
FreeIPA DNS workaround for DNS zone [...]. already exists in DNS and is handled by server(s):

10-04-2018 | Remy van Elst


Recently I ran into an issue with FreeIPA when trying to add an existing DNS zone. The zone already exists on the internet, so, logically, FreeIPA wouldn't allow me to hijack this domain locally. My use case is special, so I wanted to forcefully add this zone as a forward zone.

In the web UI of FreeIPA when trying to add this existing zone, the following error appears:

DNS zone already exists in DNS and is handled by server(s):,

This is a sensible error, since hijacking a domain like this is a bad idea: features like DNSSEC will bite you.

My setup, however, was different. In this setup the domain was delegated to this environment, but via some tunneling constructions VPSes in this environment would be able to connect internally to the domain. So I want the FreeIPA system, which is also the DNS resolver, to forward queries for to the local internal nameserver in the domain instead of resolving them externally.

FreeIPA wouldn't let me do that via the GUI, which is IMHO the right choice, since you are doing something that will normally break stuff. Using the command line we can skip this overlap check with the --skip-overlap-check flag:

ipa dnsforwardzone-add  --skip-overlap-check --forwarder= --forwarder= --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
  Zone name:
  Active zone: TRUE
  Zone forwarders:,
  Forward policy: only

If you do not want to add a forward zone, you can also use this flag to add a regular zone:

ipa dnszone-add --skip-overlap-check --forwarder= --forwarder= --forward-policy=only
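As an added example (not from the article or from FreeIPA itself), the preflight script below does by hand the overlap check that the flag bypasses, tests each forwarder the way the "Server will check DNS forwarder(s)" step does, and only then prints the dnsforwardzone-add command. It assumes dig is installed and that the zone and forwarder values are passed as arguments; example.test and the 10.0.0.x addresses in the comments are constructed placeholders.

```shell
#!/bin/sh
# Manual overlap check (what --skip-overlap-check bypasses) plus a forwarder
# check, run before the zone is created. Assumptions (not from the article):
# 'dig' from bind-utils is installed; zone and forwarders come as arguments.

# classify_overlap NS_OUTPUT DS_OUTPUT  (texts of 'dig +short NS/DS <zone>')
# Exit status: 0 no public delegation, 1 handled by other servers,
# 2 handled elsewhere and DNSSEC-signed (the case the article warns about).
classify_overlap() {
  # drop dig's own ';;' status lines (e.g. timeouts) so only records count
  ns_out=$(printf '%s\n' "$1" | sed '/^;/d; /^$/d')
  ds_out=$(printf '%s\n' "$2" | sed '/^;/d; /^$/d')
  if [ -z "$ns_out" ]; then
    echo "no public NS records for the zone: no overlap"
    return 0
  fi
  servers=$(printf '%s\n' "$ns_out" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
  if [ -n "$ds_out" ]; then
    echo "overlap: handled by $servers and DNSSEC-signed (DS at parent); validating resolvers will SERVFAIL on unsigned local answers"
    return 2
  fi
  echo "overlap: handled by $servers; local answers will replace the public ones for every IPA client"
  return 1
}

# forwarder_answers_zone FORWARDER ZONE: does the internal server reply
# authoritatively (aa flag) for the zone's SOA? Like ipa's forwarder check.
forwarder_answers_zone() {
  dig +norecurse +time=2 +tries=1 "@$1" "$2" SOA 2>/dev/null | grep -q 'flags:[^;]* aa'
}

# forwardzone_cmd ZONE POLICY FWD...: assemble the ipa command from the
# article; rejects an invalid forward policy instead of passing it through.
forwardzone_cmd() {
  zone=$1; policy=$2; shift 2
  case "$policy" in only|first|none) ;; *) echo "invalid forward policy: $policy" >&2; return 1 ;; esac
  fwds=''; for f in "$@"; do fwds="$fwds --forwarder=$f"; done
  printf 'ipa dnsforwardzone-add %s --skip-overlap-check%s --forward-policy=%s\n' "$zone" "$fwds" "$policy"
}

# usage: preflight.sh ZONE FORWARDER...  (prints the command, does not run it)
if [ $# -ge 2 ]; then
  zone=$1; shift
  classify_overlap "$(dig +short NS "$zone")" "$(dig +short DS "$zone")" && rc=0 || rc=$?
  for f in "$@"; do
    forwarder_answers_zone "$f" "$zone" || echo "warning: $f does not answer authoritatively for $zone" >&2
  done
  [ "$rc" -eq 2 ] && { echo "refusing: sign the internal zone with the published keys first" >&2; exit 2; }
  forwardzone_cmd "$zone" only "$@"
fi
```

The script only prints the command so you can read the overlap report first; the exit status 2 path is the DNSSEC case the article warns about.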

Tags: bind  dns  freeipa  network  snippets  traceroute