<div dir="ltr"><div> On 22.7.2014 15:33, Shashi M wrote: >> I am looking for some help on DNS configuration migraion from AD to FreeIPA. >> >> I am planning implement AD trust in my current freeIPA setup which is >> currently having AD-IPA one way sync. </div><div> >> </div><div> >> New setup, I would also like to mange the DNS throug IPA. Currently unix >> DNS is hosted on Windows AD servers. I will have to import all the existing >> DNS records in freeIPA. >> >> Is it possible to configure freeIPA DNS service as secondary (slave) to >> existing AD DNS servers? >> >> my planned approach to migrate dns is as below >> >> - Setup new IPA servers with DNS for <a href="http://unix.example.com" target="_blank">unix.example.com</a> domain.... >> - Allow zone transfer from AD to freeIPA to populate freeIPA DNS servers >> - Promote freeIPA as primary DNS server and make AD as secondary DNS > FreeIPA cannot be slave of another DNS server (yet :-). You have the option to > use normal zone transfer, convert data from zone file to LDIF and import the > LDIF directly to LDAP. > See <a href="https://fedorahosted.org/bind-dyndb-ldap/wiki/Migration" target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/Migration</a> and let us know if > you need any assistance. > After that you will see all the data in FreeIPA user interface and all FreeIPA > servers will serve the same copy of the data. >> Is this achivable with freeIPA currently? If not is it possible to have >> bind 9 installed on freeIPA server and still DNS be managed by freeIPA? > FreeIPA uses BIND 9 for it's DNS but all data managed by FreeIPA have to be in > LDAP, not in master files. Anyway, the conversion procedure linked above is > pretty straightforward. > Have a nice day! > -- > Petr^2 Spacek Thanks you Petr for promt response! I will try this in test domain and share the oupt in this thread. </div><div>Regards, Shashikant </div></div><div class="gmail_extra"> <div class="gmail_quote">On Tue, Jul 22, 2014 at 4:54 PM, <<a href="mailto:freeipa-users-request@redhat.com" target="_blank">freeipa-users-request@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Freeipa-users mailing list submissions to <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> or, via email, send a message with subject or body 'help' to <a href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a> You can reach the person managing the list at <a href="mailto:freeipa-users-owner@redhat.com">freeipa-users-owner@redhat.com</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: Correct syntax for round-robin DNS srv records (Mark Heslin) 2. Re: Correct syntax for round-robin DNS srv records (Mark Heslin) 3. DNS migration from AD to freeIPA managed DNS (Shashi M) 4. Re: DNS migration from AD to freeIPA managed DNS (Petr Spacek) 5. Mass update IP addresses (KodaK) 6. Re: Correct syntax for round-robin DNS srv records (Petr Spacek) ---------------------------------------------------------------------- Message: 1 Date: Tue, 22 Jul 2014 08:00:50 -0400 From: Mark Heslin <<a href="mailto:mheslin@redhat.com">mheslin@redhat.com</a>> To: Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>, Martin Basti <<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>> Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Correct syntax for round-robin DNS srv records Message-ID: <<a href="mailto:53CE5272.5040807@redhat.com">53CE5272.5040807@redhat.com</a>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Martin, Petr, I didn't see that missing dot "." - good catch. As always the devil is in the details :-) Two follow up questions: 1. I've set the priority and weighting equally here but I will add a third host so would it make sense to just set both priority and weight to "0" for all three hosts?: # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>." # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 <a href="http://foo2.example.com" target="_blank">foo2.example.com</a>." # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 <a href="http://foo3.example.com" target="_blank">foo3.example.com</a>." 