[Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones
Nathan Peters
2016-01-27 01:54:19 UTC
I have my FreeIPA server setup with a forward only policy for DNS.

If I perform an nslookup against either of the configured forward servers, I can do a reverse lookup properly.

If I perform the same nslookup against my local server, it will not find the entry.

I have confirmed that there are no conflicting zones or reverse zones on my FreeIPA server.

Tests below:

1. Show forwarding configuration

2. Test lookup against localhost of own domain name (prove we can find records we host as primary)

3. Prove we can do forward lookup on the host that we can't reverse lookup on

4. Reverse lookup fails against localhost

5. Reverse lookup succeeds against forward server 1

6. Reverse lookup succeeds against forward server 2

So... if I am set to always forward, and I don't host this domain (or a parent of it), and I can lookup the server on my forwarded domains,

Then... why can't that query get forwarded properly according to my forwarding settings?

1. ===========================
[***@dc2-ipa-dev-van ~]# ipa dnsconfig-show
Global forwarders: 10.21.0.15, 10.21.0.14
Forward policy: only
Allow PTR sync: TRUE
2. ===========================
dc2-ipa-dev-van.dev-mydomain.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: dc2-ipa-dev-van.dev-mydomain.net
Address: 10.21.0.98
3. ===========================
officedc2.office.mydomain.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: officedc2.office.mydomain.net
Address: 10.6.60.6
4. ===========================
10.6.60.6
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find 6.60.6.10.in-addr.arpa: NXDOMAIN
5. ===========================
server 10.21.0.14
Default server: 10.21.0.14
Address: 10.21.0.14#53
10.6.60.6
Server: 10.21.0.14
Address: 10.21.0.14#53

Non-authoritative answer:
6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.

Authoritative answers can be found from:
6. ===========================
server 10.21.0.15
Default server: 10.21.0.15
Address: 10.21.0.15#53
10.6.60.6
Server: 10.21.0.15
Address: 10.21.0.15#53

Non-authoritative answer:
6.60.6.10.in-addr.arpa name = officedc2.office.mydomain.net.

Authoritative answers can be found from:
Nathan Peters
2016-01-27 05:23:11 UTC
I don't know if this is a bug or intended behavior, but if I set those values also in named.conf manually, forwarding of arpa zones works.

I had to do this:
---snip---
forward only;
forwarders { 10.21.0.14; 10.21.0.15; };
---snip---

Previously my file looked like this
---snip---
forward only;
forwarders { };
---snip---
But that shouldn't have mattered, because the server was properly using the ldap global settings for forwarding regular lookups and overriding the named.conf settings properly.

Petr Spacek
2016-01-27 08:23:19 UTC
Hello,

I suspect that you hit a deficiency in bind-dyndb-ldap:
https://fedorahosted.org/bind-dyndb-ldap/ticket/160

I'm working on a fix but it is not ready yet.

Workaround is to add the following line to named.conf on all IPA servers:
disable-empty-zone "10.in-addr.arpa.";

Please confirm that it works for you.
--
Petr^2 Spacek
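The cause Petr points at is BIND's built-in empty zones: named answers RFC 1918 reverse zones such as 10.in-addr.arpa. authoritatively (NXDOMAIN) before any forwarding is considered. As an added check, not code from the thread or from FreeIPA, the Python below computes the in-addr.arpa owner name for an address, reports which built-in empty zone would swallow the PTR query, and emits the disable-empty-zone lines needed for a set of addresses. The empty-zone list is assumed to be the IPv4 portion of RFC 6303; a given BIND version may ship a longer list.

```python
import ipaddress

# Built-in empty zones BIND serves as authoritative and empty.
# Assumption: IPv4 portion of RFC 6303; BIND's own list may contain more entries.
EMPTY_ZONES = [
    "10.in-addr.arpa.",
    *[f"{n}.172.in-addr.arpa." for n in range(16, 32)],
    "168.192.in-addr.arpa.",
    "0.in-addr.arpa.",
    "127.in-addr.arpa.",
    "254.169.in-addr.arpa.",
    "2.0.192.in-addr.arpa.",
    "100.51.198.in-addr.arpa.",
    "113.0.203.in-addr.arpa.",
    "255.255.255.255.in-addr.arpa.",
]


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 10.6.60.6 -> 6.60.6.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def covering_empty_zone(ip: str):
    """Return the built-in empty zone that would answer a PTR query for ip
    locally (with NXDOMAIN) instead of forwarding it, or None if no zone applies."""
    name = reverse_name(ip)
    for zone in EMPTY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def disable_directives(ips):
    """named.conf lines that switch off every built-in empty zone covering
    the given addresses, so their PTR queries reach the configured forwarders."""
    zones = sorted({z for z in map(covering_empty_zone, ips) if z})
    return [f'disable-empty-zone "{z}";' for z in zones]


if __name__ == "__main__":
    # Addresses taken from the thread: the host that failed (10.6.60.6) and the IPA server.
    for line in disable_directives(["10.6.60.6", "10.21.0.98"]):
        print(line)  # prints the single directive Petr suggested for 10.in-addr.arpa.
```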
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project