[Freeipa-users] ipa-dns-install on a remote host?

Petr Spacek pspacek at redhat.com
Mon Jul 8 07:47:32 UTC 2013


On 5.7.2013 17:59, Schmitt, Christian wrote:
> Yeah, I know that feature, but when I have a view I need to declare two
> zone files (I need to create one by hand and the other will get created
> by ipa-dns). That's not exactly what I'm looking for, since some sites
> shall be the same on both sites, like domain.tld and www.domain.tld are the
> same on both sites. But domain.tld is also a FreeIPA domain and
> intra.domain.tld should only be routed through clients, but stash.domain.tld
> and jira.domain.tld should have both so that it is accessible through the
> Internet but the local clients should use the local IPs.
> Isn't there a delegate-like feature? Or even a feature in FreeIPA that lets
> me delegate some entries only to internal hosts?
>
>
> 2013/7/5 Anthony Messina <amessina at messinet.com>
>
>> On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
>>> Btw, are there any tips on having a second nameserver (public) that just
>>> gives out the important/public hosts? Or is there a good way of having a
>>> domain configured twice? Like the internal IP for ipa-users and the
>>> external IP for the people outside of the internal firewall?
>>
>> Unrelated to FreeIPA, BIND has support for views, which may accomplish this
>> task for you:
>> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

Hello,

FreeIPA doesn't support BIND views.

The simplest way to serve some records only to the internal network but not to
the public Internet is this:
1. create public zone example.com, fill it with shared (public + internal) records
2. create internal zone 'in.example.com', configure zone delegation from 
example.com (NS+A records), add 'internal only' records
3. configure internal zone 'in.example.com' to accept queries only from 
internal network ($ ipa dnszone-mod in.example.com --allow-query='192.0.2.0/24;')

I believe that this solves the basic use case.

-- 
Petr^2 Spacek
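
Added example, not part of the original message or of FreeIPA: a pre-check for the --allow-query value from step 3, to confirm which client addresses the internal zone would answer before the ACL is applied. It follows BIND's address match list rule that the first matching element decides and that no match means the query is refused. The function names and client addresses are constructed for illustration, and only IP/network elements, '!' negation, 'any' and 'none' are handled.

```python
import ipaddress


def parse_acl(acl):
    """Parse a BIND-style address match list into (negated, network) rules."""
    rules = []
    for element in acl.split(";"):
        element = element.strip()
        if not element:
            continue  # the trailing ';' leaves one empty element
        negated = element.startswith("!")
        if negated:
            element = element[1:].strip()
        if element in ("any", "none"):
            negated ^= element == "none"  # 'none' behaves like '!any'
            networks = ["0.0.0.0/0", "::/0"]
        else:
            # Named ACLs (e.g. 'localhost') raise ValueError here on purpose.
            networks = [element]
        for net in networks:
            rules.append((negated, ipaddress.ip_network(net, strict=False)))
    return rules


def query_allowed(acl, client):
    """Return True if a query from `client` would be answered.

    The first element that matches decides; no match means refused.
    """
    addr = ipaddress.ip_address(client)
    for negated, net in parse_acl(acl):
        if addr.version == net.version and addr in net:
            return not negated
    return False


if __name__ == "__main__":
    # Constructed sample clients; the first ACL is the value from step 3.
    acls = ["192.0.2.0/24;", "!192.0.2.99; 192.0.2.0/24;"]
    clients = ["192.0.2.17", "192.0.2.99", "198.51.100.9", "2001:db8::1"]
    for acl in acls:
        for client in clients:
            verdict = "answered" if query_allowed(acl, client) else "refused"
            print(f"{acl!r:32} {client:14} {verdict}")
```

Element order matters: an exclusion such as '!192.0.2.99' only takes effect when it appears before the network that contains it.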