2. To Petr's point about registering the "_foo.tcp" service. By definition this isn't really a true "service" and more like "CNAME with benefits". (Sorry, couldn't resist the bad dating reference ;-)) Do I actually still need to add this to /etc/services? If so, then I'd have to do that for all hosts in the environment, IdM servers, clients, etc., correct? Truth be told, this is just being used for an alternative to a true h/w, s/w load balancer for demonstration purposes so I'm sure adding it to the services file makes sense. Thank you both! -m On 07/22/2014 03:16 AM, Petr Spacek wrote: > On 22.7.2014 00:13, Mark Heslin wrote: >> Hi All, >> >> I had some off-list exchanges with Petr Spacek on this but am still >> trying to >> work out the correct syntax. >> I have 2 hosts: >> >> - <a href="http://foo1.example.com" target="_blank">foo1.example.com</a> >> - <a href="http://foo2.example.com" target="_blank">foo2.example.com</a> >> >> and would like to create a round-robin DNS srv record for both called >> <a href="http://foo.example.com" target="_blank">foo.example.com</a> >> >> I already have DNS entries for both hosts in IPA: >> >> # ipa dnsrecord-show <a href="http://example.com" target="_blank">example.com</a> foo1 >> Record name: foo1 >> A record: 10.0.0.1 >> # ipa dnsrecord-show <a href="http://example.com" target="_blank">example.com</a> foo2 >> Record name: foo2 >> A record: 10.0.0.2 >> >> I'd like to get the correct syntax for adding the srv record for foo. >> My understanding is that it should be something like this: >> >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >> <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>" >> Record name: _foo.tcp >> SRV record: 0 50 53 <a href="http://foo1.example.com" target="_blank">foo1.example.com</a> >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >> <a href="http://foo2.example.com" target="_blank">foo2.example.com</a>" >> Record name: _foo.tcp >> SRV record: 0 50 53 <a href="http://foo2.example.com" target="_blank">foo2.example.com</a> >> >> which seemed to be added ok but on second glance I think not: >> >> # host -t srv _<a href="http://foo.tcp.example.com" target="_blank">foo.tcp.example.com</a> >> _foo.tcp..<a href="http://example.com" target="_blank">example.com</a> has SRV record 0 50 53 >> <a href="http://foo1.example.com.example.com" target="_blank">foo1.example.com.example.com</a>. >> _foo.tcp..<a href="http://example.com" target="_blank">example.com</a> has SRV record 0 50 53 >> <a href="http://foo2.example.com.example.com" target="_blank">foo2.example.com.example.com</a>. >> >> In looking over the description of rfc2782 >> <<a href="http://en.wikipedia.org/wiki/SRV_record" target="_blank">http://en.wikipedia.org/wiki/SRV_record</a>> it appears the IPA syntax is a >> little different, > > I don't think so :-) > > Please note the trailing dot in "target" part of > <a href="http://en.wikipedia.org/wiki/SRV_record#Record_format" target="_blank">http://en.wikipedia.org/wiki/SRV_record#Record_format</a>. > > IPA behaves in the same way as BIND 9: All domain names without > trailing dot are automatically extended with zone origin, i.e. > "<a href="http://example.com" target="_blank">example.com</a>.". > > You have two options: > # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 foo1" (DNS > server will automatically append "<a href="http://example.com" target="_blank">example.com</a>.") > > or > > # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 > <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>." > (please note the trailing dot) > > > > Another note is about "_foo". "foo" should be "service name" according to > <a href="http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml" target="_blank">http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml</a> > > > It will probably not cause any problems if you invent your own name > (preferably prefixed with x- to avoid collisions in future, e.g. > "_x-foo"), but it will not hurt you if you register your protocol into > the registry :-) > See <a href="http://tools.ietf.org/html/rfc6335" target="_blank">http://tools.ietf.org/html/rfc6335</a> > >> and the documentation is scarce so admittedly I'm taking a swag at >> this ;-) >> >> I can do this fine without srv but don't have enough familiarity with >> DNS srv >> here. >> Can anyone help clarify what I'm missing? I'd like to have equal >> weighting, >> priority >> to both hosts - I'm assuming the port (53) is correct for DNS here as >> well. > What are you trying to achieve? The port number refers to port used by > your application, not to DNS. > -- Red Hat Reference Architectures Follow Us: <a href="https://twitter.com/RedHatRefArch" target="_blank">https://twitter.com/RedHatRefArch</a> Plus Us: <a href="https://plus.google.com/u/0/b/114152126783830728030/" target="_blank">https://plus.google.com/u/0/b/114152126783830728030/</a> Like Us: <a