[Freeipa-users] IPA DNS forward only is not working
Petr Spacek
pspacek at redhat.com
Tue Nov 27 08:12:50 UTC 2012
Hello once again,
some DNS scenarios are described in
https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v1
It is a preliminary version of new text for the IPA manual. Please report any errors
and ambiguities.
Petr^2 Spacek
On 11/27/2012 08:47 AM, Petr Spacek wrote:
> Hello,
>
> I will try to summarize your question, please correct me if I'm wrong.
>
> - existing Windows domain: example.com
> - installed IPA domain: example.com (I guess from named.conf)
> - you want to query Windows DNS first and then try to query IPA DNS when
> Windows DNS does not have a specific record
>
> Do I understand correctly?
>
>
> From a DNS point of view it doesn't make sense. Only a single database can be
> authoritative for a specific domain. In your case you have to choose if Windows or
> IPA DNS should be authoritative for example.com. There is no
> fallback-if-record-doesn't-exist method. All servers serving a particular zone
> have to have exactly the same database, i.e. they have to be Windows OR IPA
> replicated servers.
>
> Another problem comes from IPA+Windows installation in the same domain. It can
> theoretically work, but you will lose server auto-detection and the ability to
> create a trust between AD and IPA. Please don't do that.
>
> It is much better to create a sub-domain for AD or IPA, e.g. ipa.example.com.
> Then you will create a delegation and glue records in AD DNS (NS+A records in
> example.com) and it will work.
>
>
> If I misunderstood your question please add the following information:
> - FreeIPA version
> rpm -q ipa-server
>
> - bind-dyndb-ldap version
> rpm -q bind-dyndb-ldap
>
> - export configuration object cn=dns, dc=example, dc=com from IPA LDAP
>
> - export IPA zone objects idnsname=*, cn=dns, dc=example, dc=com from IPA LDAP
> (i.e. one level under cn=dns, dc=example, dc=com)
>
> Petr^2 Spacek
>
>
>> I have FreeIPA installed on RHEL 6 server. There is an existing windows
>> domain and DNS; example.com. I created a FreeIPA domain of example.com. I
>> have attempted to configure the "forward first" option in both the DNS Global
>> Configuration and the example.com zone configuration. I would like all
>> lookups to first point to the forwarder and if it is unable to resolve I want
>> it to look at the FreeIPA DNS. As I understand it, the "forward first"
>> setting should accomplish this. Unfortunately DNS is behaving as if the
>> "forward only" option is enabled as it will resolve addresses outside of the
>> FreeIPA example.com domain but will not resolve hosts that are only in the
>> FreeIPA example.com domain. I am very new to FreeIPA and would appreciate any
>> help that can be provided.
>>
>> Here is my named.conf:
>> options {
>>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>     listen-on-v6 {any;};
>>
>>     // Put files that named is allowed to write in the data/ directory:
>>     directory "/var/named"; // the default
>>     dump-file "data/cache_dump.db";
>>     statistics-file "data/named_stats.txt";
>>     memstatistics-file "data/named_mem_stats.txt";
>>
>>     forward first;
>>     forwarders {
>>         192.168.x.x;
>>     };
>>
>>     // Any host is permitted to issue recursive queries
>>     allow-recursion { any; };
>>
>>     tkey-gssapi-credential "DNS/freeipa.example.com";
>>     tkey-domain "EXAMPLE.COM";
>> };
>>
>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>  * so put the default debug log file in data/ :
>>  */
>> logging {
>>     channel default_debug {
>>         file "data/named.run";
>>         severity dynamic;
>>     };
>> };
>>
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>>
>> dynamic-db "ipa" {
>>     library "ldap.so";
>>     arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
>>     arg "base cn=dns, dc=example,dc=com";
>>     arg "fake_mname freeipa.example.com.";
>>     arg "auth_method sasl";
>>     arg "sasl_mech GSSAPI";
>>     arg "sasl_user DNS/freeipa.example.com";
>>     arg "zone_refresh 30";
>> };
--
Petr^2 Spacek
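An added example, not part of the thread or of FreeIPA: a small Python model of the two layouts discussed above, showing why "forward first" cannot merge two servers that both claim example.com (the forwarder's NXDOMAIN is a final answer, so the IPA data is never consulted), while delegating ipa.example.com with NS+A glue records does work. All host names, addresses and records are constructed, and the forwarding logic is a simplification of BIND's behaviour (a real server would recurse from the roots rather than consult local data on forwarder failure).

```python
# Constructed zone data, fqdn -> (type, rdata); glue A records sit beside NS.
# Layout A: Windows and IPA both claim example.com (the poster's setup).
WINDOWS_OVERLAP = {"example.com": {"dc1.example.com": ("A", "192.0.2.10")}}
IPA_OVERLAP = {"example.com": {"freeipa.example.com": ("A", "192.0.2.20")}}
# Layout B: Windows serves example.com and delegates ipa.example.com to IPA.
WINDOWS_DELEGATING = {"example.com": {
    "dc1.example.com": ("A", "192.0.2.10"),
    "ipa.example.com": ("NS", "freeipa.ipa.example.com"),   # delegation
    "freeipa.ipa.example.com": ("A", "192.0.2.20")}}        # glue
IPA_SUBDOMAIN = {"ipa.example.com": {
    "freeipa.ipa.example.com": ("A", "192.0.2.20")}}
SERVERS = {"192.0.2.10": WINDOWS_DELEGATING, "192.0.2.20": IPA_SUBDOMAIN}

def authoritative_query(zones, qname):
    """Answer as an authoritative server would: 'answer', 'referral' (with the
    glue address), 'nxdomain' inside our zone, or 'refused' outside all zones."""
    zone = max((z for z in zones if qname == z or qname.endswith("." + z)),
               key=len, default=None)
    if zone is None:
        return "refused", None
    rrs = zones[zone]
    labels = qname.split(".")
    for i in range(1, len(labels)):            # look for a zone cut below apex
        cut = ".".join(labels[i:])
        if cut == zone:
            break
        if rrs.get(cut, ("",))[0] == "NS":
            return "referral", rrs[rrs[cut][1]][1]   # glue address of the NS
    if qname in rrs:
        return "answer", rrs[qname][1]
    return "nxdomain", None

def forward_first(qname, forwarder, local, servers):
    """'forward first' as modelled here: ask the forwarder, follow a referral,
    and fall back to local data only when the forwarder gives no usable reply
    (refused). NXDOMAIN is a usable reply, so it is final and no fallback runs."""
    status, data = authoritative_query(forwarder, qname)
    if status == "referral":
        status, data = authoritative_query(servers[data], qname)
    if status == "refused":
        status, data = authoritative_query(local, qname)
    return status, data

if __name__ == "__main__":
    # Overlap: Windows says NXDOMAIN for the IPA host and IPA is never asked.
    print(forward_first("freeipa.example.com", WINDOWS_OVERLAP, IPA_OVERLAP, SERVERS))
    # Delegation: the referral leads to IPA, which answers authoritatively.
    print(forward_first("freeipa.ipa.example.com", WINDOWS_DELEGATING, IPA_SUBDOMAIN, SERVERS))
```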