarch
krb5-server-1.18-1.fc32.x86_64
```

```
$ sudo podman images
REPOSITORY                        TAG      IMAGE ID       CREATED       SIZE
docker.io/freeipa/freeipa-server  latest   2bedea2a6293   10 days ago   812 MB
```
Here is my ipa-ext.conf file. This is the file that is distributed, with the comments removed and a single CIDR range added.

```
acl "trusted_network" { localnets; localhost; 192.168.1.0/24; };
options {
    allow-recursion {trusted_network;};
    allow-query-cache {trusted_network;};
};
```
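The failure above is a BIND configuration rule, not something specific to the container: named accepts exactly one top-level `options` block across named.conf and everything it includes, so an override file that opens its own `options { ... }` is rejected at startup. The script below is an added example (not FreeIPA code and not the fix tracked in the linked issue) that walks a named.conf tree with a small tokenizer, follows `include` statements, and reports a second `options` block in the same `file:line: 'options' redefined` shape that named logs. It then checks a layout BIND does accept: the override file carries only the ACL, and the directives that reference it sit in the single `options` block. The include path, the shape of the generated named.conf, and the placement of the include ahead of the options block are assumptions, and all file contents are constructed in memory for the example.

```python
"""Detect a redefined top-level `options` block across a BIND named.conf tree.

Added example, not FreeIPA code. Handles a small subset of the named.conf
grammar: `//`, `#` and `/* */` comments, quoted strings, `{ }` nesting and
`include "file";`. Files come from an in-memory dict so it runs offline.
"""
import re

# BIND allows one of each of these at the top level across all included files.
SINGLETON_STATEMENTS = {"options", "logging"}
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Drop comments but keep quoted strings and newlines (for line numbers)."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                              # quoted string, copy verbatim
            j = text.index('"', i + 1)
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("/*", i):                  # block comment, keep its newlines
            j = text.index("*/", i + 2)
            out.append("\n" * text.count("\n", i, j)); i = j + 2
        elif text.startswith("//", i) or text[i] == "#":
            j = text.find("\n", i)                      # line comment, skip to newline
            i = n if j == -1 else j
        else:
            out.append(text[i]); i += 1
    return "".join(out)


def tokenize(text):
    """Yield (token, line) for braces, semicolons, words and quoted strings."""
    for m in TOKEN_RE.finditer(text):
        yield m.group(), text.count("\n", 0, m.start()) + 1


def top_level_statements(path, files, seen=frozenset()):
    """Yield (keyword, path, line) for each depth-0 statement, following includes."""
    if path in seen:
        raise ValueError(f"include loop at {path}")
    seen, depth, stmt = seen | {path}, 0, []        # stmt: tokens of the current depth-0 statement
    for tok, line in tokenize(strip_comments(files[path])):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth < 0:
                raise ValueError(f"{path}:{line}: unexpected '}}'")
        elif tok == ";":
            if depth == 0 and stmt:
                keyword, kw_line = stmt[0]
                if keyword == "include" and len(stmt) > 1:
                    yield from top_level_statements(stmt[1][0].strip('"'), files, seen)
                else:
                    yield keyword, path, kw_line
                stmt = []
        elif depth == 0:
            stmt.append((tok, line))


def find_redefinitions(root, files):
    """Return (keyword, path, line, first_path, first_line) for each repeated singleton."""
    first, redefined = {}, []
    for keyword, path, line in top_level_statements(root, files):
        if keyword in SINGLETON_STATEMENTS:
            if keyword in first:
                redefined.append((keyword, path, line) + first[keyword])
            else:
                first[keyword] = (path, line)
    return redefined


def format_errors(root, files):
    """Render findings the way named reports them: file:line: 'keyword' redefined."""
    return [f"{p}:{l}: '{k}' redefined" for k, p, l, _, _ in find_redefinitions(root, files)]


# Constructed stand-ins; the include path and generated layout are assumptions.
NAMED_CONF_GENERATED = """\
// stand-in for the named.conf the IPA installer writes
options { directory "/var/named"; allow-recursion { any; }; };
zone "." IN { type hint; file "named.ca"; };
include "/etc/named/ipa-ext.conf";
"""
IPA_EXT_AS_REPORTED = """\
acl "trusted_network" { localnets; localhost; 192.168.1.0/24; };
options { allow-recursion { trusted_network; }; allow-query-cache { trusted_network; }; };
"""
# Accepted layout: the override file only defines the ACL; the directives that
# reference it live in the one options block, which follows the include.
NAMED_CONF_MERGED = """\
include "/etc/named/ipa-ext.conf";
options { directory "/var/named"; allow-recursion { trusted_network; };
          allow-query-cache { trusted_network; }; };
zone "." IN { type hint; file "named.ca"; };
"""
IPA_EXT_ACL_ONLY = 'acl "trusted_network" { localnets; localhost; 192.168.1.0/24; };\n'

BROKEN = {"named.conf": NAMED_CONF_GENERATED, "/etc/named/ipa-ext.conf": IPA_EXT_AS_REPORTED}
MERGED = {"named.conf": NAMED_CONF_MERGED, "/etc/named/ipa-ext.conf": IPA_EXT_ACL_ONLY}

if __name__ == "__main__":
    for label, files in (("as reported", BROKEN), ("merged", MERGED)):
        print(f"{label}: {format_errors('named.conf', files) or 'no redefinitions'}")
```

Running the script prints the redefinition for the reported layout and nothing for the merged one. It only answers the question raised by the journal entry (is there a second `options` block anywhere in the tree); whether the IPA generator can be made to take those directives without hand-editing the generated named.conf is what the linked issue tracks.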
Thanks for the report. This is a duplicate of https://pagure.io/freeipa/issue/8287 . We already know about the issue and there is a fix in progress.
Metadata Update from @cheimes:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
PS: This is an excellent bug report and contains all required information. I have closed your bug as duplicate because we are already using the other bug ID to work on a fix.