href="https://www.facebook.com/rhrefarch" target="_blank">https://www.facebook.com/rhrefarch</a> ------------------------------ Message: 2 Date: Tue, 22 Jul 2014 08:06:42 -0400 From: Mark Heslin <<a href="mailto:mheslin@redhat.com">mheslin@redhat.com</a>> To: Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>>, Martin Basti <<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>> Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Correct syntax for round-robin DNS srv records Message-ID: <<a href="mailto:53CE53D2.8090906@redhat.com">53CE53D2.8090906@redhat.com</a>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 07/22/2014 08:00 AM, Mark Heslin wrote: > Martin, Petr, > > I didn't see that missing dot "." - good catch. As always the devil is > in the details :-) > > Two follow up questions: > > 1. I've set the priority and weighting equally here but I will add a > third host > so would it make sense to just set both priority and weight to > "0" for all three hosts?: > > # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 > <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>." > # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 > <a href="http://foo2.example.com" target="_blank">foo2.example.com</a>." > # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 > <a href="http://foo3.example.com" target="_blank">foo3.example.com</a>." > > 2. To Petr's point about registering the "_foo.tcp" service. By > definition this isn't really > a true "service" and more like "CNAME with benefits". (Sorry, > couldn't resist the bad dating reference ;-)) > Do I actually still need to add this to /etc/services? If so, > then I'd have to do that for > all hosts in the environment, IdM servers, clients, etc., correct? > > Truth be told, this is just being used for an alternative to a > true h/w, s/w load balancer > for demonstration purposes so I'm sure adding it to the services > file makes sense. Gah! I meant to say I'm *not* sure adding it to the services file makes sense. > > Thank you both! > > -m > > > > > On 07/22/2014 03:16 AM, Petr Spacek wrote: >> On 22.7.2014 00:13, Mark Heslin wrote: >>> Hi All, >>> >>> I had some off-list exchanges with Petr Spacek on this but am still >>> trying to >>> work out the correct syntax. >>> I have 2 hosts: >>> >>> - <a href="http://foo1.example.com" target="_blank">foo1.example.com</a> >>> - <a href="http://foo2.example.com" target="_blank">foo2.example.com</a> >>> >>> and would like to create a round-robin DNS srv record for both called >>> <a href="http://foo.example.com" target="_blank">foo.example.com</a> >>> >>> I already have DNS entries for both hosts in IPA: >>> >>> # ipa dnsrecord-show <a href="http://example.com" target="_blank">example.com</a> foo1 >>> Record name: foo1 >>> A record: 10.0.0.1 >>> # ipa dnsrecord-show <a href="http://example.com" target="_blank">example.com</a> foo2 >>> Record name: foo2 >>> A record: 10.0.0.2 >>> >>> I'd like to get the correct syntax for adding the srv record for foo. >>> My understanding is that it should be something like this: >>> >>> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >>> <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>" >>> Record name: _foo.tcp >>> SRV record: 0 50 53 <a href="http://foo1.example.com" target="_blank">foo1.example.com</a> >>> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >>> <a href="http://foo2.example.com" target="_blank">foo2.example.com</a>" >>> Record name: _foo.tcp >>> SRV record: 0 50 53 <a href="http://foo2.example.com" target="_blank">foo2.example.com</a> >>> >>> which seemed to be added ok but on second glance I think not: >>> >>> # host -t srv _<a href="http://foo.tcp.example.com" target="_blank">foo.tcp.example.com</a> >>> _foo.tcp..<a href="http://example.com" target="_blank">example.com</a> has SRV record 0 50 53 >>> <a href="http://foo1.example.com.example.com" target="_blank">foo1.example.com.example.com</a>. >>> _foo.tcp..