FreeIPA (IdM) integrated DNS server denies recursive query from client networks

Solution Verified - Updated -

Issue

  • IPA clients from client network cannot resolve DNS records outside IPA domain

    [user@ipaclient] # dig @ipaserver1.ipa.example.com redhat.com 
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2923                <=== status is REFUSED
    <...>
    
  • Corresponding log message is recorded in /var/log/messages:

    ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.34#36429 (redhat.com): query (cache) 'redhat.com/A/IN' denied
    
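    The two symptoms above (REFUSED in the dig header and the "query (cache) ... denied" line in /var/log/messages) are easy to miss in a busy log. The helpers below are an added example, not part of this article or of the IPA/BIND code: they read the status field out of captured dig output and pull the client address, port and query name out of named-pkcs11 log lines so the denials can be counted per client network. The regular expressions are an assumption based on the single log line shown above, and the sample dig output and log lines are constructed for this example.

```python
"""Added diagnostic helpers for the REFUSED / 'query (cache) denied' symptom.

Not part of the Red Hat article; the log-line pattern is an assumption built
from the one named-pkcs11 line the article shows, and all sample data below
is constructed.
"""
import ipaddress
import re
from collections import Counter

# ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2923"
DIG_HEADER = re.compile(
    r";; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)"
)

# "ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.34#36429
#  (redhat.com): query (cache) 'redhat.com/A/IN' denied"
# Assumed pattern: the "@0x..." client handle is optional (older BIND omits it).
DENIED_QUERY = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"query \((?P<kind>cache|recursion)\) '(?P<record>[^']+)' denied"
)


def parse_dig_status(output):
    """Return the status field from a dig answer header ('NOERROR', 'REFUSED', ...)
    or None when no header line is present."""
    m = DIG_HEADER.search(output)
    return m.group("status") if m else None


def parse_denied_queries(lines):
    """Extract one dict per 'query (...) denied' log line; other lines are skipped."""
    results = []
    for line in lines:
        m = DENIED_QUERY.search(line)
        if not m:
            continue
        # record looks like 'redhat.com/A/IN' -> name, type, class
        name, rtype, rclass = m.group("record").rsplit("/", 2)
        results.append({
            "client": m.group("addr"),
            "port": int(m.group("port")),
            "qname": name,
            "qtype": rtype,
            "qclass": rclass,
            "kind": m.group("kind"),
        })
    return results


def summarize_by_network(denials, prefixlen=24):
    """Count denials per client network so the affected client subnets stand out."""
    counts = Counter()
    for d in denials:
        net = ipaddress.ip_network(f"{d['client']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


# Constructed sample data (modelled on the article's output, not captured from a real host).
SAMPLE_DIG = """; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2923
"""

SAMPLE_LOG = [
    "Jan  1 12:00:00 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.34#36429 (redhat.com): query (cache) 'redhat.com/A/IN' denied",
    "Jan  1 12:00:01 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80bfa80 192.168.12.35#51012 (www.example.org): query (cache) 'www.example.org/AAAA/IN' denied",
    "Jan  1 12:00:02 ipaserver1 named-pkcs11[22529]: client @0x7f5cc80c1234 10.20.30.40#40001 (redhat.com): query (cache) 'redhat.com/A/IN' denied",
    "Jan  1 12:00:03 ipaserver1 named-pkcs11[22529]: zone ipa.example.com/IN: sending notifies (serial 123)",
]

if __name__ == "__main__":
    print("dig status:", parse_dig_status(SAMPLE_DIG))
    denials = parse_denied_queries(SAMPLE_LOG)
    for d in denials:
        print(f"{d['client']:>15} refused {d['qtype']} {d['qname']}")
    print("denials per /24:", summarize_by_network(denials))
```

    In practice feed parse_denied_queries() the output of journalctl -u named-pkcs11 or the relevant slice of /var/log/messages; a REFUSED status from parse_dig_status() together with a non-empty per-network summary is the signature of the issue described above, and the network keys tell you which client subnets the server is currently refusing to recurse for.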

Environment

  • Red Hat Enterprise Linux 8.2 or later
  • Red Hat Identity Management (IdM) / FreeIPA
    • ipa-server-4.8.4 or later
    • ipa-server-dns-4.8.4 or later
    • bind-pkcs11
