[Freeipa-users] Disadvantages of using external DNS

Dmitri Pal dpal at redhat.com
Thu Dec 13 00:53:52 UTC 2012


On 12/12/2012 12:42 PM, Petr Spacek wrote:
> On 12/12/2012 06:09 PM, Rashard.Kelly at sita.aero wrote:
>> What are the disadvantages of using an external DNS source?
> You have to create and update all records by hand. Generally, it will
> work if you are careful. Also, you will get quest after adding a new
> IPA replica, potentially after adding a host to IPA realm and so on.
>
>
>> My three options
>> are install DNS services on the IPA server,
> That is the best way. It will provide seamless integration for you.
> All records will be created and updated as necessary.
>
>
>> use the local Active Directory
>> DNS, or connect to a linux based DNS appliance.
> Generally, they are external DNS servers. I'm not aware of any big
> differences (from IPA point of view).
>
>
>> Is it common not to use DNS at
>> all if so what are the drawbacks?
> You can run IPA without any DNS, but it will be a pain. You have to
> configure each host with the address of the KDC etc. Generally, you have to
> statically configure /etc/krb5.conf, /etc/sssd* and others.
>
> We don't support that (in other ways than recommendations). Also,
> configuration without DNS will not work with AD trusts.

We do support it in SSSD 1.9 and IPA 3.0 for IPA client machines. That
was an explicit requirement to allow the use of static host definitions and
avoid relying on DNS.
It is just a lot of management burden for someone to use, but there are
cases when internal company policies prevent doing anything more
reasonable.
>
>> My goal is consolidating all local administration of users to a
>> centralized
>> place in our environment. I have been reading the documentation and the
>> mailing list archives, forgive me If I have overlooked this answer.
> I would recommend adding a sub-domain for IPA and letting IPA manage
> this sub-domain.
>
> If you are in an AD shop "example.com", then you can create the sub-domain
> "ipa.example.com" and delegate (via NS+A records) this ipa sub-domain
> from the AD server to the IPA server with integrated DNS.
>
> Some very basic info can be found in
> https://fedorahosted.org/freeipa/ticket/3268
> specifically
> https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2
>
> Let us know if you need any assistance.
>
>>
>> Thanks,
>> Rashard
>>
>>
>>
>>
>> This document is strictly confidential and intended only for use by the
>> addressee unless otherwise stated. If you are not the intended
>> recipient,
>> please notify the sender immediately and delete it from your system.
> Good joke (on public mailing list) :-D
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
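The NS+A delegation Petr describes above (parent zone example.com in AD, sub-domain ipa.example.com served by IPA's integrated DNS), as an added example that is not part of the original thread and not FreeIPA's own code. It builds the parent-zone records the delegation needs and flags the mistakes that make a delegation unresolvable, chiefly an in-zone name server without a glue A record; all host names and addresses are constructed.

```python
"""Parent-zone side of delegating an IPA sub-domain via NS + glue A records.

Added example (not FreeIPA code). Zone names, host names and addresses
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it (case-insensitive,
    trailing dots ignored)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


@dataclass
class Delegation:
    """Delegation of `child` (e.g. ipa.example.com) out of `parent`
    (e.g. example.com) to the listed name servers.

    `nameservers` maps each NS host name to its glue IPv4 address, or None
    when no glue is supplied (only acceptable for hosts outside `child`).
    """
    parent: str
    child: str
    nameservers: Dict[str, Optional[str]] = field(default_factory=dict)

    def records(self) -> List[str]:
        """Zone-file lines to add to the parent zone: one NS record per
        server, plus a glue A record for every server whose name is inside
        the child zone (without glue the parent could never resolve it)."""
        child = self.child.rstrip(".")
        lines = [f"{child}.\tIN\tNS\t{ns.rstrip('.')}."
                 for ns in sorted(self.nameservers)]
        for ns, ip in sorted(self.nameservers.items()):
            if ip and in_zone(ns, child):
                lines.append(f"{ns.rstrip('.')}.\tIN\tA\t{ip}")
        return lines

    def problems(self) -> List[str]:
        """Conditions that make the delegation unresolvable or fragile."""
        found: List[str] = []
        if not in_zone(self.child, self.parent) or in_zone(self.parent, self.child):
            found.append(f"{self.child} is not a sub-domain of {self.parent}")
        if not self.nameservers:
            found.append("no NS records: nothing to delegate to")
        elif len(self.nameservers) < 2:
            # Advisory: a second IPA replica with DNS removes the single point of failure.
            found.append("single NS: only one server answers for the sub-domain")
        for ns, ip in self.nameservers.items():
            if in_zone(ns, self.child) and not ip:
                found.append(f"{ns} is inside {self.child} but has no glue A record")
            if ip is not None:
                try:
                    ipaddress.IPv4Address(ip)
                except ValueError:
                    found.append(f"{ns}: {ip!r} is not a valid IPv4 glue address")
        return found


if __name__ == "__main__":
    # Constructed scenario: AD hosts example.com, two IPA replicas serve ipa.example.com.
    d = Delegation("example.com", "ipa.example.com",
                   {"ipa1.ipa.example.com": "192.0.2.10",
                    "ipa2.ipa.example.com": "192.0.2.11"})
    print("\n".join(d.records()))
    print(d.problems() or "delegation looks consistent")
```

The printed lines are what the AD administrator adds to the example.com zone; the IPA servers then answer authoritatively for everything under ipa.example.com, which is why the glue check matters: the NS names live in the very zone being delegated, so the parent must carry their addresses itself.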