<a href="http://example.com" target="_blank">example.com</a> has SRV record 0 50 53 >>> <a href="http://foo2.example.com.example.com" target="_blank">foo2.example.com.example.com</a>. >>> >>> In looking over the description of rfc2782 >>> <<a href="http://en.wikipedia.org/wiki/SRV_record" target="_blank">http://en.wikipedia.org/wiki/SRV_record</a>> it appears the IPA syntax >>> is a >>> little different, >> >> I don't think so :-) >> >> Please note the trailing dot in "target" part of >> <a href="http://en.wikipedia.org/wiki/SRV_record#Record_format" target="_blank">http://en.wikipedia.org/wiki/SRV_record#Record_format</a>. >> >> IPA behaves in the same way as BIND 9: All domain names without >> trailing dot are automatically extended with zone origin, i.e. >> "<a href="http://example.com" target="_blank">example.com</a>.". >> >> You have two options: >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 foo1" >> (DNS server will automatically append "<a href="http://example.com" target="_blank">example.com</a>.") >> >> or >> >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >> <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>." >> (please note the trailing dot) >> >> >> >> Another note is about "_foo". "foo" should be "service name" >> according to >> <a href="http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml" target="_blank">http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml</a> >> >> >> It will probably not cause any problems if you invent your own name >> (preferably prefixed with x- to avoid collisions in future, e.g. >> "_x-foo"), but it will not hurt you if you register your protocol >> into the registry :-) >> See <a href="http://tools.ietf.org/html/rfc6335" target="_blank">http://tools.ietf.org/html/rfc6335</a> >> >>> and the documentation is scarce so admittedly I'm taking a swag at >>> this ;-) >>> >>> I can do this fine without srv but don't have enough familiarity >>> with DNS srv >>> here. >>> Can anyone help clarify what I'm missing? I'd like to have equal >>> weighting, >>> priority >>> to both hosts - I'm assuming the port (53) is correct for DNS here >>> as well. >> What are you trying to achieve? The port number refers to port used >> by your application, not to DNS. >> > > -- Red Hat Reference Architectures Follow Us: <a href="https://twitter.com/RedHatRefArch" target="_blank">https://twitter.com/RedHatRefArch</a> Plus Us: <a href="https://plus.google.com/u/0/b/114152126783830728030/" target="_blank">https://plus.google.com/u/0/b/114152126783830728030/</a> Like Us: <a href="https://www.facebook.com/rhrefarch" target="_blank">https://www.facebook.com/rhrefarch</a> ------------------------------ Message: 3 Date: Tue, 22 Jul 2014 14:33:28 +0100 From: Shashi M <<a href="mailto:svm2k20@gmail.com">svm2k20@gmail.com</a>> To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: [Freeipa-users] DNS migration from AD to freeIPA managed DNS Message-ID: <<a href="mailto:CAEouxn_pPv%2BksJGOFZQg%2BCU%2BsO7tuNx_nRqi81H2UrvKUEPquQ@mail.gmail.com">CAEouxn_pPv+ksJGOFZQg+CU+sO7tuNx_nRqi81H2UrvKUEPquQ@mail.gmail.com</a>> Content-Type: text/plain; charset="utf-8" Hi All, I am looking for some help on DNS configuration migraion from AD to FreeIPA. I am planning implement AD trust in my current freeIPA setup which is currently having AD-IPA one way sync. New setup, I would also like to mange the DNS throug IPA. Currently unix DNS is hosted on Windows AD servers. I will have to import all the existing DNS records in freeIPA. Is it possible to configure freeIPA DNS service as secondary (slave) to existing AD DNS servers? my planned approach to migrate dns is as below - Setup new IPA servers with DNS for <a href="http://unix.example.com" target="_blank">unix.example.com</a> domain.... - Allow zone transfer from AD to freeIPA to populate freeIPA DNS servers - Promote freeIPA as primary DNS server and make AD as secondary DNS Is this achivable with freeIPA currently? If not is it possible to have bind 9 installed on freeIPA server and still DNS be managed by freeIPA? Regards, Shashikant -------------- next part -------------- An HTML attachment was scrubbed... URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20140722/ebea6d3d/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-users/attachments/20140722/ebea6d3d/attachment.html</a>> ------------------------------ Message: 4 Date: Tue, 22 Jul 2014 17:01:18 +0200 From: Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] DNS migration from AD to freeIPA managed DNS Message-ID: <<a href="mailto:53CE7CBE.8000205@redhat.com">53CE7CBE.8000205@redhat.com</a>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 22.7.2014 15:33, Shashi M wrote: > I am looking for some help on DNS configuration migraion from AD to FreeIPA. > > I am planning implement AD trust in my current freeIPA setup which is > currently having AD-IPA one way sync. > > New setup, I would also like to mange the DNS throug IPA. Currently unix > DNS is hosted on Windows AD servers. I will have to import all the existing > DNS records in freeIPA. > > Is it possible to configure freeIPA DNS service as secondary (slave) to > existing AD DNS servers? > > my