This page contains DNS and DNSSEC troubleshooting advice. For other issues, refer to the index at Troubleshooting.

Getting logs#

FreeIPA is using BIND as integrated DNS server. If you suspect that something is wrong with your DNS, inspect logs generated by BIND.

Depending on your distribution and FreeIPA version, the logs can be on accessed using three different techniques:

  • $ journalctl -u named-pkcs11

  • $ journalctl -u named

  • file /var/named/data/named.run

Reporting bugs#

Please follow instructions published by bind-dyndb-ldap project.

Kerberos does not work#

From common experience, a great portion of issues with FreeIPA or the Kerberos authentication is caused by DNS misconfiguration. When investigating such issue make sure that:

  • Client forward record is OK both on FreeIPA server and the affected FreeIPA client:

  • Server forward and reverse record is OK both on FreeIPA server and the affected FreeIPA client:

    • Returned hostname must be a fully qualified hostname with a trailing dot, e.g. server.example.com.

  • Check /etc/hosts on the client make sure there is not a wrong server entry or a server entry where the first name is not fully qualified.

named on server does not start#

See article What to do when named with bind-dyndb-ldap cannot start

PTR synchronization does not work#

Most common problems are caused by misconfiguration. Please see article How PTR record synchronization works.

Forward zone does not work#

At first please try following command:

dig @forwarder forwarding.zone.name. SOA

If command above returns NXDOMAIN or SERVFAIL, please check your forwarder.

DNSSEC validation#

  • Do you use TLD domains you don’t own (like .local or .corp)?

  • Do you have dnssec-validation yes; in /etc/named.conf?

  • Does journalctl -u named-pkcs11 show errors about record signatures?

Then DNSSEC validation prevents you from resolving records from the forward zone.

How to fix it:

  • at first please don’t use domains you don’t own (FreeIPA Deployment Recommendations)

  • if you really need those domains, you have to set dnssec-validation no; in /etc/named.conf on all FreeIPA DNS servers (and proceed restart)

missing zone delegation#

Do you have a master zone that is the parent of your forward zone (both on FreeIPA server)? Example:

  • master zone: ipa.freeipa.org.

  • forward zone: others.ipa.freeipa.org.

Please check if master zone contains an NS delegation record and A glue records (HOWTO - Delegate a Sub-domain (a.k.a. subzone)).


$ORIGIN ipa.freeipa.org.
others ``\ **``NS``**\ `` ns.others.ipa.freeipa.org.
ns.others ``\ **``A``**\ ``
ns.others ``\ **``AAAA``**\ `` 2001:db8::1

Without zone delegation all queries are processed by master zone and NXDOMAIN is returned (Forward zones design page).

Forward policy set to none#

Please check your forward policy:

ipa dnsforwardzone-show ipa.freeipa.org.

If forward policy is set to none, forwarding is disabled. Please set first or only as forward-policy to allow forwarding.

DNSSEC signing does not work#

Related information how to use DNSSEC with FreeIPA can be found in DNSSEC howto.

DNSSEC signing is not enabled for the particular zone#

ipa dnszone-show ipa.example

Allow in-line DNSSEC signing: TRUE

Use command ipa dnszone-mod ipa.example --dnssec=1 to enable DNSSEC signing for given zone.

DNSSEC master is not configured#

Verify that one server is configured to be DNSSEC key master. Run following commands on one FreeIPA replica and check that exactly one LDAP entry is printed out:

  • kinit admin

  • ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'

dn: cn=DNSSEC,cn=vm-236.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService

# numEntries: 1
  • If no entry was found, promote one FreeIPA replica to be the DNSSEC key master: ipa-dns-install --dnssec-master

DNSSEC key master services are not running#

Run ipactl status on the DNSSEC key master and check that all services are running: All services should be in state RUNNING except ipa-ods-exporter service which is run only on-demand.

DNS keys are not generated by OpenDNSSEC#

Here we begin with root account on the replica in DNSSEC key master role. First of all switch to user ods so you do not mangle filesystem permissions:

  • sudo -u ods -s /bin/bash

  • source /etc/sysconfig/ods

  • export SOFTHSM2_CONF

Now you can list zones managed by OpenDNSSEC:

  • ods-enforcer zone list (use ods-ksmutil on RHEL 7)

Found Zone: ipa.example; on policy default

If the zone is not in the list, restart ipa-dnskeysyncd service which is responsible for LDAP->OpenDNSSEC synchronization and check its logs if the restart did not help.

If the zone is in the list, verify that DNSSEC keys were generated for the zone. You should see:

  • At least one key with type KSK in state publish or active.

  • At least one key with type ZSK in state active.

  • ods-enforcer key list --verbose (use ods-ksmutil on RHEL 7)

Zone:         Keytype:   State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:     Repository:   Keytag:
ipa.example   ZSK        active    2015-06-03 12:52:07 (retire)   2048    8           623d723...  SoftHSM       60195
ipa.example   KSK        publish   2015-03-06 02:52:07 (ready)    2048    8           60b5ce3...  SoftHSM       6046

Missing keys indicate a problem with OpenDNSSEC or possibly lack of entropy. Check logs for ods-enforcerd service.

DNS keys are stored in local HSM on key master replica#

Verify that keys shown by OpenDNSSEC key list command actually exist in local HSM on the DNSSEC key master replica:

  • sudo -u ods python3 -m ipaserver.dnssec.localhsm (replace python3 with python2 on RHEL 7)

Every CKA_ID has to be listed in twice with boolean parameters shown below. Please ignore other values printed by localhsm command.

zone public keys
{'ipk11label': u'623d723...', 'ipk11verify': True, ...}

zone private keys
{'ipk11label': u'623d723...', 'ipk11sign': True, 'ipk11extractable': True, ...}