[Freeipa-devel] local DNS zone setup, please review

John Dennis jdennis at redhat.com
Tue Nov 6 21:11:18 UTC 2007


I set up my own local DNS server to assure that the forward and reverse DNS 
resolutions worked for my IPA test server; Kerberos and possibly other 
IPA components will not work if this is not true.

I am not a DNS guru. I muddled my way through it and got something 
working, but I'm not 100% sure I did things the right way. I think having 
this reviewed would be good, and if it's acceptable I think we might want 
to document this in an IPA howto for developers.

* The test server is sitting on a private LAN with 192.168.1.0 addresses.

* I named my domain ipatest.jrd (jrd are my initials). I used .jrd to 
prevent any conflicts

* I edited /etc/named.conf and added these two zones (the zone files are 
attached):

zone "ipatest.jrd" IN {
   // this is the authoritative server for
   // ipatest.jrd info
   type master;
   file "ipatest.zone";
};

zone "1.168.192.in-addr.arpa" {
   // this is the authoritative server for
   // the 192.168.1.0 network
   type master;
   file "revp.192.168.1";
};

* I edited /etc/resolv.conf and replaced the two nameservers which had 
been defined there with 'nameserver localhost'

* Back in /etc/named.conf I added:

forwarders { 1.2.3.4; 5.6.7.8; };

to the options section with the IP addresses of the name servers which had 
been in resolv.conf (1.2.3.4 and 5.6.7.8 are examples here; they are our 
internal Red Hat DNS servers and I didn't think I should post those 
addresses).

Issues/Questions:

* Is forwarders the correct way to resolve locally first but then defer 
to other nameservers? At first I had tried to have my local nameserver 
and the existing nameservers in resolv.conf, thinking that if one failed it 
would try the next, but I don't think it works that way. I think the way 
it works is that it tries the first one in the list and, if there is no 
response, it tries the next. The problem seemed to be that the first one 
in the list (localhost) responded with "I don't know" and no other 
nameservers were queried. So I added the forwarders to get the local 
nameserver to defer elsewhere. By the way, "public" addresses did 
resolve without forwarding (the local nameserver contacted the root as 
it should), but our Red Hat addresses were not getting resolved because 
the Red Hat DNS server was not getting queried. So is that the right way 
to handle that?

* I use VPC, which wants to write /etc/resolv.conf. I couldn't figure out 
how to get VPC not to trash /etc/resolv.conf (there seem to be some 
magic environment variables to control this), so in the vpnc init.d 
script I just wrote out a new resolv.conf with what I wanted. Yuck, but 
it works; there must be a better way.

-- 
John Dennis <jdennis at redhat.com>
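The post's reason for running a local server is that Kerberos needs forward and reverse lookups to agree. The following added example (not part of the post, and not one of its attachments, which are not reproduced here) parses two constructed zone files in the style of the ones described, one for ipatest.jrd and one for 1.168.192.in-addr.arpa, and reports every A record without a matching PTR and every PTR without a matching A record. The hostnames and addresses are made up for the sample.

```python
"""Check that a forward zone and its in-addr.arpa reverse zone agree: Kerberos
wants every A record to have a PTR record mapping back to the same name."""
import ipaddress

# Constructed sample zones in the style of the post (its attachments are absent).
FORWARD_ZONE = """\
@      IN SOA ns1.ipatest.jrd. hostmaster.ipatest.jrd. (2007110601 3600 900 604800 86400)
       IN NS  ns1.ipatest.jrd.
ns1    IN A   192.168.1.2
ipa    IN A   192.168.1.10
client IN A   192.168.1.20
"""
REVERSE_ZONE = """\
@  IN SOA ns1.ipatest.jrd. hostmaster.ipatest.jrd. (2007110601 3600 900 604800 86400)
   IN NS  ns1.ipatest.jrd.
2  IN PTR ns1.ipatest.jrd.
10 IN PTR ipa.ipatest.jrd.
"""

def records(zone_text, rrtype):
    """Yield (owner, rdata) for lines of the form 'owner IN <rrtype> rdata'."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] == rrtype:
            yield fields[0], fields[3]

def fqdn(name, origin):
    """Qualify a relative owner name against the zone origin."""
    return name if name.endswith(".") else f"{name}.{origin}."

def check_zones(forward, reverse, origin, network):
    """Return a list of mismatches; an empty list means the zones agree."""
    net = ipaddress.ip_network(network)
    a_map = {fqdn(owner, origin): addr for owner, addr in records(forward, "A")}
    # In a /24 reverse zone the owner is the last octet; rebuild the address.
    ptr_map = {str(net.network_address + int(o)): t for o, t in records(reverse, "PTR")}
    problems = []
    for name, addr in a_map.items():
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"{name} -> {addr} is outside {network}")
        elif ptr_map.get(addr) != name:
            problems.append(f"no PTR for {addr} pointing back to {name}")
    for addr, target in ptr_map.items():
        if a_map.get(target) != addr:
            problems.append(f"PTR {addr} -> {target} has no matching A record")
    return problems
```

Running check_zones(FORWARD_ZONE, REVERSE_ZONE, "ipatest.jrd", "192.168.1.0/24") on the samples flags the client host, whose A record has no PTR; a host in that state will typically fail Kerberos reverse-lookup checks.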

