Identity Management 4.1 (and later versions) displays a warning message related to DNS forwarders


Since Red Hat Enterprise Linux (RHEL) 7.1, Identity Management tools version 4.1 (the ipa-server and ipa-admintools packages) perform DNS protocol compliance tests before accepting the addresses of DNS servers as forwarders. The aim of the check is to detect non-compliant servers which may cause operational problems or reduce system security.

These protocol compliance tests are performed when executing the ipa-server-install, ipa-dns-install, ipa-replica-install and ipa dnsconfig commands.

Forwarders do not return DNSSEC signatures in answers

The following message warns the user that the server configured as a DNS forwarder is not fully protocol-compliant:

# ipa-replica-install --setup-dns --forwarder=192.0.2.1 -U replica-info-hostname.gpg
Checking forwarders, please wait ...
WARNING: DNS forwarder 192.0.2.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled

In this case the DNS server with the IP address 192.0.2.1 failed to provide a signed DNS answer for the DNS root domain ".". This non-compliant behavior effectively reduces system security because it prevents client systems from obtaining and validating cryptographic signatures in DNS answers, which in turn makes DNS answer forgery (spoofing) attacks possible: without the RRSIG records, a validating resolver has nothing to check and the installer has to fall back to accepting unsigned answers from the forwarder.

An equivalent test can be executed using the dig command-line utility from the bind-utils package:

# dig @192.0.2.1 +dnssec +adflag +cdflag +edns=0 +time=10 +norecurse . NS

The expected output of the dig command is as follows:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50626
;; flags: qr aa; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 25
<...>

;; ANSWER SECTION:
.           518400  IN  NS  a.root-servers.net.
<...>
.           518400  IN  RRSIG   NS 8 0 518400 20150327050000 20150317040000 16665 . fGTgHIN5xkNTgE0GZBUE0GAgl4JSnUfGRiMZHf853UuOXLUP0s/X3kAV tvShZ/LLtb01rGVCDcMLDYPQ+7sIzUvgUBMaLdVXLdI/yXdUNk0f3ftE oqE+asJ0j9PZWujzz6kHHnXdtrrKSWYoSXHOOmKTlasF6Se2tJ/o8AFb T90=

Most importantly, the ANSWER SECTION in the output has to contain NS records along with RRSIG records. Missing RRSIG records indicate that the server configured as a forwarder is either non-compliant or misconfigured.

Generally it is sufficient to enable support for the EDNS0 and DNSSEC protocols on the forwarder. It is not required to enable DNSSEC validation on the forwarder for protocol compliance; the forwarder only has to pass the signatures through unchanged. Please consult your DNS server's documentation for steps on how to enable an equivalent of the dnssec-enable yes; option available in BIND 9.9.

Forwarders do not respond

Alternatively, Identity Management tools can display the following error message:

Forwarder 192.0.2.1 does not respond

This message indicates that the DNS forwarder did not provide any NS records in the ANSWER SECTION mentioned above and therefore does not work as a general-purpose forwarder usable for resolving arbitrary DNS names. You can use the dig command above to test the forwarder and check its response.

In cases where the forwarder responds only to a subset of all DNS names (for example, only an internal domain), please use the ipa dnsforwardzone-add command instead. This command is available once the Identity Management server installation is finished. During server installation, omit the --forwarder option in that case.

Some DNS server implementations might not answer the non-recursive queries used in the test. In that case the test can fail even though the forwarder works. To determine whether your DNS server behaves in such a way, please run the following modified version of the dig command:

# dig @192.0.2.1 +recurse . NS

Your server is affected if the outputs of the two dig commands differ, that is, the variant with +recurse contains NS records in the ANSWER section but the variant with +norecurse does not contain any NS records.
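The following script is an added example, not code from the Red Hat article or from the IdM project. It re-implements the forwarder check described above as a shell script: the same dig query the installer uses, a classifier that inspects only the ANSWER SECTION for NS and RRSIG records, and the +recurse retry that tells a dead forwarder apart from one that merely refuses non-recursive queries. The function names (classify_dig_output, check_forwarder) and the abridged sample outputs are constructed for this example; only the live check needs dig from bind-utils and network access.

```shell
#!/bin/sh
# Added example (not part of the Red Hat article or the IdM code base).
# Reproduces the installer's forwarder compliance test with dig.

# Classify dig output read from stdin by looking at the ANSWER SECTION only.
# Prints one of: OK, NO_DNSSEC, NO_RESPONSE.
classify_dig_output() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/                  { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "NS"                  { ns++ }
        in_answer && $3 == "IN" && $4 == "RRSIG" && $5 == "NS" { rrsig++ }
        END {
            if (ns + 0 == 0)         print "NO_RESPONSE"
            else if (rrsig + 0 == 0) print "NO_DNSSEC"
            else                     print "OK"
        }'
}

# Run the same non-recursive query ipa-*-install uses. If the forwarder returns
# no NS records at all, retry with +recurse: a forwarder that answers only then
# is one that refuses non-recursive queries, not a dead one.
# Prints one of: OK, NO_DNSSEC, NO_RESPONSE, NORECURSE_REFUSED.
check_forwarder() {
    ip="$1"
    result=$(dig "@$ip" +dnssec +adflag +cdflag +edns=0 +time=10 +norecurse . NS \
             | classify_dig_output)
    if [ "$result" = NO_RESPONSE ]; then
        retry=$(dig "@$ip" +recurse . NS | classify_dig_output)
        [ "$retry" != NO_RESPONSE ] && result=NORECURSE_REFUSED
    fi
    echo "$result"
}

# Constructed, abridged sample outputs (not captured from real servers) so the
# classifier can be exercised offline.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  RRSIG   NS 8 0 518400 20150327050000 20150317040000 16665 . fGTgHIN5xkNT...

;; Query time: 1 msec'

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
.           518400  IN  NS  a.root-servers.net.

;; Query time: 1 msec'

SAMPLE_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 1 msec'

# Usage: ./check_forwarder.sh 192.0.2.1
# Without an argument the script only defines the functions and samples.
if [ $# -gt 0 ]; then
    check_forwarder "$1"
fi
```

A result of NO_DNSSEC corresponds to the "does not return DNSSEC signatures" warning, NO_RESPONSE to "Forwarder ... does not respond", and NORECURSE_REFUSED to the case the workaround below is meant for.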

As a workaround, you can install the Identity Management server without specifying the --forwarder option and configure forwarders once the initial installation is done. You can do that by adding the forwarder's IP address to the forwarders section in /etc/named.conf and restarting the BIND service used by IdM afterwards. Note that with forward first, named falls back to iterative resolution from the root servers when the forwarder does not answer; use forward only if the server must never resolve names on its own:

options {
        forward first;
        forwarders {
                192.0.2.1;
        };
};
