Resolving DNSSEC-enabled domains may fail after FreeIPA server upgrade to Fedora 35


In automated testing of FreeIPA on Fedora 35, we found that upgrading a FreeIPA server with DNSSEC validation enabled to Fedora 35 may break DNS resolution of hosts in DNSSEC-enabled domains.

This problem occurs in our automated testing environment, but has not yet been successfully replicated outside it, so it may be specific to that environment in some way.

Related Issues

Bugzilla report: #1999321


If, after upgrading a FreeIPA server configured to act as a DNS server to Fedora 35, you find that you have problems resolving hosts in DNSSEC-enabled domains, you can try disabling DNSSEC validation on the server:

ipa-dns-install --disable-dnssec-master
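
Before applying the workaround, it helps to confirm that the failures really come from DNSSEC validation. The script below is an added example, not part of the original report or of FreeIPA: it compares the answer status of a normal query with that of a query sent with dig's `+cd` (checking disabled) flag. The function names and the sample header lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from other
# resolution failures by comparing a normal query with a +cd query.

# Read dig output on stdin and print the response status
# (NOERROR, SERVFAIL, NXDOMAIN, ...). Prints nothing if no header is found.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <status with validation> <status with +cd>
classify() {
    if [ "$1" = "NOERROR" ]; then
        echo "ok"
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        # Fails only while the resolver validates: DNSSEC is the cause.
        echo "dnssec-validation-failure"
    else
        # Fails either way (or timed out): look elsewhere.
        echo "other-failure"
    fi
}

# check_host <resolver address> <host name>: live comparison using dig.
check_host() {
    validated=$(dig "@$1" "$2" A +time=3 +tries=1 | dig_status)
    unchecked=$(dig "@$1" "$2" A +cd +time=3 +tries=1 | dig_status)
    classify "$validated" "$unchecked"
}

# Constructed sample dig header lines, so the script runs offline.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712'

# Demonstration on the constructed samples.
classify "$(printf '%s\n' "$SAMPLE_FAIL" | dig_status)" \
         "$(printf '%s\n' "$SAMPLE_OK" | dig_status)"
```

On the upgraded server, `check_host 127.0.0.1 <name>` runs the same comparison against the local resolver; it needs `dig` from the bind-utils package.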