[Freeipa-devel] local DNS zone setup, please review
John Dennis
jdennis at redhat.com
Tue Nov 6 21:11:18 UTC 2007
I set up my own local DNS server to assure the forward and reverse DNS
resolutions worked for my IPA test server; Kerberos and possibly other
IPA components will not work if this is not true.
I am not a DNS guru; I muddled my way through it and got something
working, but I'm not 100% sure I did things the right way. I think having
this reviewed would be good, and if it's acceptable I think we might want
to document this in an IPA howto for developers.
* the test server is sitting on a private LAN with 192.168.1.0 addresses.
* I named my domain ipatest.jrd (jrd are my initials). I used .jrd to
prevent any conflicts.
* I edited /etc/named.conf and added these two zones (the zone files are
attached):
zone "ipatest.jrd" IN {
    // this is the authoritative server for
    // ipatest.jrd info
    type master;
    file "ipatest.zone";
};
zone "1.168.192.in-addr.arpa" {
    // this is the authoritative server for
    // the 192.168.1.0 network
    type master;
    file "revp.192.168.1";
};
* I edited /etc/resolv.conf and replaced the two nameservers which had
been defined there with 'nameserver localhost'.
* Back in /etc/named.conf I added:
forwarders {1.2.3.4; 5.6.7.8;};
to the options section with the IP addresses of the name servers which had
been in resolv.conf (1.2.3.4 and 5.6.7.8 for example here; they are our
internal Red Hat DNS servers and I didn't think I should post those
addresses).
Issues/Questions:
* Is forwarders the correct way to resolve locally first but then defer
to other nameservers? At first I had tried to have my local nameserver
and the existing nameservers in resolv.conf, thinking if one failed it
would try the next, but I don't think it works that way. I think the way
it works is that it tries the first one in the list and if there is no
response it tries the next. The problem seemed to be that the first one
in the list (localhost) responded with "I don't know" and no other
nameservers were queried. So I added the forwarders to get the local
nameserver to defer elsewhere. By the way, "public" addresses did
resolve without forwarding; the local nameserver contacted the root as
it should, but our Red Hat addresses were not getting resolved because
the Red Hat DNS server was not getting queried. So is that the right way
to handle that?
* I use vpnc, which wants to write /etc/resolv.conf. I couldn't figure out
how to get vpnc not to trash /etc/resolv.conf (there seem to be some
magic environment variables to control this), so in the vpnc init.d
script I just wrote out a new resolv.conf with what I wanted. Yuck, but
it works; there must be a better way.
--
John Dennis <jdennis at redhat.com>
Attachments:
ipatest.zone: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071106/e69fdd56/attachment.ksh>
revp.192.168.1: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071106/e69fdd56/attachment-0001.ksh>
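The post's whole point is that forward and reverse resolution must agree before Kerberos and IPA will work, and the attached zone files are not reproduced on the page. The script below is an added example (not the poster's code or attachments) that parses a forward zone and its matching in-addr.arpa reverse zone in the usual BIND text form and reports every A record without a PTR pointing back to the same name, and every PTR whose target has no such A record. The zone contents, hostnames and addresses embedded in it are constructed for the example; only the zone names ipatest.jrd and 1.168.192.in-addr.arpa come from the post.

```python
"""Cross-check a BIND forward zone against its in-addr.arpa reverse zone.

Each A record should have a PTR that maps the address back to the same
name, and each PTR should point at a name that really has that A record.
The zone text below is CONSTRUCTED for this example; it is not the
attachment from the original post, and the hosts are assumptions.
"""
import re
from collections import defaultdict

# Constructed forward zone for ipatest.jrd (assumed layout, not the attachment)
FORWARD_ZONE = """\
$TTL 86400
$ORIGIN ipatest.jrd.
@       IN  SOA ns1.ipatest.jrd. hostmaster.ipatest.jrd. (
                2007110601 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
@       IN  NS  ns1.ipatest.jrd.
ns1     IN  A   192.168.1.10
ipa     IN  A   192.168.1.10
client1 IN  A   192.168.1.20
orphan  IN  A   192.168.1.30
"""

# Constructed reverse zone for 1.168.192.in-addr.arpa (assumed, not the attachment)
REVERSE_ZONE = """\
$TTL 86400
$ORIGIN 1.168.192.in-addr.arpa.
@   IN  SOA ns1.ipatest.jrd. hostmaster.ipatest.jrd. (
            2007110601 3600 900 604800 86400 )
@   IN  NS  ns1.ipatest.jrd.
10  IN  PTR ipa.ipatest.jrd.
20  IN  PTR client1.ipatest.jrd.
40  IN  PTR stale.ipatest.jrd.
"""


def qualify(name, origin):
    """Turn a relative owner/target into a fully qualified name under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, TYPE, [rdata...])]) for a simple master file.

    Handles $ORIGIN, $TTL, ';' comments, '(' ')' continuation lines,
    omitted owners (leading whitespace) and optional TTL/class fields.
    """
    origin, last_owner, records, buf = None, None, [], ""
    for raw in (re.sub(r";.*", "", ln).rstrip() for ln in text.splitlines()):
        buf += " " + raw if buf else raw
        if buf.count("(") > buf.count(")"):
            continue  # still inside a multi-line record
        line, buf = buf, ""
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        owner_given = not line[0].isspace()
        toks = line.replace("(", " ").replace(")", " ").split()
        if owner_given:
            last_owner = toks.pop(0)
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)  # skip optional TTL and class
        records.append((qualify(last_owner, origin), toks[0].upper(), toks[1:]))
    return origin, records


def forward_map(records):
    """name -> set of IPv4 addresses from A records."""
    m = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "A":
            m[owner].add(rdata[0])
    return m


def reverse_map(origin, records):
    """IPv4 address -> set of PTR targets, rebuilt from the reverse owner names."""
    prefix = ".".join(reversed(origin.rstrip(".").split(".")[:-2]))  # "192.168.1"
    m = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "PTR" and owner.endswith("." + origin):
            rel = owner[: -len("." + origin)]  # e.g. "10", or "20.10" in a /16 zone
            m[prefix + "." + ".".join(reversed(rel.split(".")))].add(rdata[0])
    return m


def check_consistency(fwd_text, rev_text):
    """Return a list of problems; an empty list means forward and reverse agree."""
    _, fwd_recs = parse_zone(fwd_text)
    rev_origin, rev_recs = parse_zone(rev_text)
    a, ptr = forward_map(fwd_recs), reverse_map(rev_origin, rev_recs)
    problems = []
    for name, ips in sorted(a.items()):
        for ip in sorted(ips):
            targets = ptr.get(ip, set())
            if not targets:
                problems.append(f"{name} -> {ip} has no PTR record")
            elif name not in targets:
                problems.append(f"{name} -> {ip} but PTR says {', '.join(sorted(targets))}")
    for ip, targets in sorted(ptr.items()):
        for t in sorted(targets):
            if ip not in a.get(t, set()):
                problems.append(f"PTR {ip} -> {t} but {t} has no A record for {ip}")
    return problems


if __name__ == "__main__":
    for p in check_consistency(FORWARD_ZONE, REVERSE_ZONE):
        print(p)
```

Run against the constructed zones it flags three things: ns1 shares 192.168.1.10 with ipa but the PTR can only name one of them, orphan has no PTR at all, and the PTR for .40 points at a name with no A record. The first case is the one most worth knowing about for an IPA server, since reverse lookup of its address will always yield the single PTR name; giving the box one canonical A/PTR pair and CNAMEs for other names avoids the ambiguity. On a live system the same check per host is `dig +short A host` followed by `dig +short -x address`.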