planned approach to migrate dns is as below > > - Setup new IPA servers with DNS for <a href="http://unix.example.com" target="_blank">unix.example.com</a> domain.... > - Allow zone transfer from AD to freeIPA to populate freeIPA DNS servers > - Promote freeIPA as primary DNS server and make AD as secondary DNS FreeIPA cannot be slave of another DNS server (yet :-). You have the option to use normal zone transfer, convert data from zone file to LDIF and import the LDIF directly to LDAP. See <a href="https://fedorahosted.org/bind-dyndb-ldap/wiki/Migration" target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/Migration</a> and let us know if you need any assistance. After that you will see all the data in FreeIPA user interface and all FreeIPA servers will serve the same copy of the data. > Is this achivable with freeIPA currently? If not is it possible to have > bind 9 installed on freeIPA server and still DNS be managed by freeIPA? FreeIPA uses BIND 9 for it's DNS but all data managed by FreeIPA have to be in LDAP, not in master files. Anyway, the conversion procedure linked above is pretty straightforward. Have a nice day! -- Petr^2 Spacek ------------------------------ Message: 5 Date: Tue, 22 Jul 2014 10:04:07 -0500 From: KodaK <<a href="mailto:sakodak@gmail.com">sakodak@gmail.com</a>> To: "<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> Subject: [Freeipa-users] Mass update IP addresses Message-ID: <<a href="mailto:CAA9J0ZH8MkL4N55TK-MhHw2UbK-EtxmhJrLpp4UXPKAZXT161w@mail.gmail.com">CAA9J0ZH8MkL4N55TK-MhHw2UbK-EtxmhJrLpp4UXPKAZXT161w@mail.gmail.com</a>> Content-Type: text/plain; charset="utf-8" For various reasons, I need to move a lot of my IPA clients to a different subnet. I'd like to automate this as much as possible. My initial thought is to use a combination of puppet and ipa commands, but I wanted to see if anyone had any advice. Anything I should watch out for in IPA? I know that's vague, but I'm just seeking general advice. Thanks, --Jason -------------- next part -------------- An HTML attachment was scrubbed... URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20140722/947bd0f9/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-users/attachments/20140722/947bd0f9/attachment.html</a>> ------------------------------ Message: 6 Date: Tue, 22 Jul 2014 17:54:36 +0200 From: Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> To: Mark Heslin <<a href="mailto:mheslin@redhat.com">mheslin@redhat.com</a>>, Martin Basti <<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>> Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] Correct syntax for round-robin DNS srv records Message-ID: <<a href="mailto:53CE893C.4090807@redhat.com">53CE893C.4090807@redhat.com</a>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 22.7.2014 14:06, Mark Heslin wrote: > On 07/22/2014 08:00 AM, Mark Heslin wrote: >> Martin, Petr, >> >> I didn't see that missing dot "." - good catch. As always the devil is in >> the details :-) >> >> Two follow up questions: >> >> 1. I've set the priority and weighting equally here but I will add a third >> host >> so would it make sense to just set both priority and weight to "0" for >> all three hosts?: >> >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 >> <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>." >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 >> <a href="http://foo2.example.com" target="_blank">foo2.example.com</a>." >> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 0 53 >> <a href="http://foo3.example.com" target="_blank">foo3.example.com</a>." >> >> 2. To Petr's point about registering the "_foo.tcp" service. By definition >> this isn't really >> a true "service" and more like "CNAME with benefits". (Sorry, couldn't >> resist the bad dating reference ;-)) >> Do I actually still need to add this to /etc/services? If so, then I'd >> have to do that for >> all hosts in the environment, IdM servers, clients, etc., correct? >> >> Truth be told, this is just being used for an alternative to a true >> h/w, s/w load balancer >> for demonstration purposes so I'm sure adding it to the services file >> makes sense. > > Gah! I meant to say I'm *not* sure adding it to the services file makes sense. For test purposes you can use whatever, preferably something like "_x-test". No modification to /etc/services is necessary. AFAIK /etc/services just allows clients to translate service name to port number but this will not be used anyway because clients will get port number from