Problem
In automated testing of FreeIPA on Fedora 35, we found that upgrading a FreeIPA server with dnssec validation enabled to Fedora 35 may possibly break DNS resolution of hosts in dnssec-enabled domains.
This problem occurs in our automated testing environment, but has not yet been successfully replicated outside it, so it may be specific somehow to that environment.
Related Issues
Bugzilla report: #1999321
Workarounds
If after upgrading a FreeIPA server configured to act as a DNS server to Fedora 35 you find that you have problems when resolving hosts in dnssec-enabled domains, you can try disabling dnssec validation on the server:
ipa-dns-install --disable-dnssec-master