IPA DNS DNSSEC causes Global Forwarding to not function
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Identity Management
- external DNS servers that do not support DNSSEC, are used as global forwarding
Issue
- IPA Global DNS Forwarder not resolving
- How to disable DNSSEC in IdM
- lame-servers.log has:
31-Jan-2023 20:59:58.279 info: no valid RRSIG resolving 'host.external.example.com/DS/IN': 10.0.0.2#53
31-Jan-2023 20:59:59.449 info: insecurity proof failed resolving 'external.example.com/DNSKEY/IN': 10.0.0.2#53
Resolution
The preferred approach is to make the external DNS server support DNSSEC.
If that is not practical, this resolution shows how to disable DNSSEC validation in IPA DNS.
Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8, up to 8.1
1. Edit /etc/named.conf and set the dnssec parameters as below:
dnssec-enable no;
dnssec-validation no;
2. Restart named:
# systemctl restart named-pkcs11
Red Hat Enterprise Linux 8.2 or later
1. Edit /etc/named/ipa-options-ext.conf and set the dnssec parameters as below:
dnssec-enable no;
dnssec-validation no;
2. Restart named:
# systemctl restart named-pkcs11
Root Cause
DNSSEC validation is enabled by default.
If the external DNS server does not implement DNSSEC, its records are unsigned, so DNSSEC validation of the answers received through that forwarder fails.
IPA is unable to use those DNS records because validation is required by default.
Diagnostic Steps
no valid DS resolving in /var/log/messages
named-pkcs11[2572]: no valid DS resolving 'host.external.example.com/A/IN': 10.0.0.2#53
no valid RRSIG resolving in /var/named/data/lame-servers.log
31-Jan-2023 20:59:58.279 info: no valid RRSIG resolving 'host.external.example.com/DS/IN': 10.0.0.2#53
31-Jan-2023 20:59:59.449 info: insecurity proof failed resolving 'external.example.com/DNSKEY/IN': 10.0.0.2#53
(Assuming the global forwarding DNS server is 10.0.0.2.)
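As an added example (not part of the Red Hat article), the following POSIX shell snippet pulls the forwarder address behind these validation failures out of named log text and reads the effective dnssec-validation setting from a named configuration fragment; the log lines and the config text are constructed samples that mirror the messages shown above.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Triage helpers for an IPA DNS server that
# forwards to an external resolver without DNSSEC support.
# All log lines and the config fragment below are constructed samples.

# Read named log text on stdin and print "<forwarder> <count>" for each
# forwarder address that produced one of the three DNSSEC validation failures
# seen in this article: "no valid DS", "no valid RRSIG", "insecurity proof failed".
dnssec_failures_by_forwarder() {
    grep -E 'no valid (DS|RRSIG)|insecurity proof failed' |
        sed -n 's/.*: \([0-9.]*\)#[0-9]*$/\1/p' |
        sort | uniq -c | awk '{print $2 " " $1}'
}

# Read a named config file on stdin and print the effective dnssec-validation
# value (yes/no/auto), ignoring // and # comments; prints "unset" if absent.
# Real use: dnssec_validation_setting < /etc/named/ipa-options-ext.conf
dnssec_validation_setting() {
    val=$(sed -e 's@//.*$@@' -e 's/#.*$//' |
        sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' |
        tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Constructed sample: two lame-servers.log lines, one /var/log/messages line,
# and one unrelated line from a different server that must be ignored.
SAMPLE_LOG="31-Jan-2023 20:59:58.279 info: no valid RRSIG resolving 'host.external.example.com/DS/IN': 10.0.0.2#53
31-Jan-2023 20:59:59.449 info: insecurity proof failed resolving 'external.example.com/DNSKEY/IN': 10.0.0.2#53
Jan 31 20:59:58 idm named-pkcs11[2572]: no valid DS resolving 'host.external.example.com/A/IN': 10.0.0.2#53
31-Jan-2023 21:00:01.000 info: unrelated message from 192.0.2.1#53"

# Constructed sample config: a commented-out "yes" must not win over the live "no".
SAMPLE_CONF='options {
    // dnssec-validation yes;
    dnssec-enable no;
    dnssec-validation no;   # disabled because the forwarder is not DNSSEC-capable
};'

printf '%s\n' "$SAMPLE_LOG" | dnssec_failures_by_forwarder   # prints: 10.0.0.2 3
printf '%s\n' "$SAMPLE_CONF" | dnssec_validation_setting     # prints: no
```

A single forwarder address accounting for every failure, combined with a "yes" or "unset" validation setting, is the pattern this article describes.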
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
2 Comments
On RHEL9 we can't restart named-pkcs11 somehow:
I’m having the same issue in RHEL 9.1. Have you found any solution?