FreeIPA (IdM) DNS fails resolving forward zones: broken trust chain resolving
Issue
- FreeIPA (IdM) DNS server cannot resolve an Active Directory (AD) zone configured as a DNS forward zone. The following error messages appear in /var/log/messages:
  Sep 15 10:01:00 idm1 named-pkcs11[1006]: validating example.com/SOA: bad cache hit (internal/DS)
  Sep 15 10:01:00 idm1 named-pkcs11[1006]: broken trust chain resolving 'example.com/A/IN': 192.168.12.34#53
- The same DNS zone resolves when queried directly against the remote AD DNS server with dig or nslookup.
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Identity Management (IdM) / FreeIPA
- ipa-server-dns
- bind-pkcs11
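The following POSIX shell script is an added example and is not part of the Red Hat article. It does two things: run offline, it scans named log lines for the "broken trust chain resolving" message and prints the zone and forwarder involved (the sample log is constructed from the lines quoted under Issue); run with a zone and a forwarder address as arguments, it issues the three dig queries that distinguish a DNSSEC validation failure from a forwarder that is simply unreachable. The names and addresses (idm1, example.com, 192.168.12.34) come from the quoted log; querying 127.0.0.1 assumes the script is run on the IdM server itself.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): triage the named error
# "broken trust chain resolving '<zone>/A/IN': <forwarder>#53" on an IdM DNS server.

# Sample log lines, constructed from those quoted in the article plus one
# ordinary query line that must NOT be reported.
SAMPLE_LOG='Sep 15 10:01:00 idm1 named-pkcs11[1006]: validating example.com/SOA: bad cache hit (internal/DS)
Sep 15 10:01:00 idm1 named-pkcs11[1006]: broken trust chain resolving '\''example.com/A/IN'\'': 192.168.12.34#53
Sep 15 10:01:05 idm1 named-pkcs11[1006]: client 10.0.0.5#4321: query: www.example.com IN A + (10.0.0.1)'

# broken_chains: read named log lines on stdin and emit "zone forwarder" for
# every "broken trust chain resolving 'name/type/class': ip#port" line.
# Usage on a live system: grep named /var/log/messages | broken_chains | sort -u
broken_chains() {
    sed -n "s/.*broken trust chain resolving '\([^/]*\)\/[^']*': \([^#]*\)#.*/\1 \2/p"
}

# sample_pairs: distinct zone/forwarder pairs found in the constructed sample.
sample_pairs() {
    printf '%s\n' "$SAMPLE_LOG" | broken_chains | sort -u
}

# diagnose ZONE FORWARDER: three queries, printing only the status line of each.
#  1. IdM resolver, normal query: SERVFAIL when validation fails.
#  2. IdM resolver with +cd (checking disabled): if this returns NOERROR
#     while query 1 is SERVFAIL, DNSSEC validation is the cause, not the data.
#  3. Forwarder directly: must answer; if it does not, the problem is
#     reachability or the forwarder's own configuration, not DNSSEC.
# Assumption: run on the IdM server, so the local resolver is 127.0.0.1.
diagnose() {
    zone=$1
    fwd=$2
    idm=127.0.0.1
    echo "== 1. IdM ($idm), normal query for $zone A =="
    dig @"$idm" "$zone" A +noall +comments | grep 'status:'
    echo "== 2. IdM ($idm), checking disabled (+cd) =="
    dig @"$idm" "$zone" A +cd +noall +comments | grep 'status:'
    echo "== 3. forwarder $fwd directly =="
    dig @"$fwd" "$zone" A +noall +comments | grep 'status:'
}

# With no arguments run the offline log scan; with ZONE FORWARDER run the dig checks.
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
else
    echo "DNSSEC validation failures in sample log (zone forwarder):"
    sample_pairs
fi
```

Reading the result: a SERVFAIL from query 1 that becomes NOERROR in query 2 confirms that named has the answer but refuses to hand it out because it cannot build a trust chain for the zone, which matches the "bad cache hit (internal/DS)" message for the zone's DS lookup. If query 3 also fails, look at network reachability to the forwarder first, since DNSSEC is then not the immediate problem.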