DNS. Petr^2 Spacek >> Thank you both! >> >> -m >> >> >> >> >> On 07/22/2014 03:16 AM, Petr Spacek wrote: >>> On 22.7.2014 00:13, Mark Heslin wrote: >>>> Hi All, >>>> >>>> I had some off-list exchanges with Petr Spacek on this but am still trying to >>>> work out the correct syntax. >>>> I have 2 hosts: >>>> >>>> - <a href="http://foo1.example.com" target="_blank">foo1.example.com</a> >>>> - <a href="http://foo2.example.com" target="_blank">foo2.example.com</a> >>>> >>>> and would like to create a round-robin DNS srv record for both called >>>> <a href="http://foo.example.com" target="_blank">foo.example.com</a> >>>> >>>> I already have DNS entries for both hosts in IPA: >>>> >>>> # ipa dnsrecord-show <a href="http://example.com" target="_blank">example.com</a> foo1 >>>> Record name: foo1 >>>> A record: 10.0.0.1 >>>> # ipa dnsrecord-show <a href="http://example.com" target="_blank">example.com</a> foo2 >>>> Record name: foo2 >>>> A record: 10.0.0.2 >>>> >>>> I'd like to get the correct syntax for adding the srv record for foo. >>>> My understanding is that it should be something like this: >>>> >>>> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >>>> <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>" >>>> Record name: _foo.tcp >>>> SRV record: 0 50 53 <a href="http://foo1.example.com" target="_blank">foo1.example.com</a> >>>> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 >>>> <a href="http://foo2.example.com" target="_blank">foo2.example.com</a>" >>>> Record name: _foo.tcp >>>> SRV record: 0 50 53 <a href="http://foo2.example.com" target="_blank">foo2.example.com</a> >>>> >>>> which seemed to be added ok but on second glance I think not: >>>> >>>> # host -t srv _<a href="http://foo.tcp.example.com" target="_blank">foo.tcp.example.com</a> >>>> _foo.tcp..<a href="http://example.com" target="_blank">example.com</a> has SRV record 0 50 53 <a href="http://foo1.example.com.example.com" target="_blank">foo1.example.com.example.com</a>. >>>> _foo.tcp..<a href="http://example.com" target="_blank">example.com</a> has SRV record 0 50 53 <a href="http://foo2.example.com.example.com" target="_blank">foo2.example.com.example.com</a>. >>>> >>>> In looking over the description of rfc2782 >>>> <<a href="http://en.wikipedia.org/wiki/SRV_record" target="_blank">http://en.wikipedia.org/wiki/SRV_record</a>> it appears the IPA syntax is a >>>> little different, >>> >>> I don't think so :-) >>> >>> Please note the trailing dot in "target" part of >>> <a href="http://en.wikipedia.org/wiki/SRV_record#Record_format" target="_blank">http://en.wikipedia.org/wiki/SRV_record#Record_format</a>. >>> >>> IPA behaves in the same way as BIND 9: All domain names without trailing >>> dot are automatically extended with zone origin, i.e. "<a href="http://example.com" target="_blank">example.com</a>.". >>> >>> You have two options: >>> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 foo1" (DNS >>> server will automatically append "<a href="http://example.com" target="_blank">example.com</a>.") >>> >>> or >>> >>> # ipa dnsrecord-add <a href="http://example.com" target="_blank">example.com</a> _foo.tcp --srv-rec="0 50 53 <a href="http://foo1.example.com" target="_blank">foo1.example.com</a>." >>> (please note the trailing dot) >>> >>> >>> >>> Another note is about "_foo". "foo" should be "service name" according to >>> <a href="http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml" target="_blank">http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml</a> >>> >>> >>> It will probably not cause any problems if you invent your own name >>> (preferably prefixed with x- to avoid collisions in future, e.g. "_x-foo"), >>> but it will not hurt you if you register your protocol into the registry :-) >>> See <a href="http://tools.ietf.org/html/rfc6335" target="_blank">http://tools.ietf.org/html/rfc6335</a> >>> >>>> and the documentation is scarce so admittedly I'm taking a swag at this ;-) >>>> >>>> I can do this fine without srv but don't have enough familiarity with DNS srv >>>> here. >>>> Can anyone help clarify what I'm missing? I'd like to have equal weighting, >>>> priority >>>> to both hosts - I'm assuming the port (53) is correct for DNS here as well. >>> What are you trying to achieve? The port number refers to port used by your >>> application, not to DNS. ------------------------------ _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> End of Freeipa-users Digest, Vol 72, Issue 66 ********************************************* </blockquote></div> </div>