[Freeipa-users] IPA managed DNS stub-zones

Sigbjorn Lie sigbjorn at nixtra.com
Sat Jun 9 23:27:19 UTC 2012


On 06/09/2012 10:23 PM, Dale Macartney wrote:
>
> Evening all
>
> I am trying to set up a stub zone from my IPA domain (example.com) to my
> Windows domain (nt.example.com).
>
> Network details as follows
>
> example.com
> managed by IPA server ds01.example.com 10.0.1.11
>
> nt.example.com
> managed by Win server dc01.nt.example.com 10.0.2.11
>
> I have tried adding the stub zone on the IPA server from the cli and now
> also from the web UI but results are both the same.
>
> When adding the stub zone, IPA seems to think of it as managing the
> entire zone and not pointing it to the remote DNS server. It basically
> adds itself as the SOA.
>
>
>
> see below output from dig. Queries have been run against ds01.example.com
>
> [root at ds01 ~]# dig -t soa example.com
>
> ;<<>>  DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2<<>>  -t soa example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2632
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;example.com.            IN    SOA
>
> ;; ANSWER SECTION:
> example.com.        86400    IN    SOA    ds01.example.com.
> root.ds01.example.com. 2037 3600 900 1209 3600
>
> ;; AUTHORITY SECTION:
> example.com.        86400    IN    NS    ds01.example.com.
>
> ;; ADDITIONAL SECTION:
> ds01.example.com.    86400    IN    A    10.0.1.11
>
> ;; Query time: 0 msec
> ;; SERVER: 10.0.1.11#53(10.0.1.11)
> ;; WHEN: Sat Jun  9 22:13:51 2012
> ;; MSG SIZE  rcvd: 105
>
> [root at ds01 ~]# dig -t soa nt.example.com
>
> ;<<>>  DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2<<>>  -t soa nt.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37259
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;nt.example.com.            IN    SOA
>
> ;; ANSWER SECTION:
> nt.example.com.        86400    IN    SOA    ds01.example.com.
> root.nt.example.com. 2012090601 3600 900 1209600 3600
>
> ;; AUTHORITY SECTION:
> nt.example.com.        86400    IN    NS    dc01.nt.example.com.
>
> ;; Query time: 2 msec
> ;; SERVER: 10.0.1.11#53(10.0.1.11)
> ;; WHEN: Sat Jun  9 22:14:02 2012
> ;; MSG SIZE  rcvd: 97
>
> [root at ds01 ~]#
>
>
> From the cli and webUI there is no way of adding an alternative SOA
> record. I would prefer to keep all DNS attributes inside of LDAP,
> otherwise there isn't much purpose in running both ldap integrated DNS as
> well as standard bind servers. These should ideally be working together.
>
> Does anyone have any recommendations for setting an alternative SOA
> record for a stub zone in IPA? Has anyone encountered this before?
>
> Many thanks
>

Just create NS records for "nt" in example.com if you are looking to 
delegate the nt.example.com subdomain to another server.

I've never done this with IPA, but this works for bind with files as 
back-end. Provide glue, and then delegate zone:

# glue: address of the delegated name server, stored in the parent zone
$ ipa dnsrecord-add example.com dc01.nt --a-rec=10.0.2.11
# delegation: NS for "nt"; the trailing dot makes the target absolute,
# otherwise it is read relative to the zone (dc01.nt.example.com.example.com)
$ ipa dnsrecord-add example.com nt --ns-rec=dc01.nt.example.com.



Rgds,
Siggi
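A check for the symptom Dale's dig output shows, added here as an example and not part of the thread: it parses a dig answer for the subdomain (the thread's own nt.example.com answer, trimmed and embedded as a constructed sample, plus a constructed healthy referral) and reports when the parent server answers authoritatively for the subdomain, when the SOA MNAME is not one of the delegating NS names, and when an in-zone NS has no glue address.

```python
import re

# Constructed sample: the thread's answer from ds01 for nt.example.com (SOA on one line).
DIG_BROKEN = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
nt.example.com.  86400  IN  SOA  ds01.example.com. root.nt.example.com. 2012090601 3600 900 1209600 3600
;; AUTHORITY SECTION:
nt.example.com.  86400  IN  NS  dc01.nt.example.com.
"""

# Constructed sample: what a correct delegation with glue looks like (a referral, no aa flag).
DIG_DELEGATED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
nt.example.com.  86400  IN  NS  dc01.nt.example.com.
;; ADDITIONAL SECTION:
dc01.nt.example.com.  86400  IN  A  10.0.2.11
"""


def parse_dig(text):
    """Return (flags, records); each record is (section, owner, ttl, class, type, rdata list)."""
    flags, section, records = set(), None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(";"):
            continue  # comments and the QUESTION entry start with ';'
        parts = line.split()
        if section and len(parts) >= 5:
            records.append((section, parts[0], int(parts[1]), parts[2], parts[3], parts[4:]))
    return flags, records


def delegation_problems(zone, text):
    """Findings for a SOA query of `zone` sent to the parent zone's server."""
    flags, records = parse_dig(text)
    findings = []
    soa = [r for r in records if r[0] == "ANSWER" and r[4] == "SOA" and r[1] == zone]
    ns = [r[5][0] for r in records if r[4] == "NS" and r[1] == zone]
    glue = {r[1] for r in records if r[0] == "ADDITIONAL" and r[4] in ("A", "AAAA")}
    if "aa" in flags and soa:
        findings.append("server answers authoritatively for %s: it hosts the zone instead of delegating" % zone)
    for r in soa:
        if ns and r[5][0] not in ns:
            findings.append("SOA MNAME %s is not among the delegated NS %s" % (r[5][0], sorted(ns)))
    if not ns:
        findings.append("no NS record for %s: nothing delegates the subdomain" % zone)
    for target in ns:
        if target.endswith("." + zone) and target not in glue:
            findings.append("in-zone NS %s has no glue address in the ADDITIONAL section" % target)
    return findings
```

Running `delegation_problems("nt.example.com.", DIG_BROKEN)` reports all three problems visible in the thread's output, while the delegated sample reports none.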



