[Freeipa-users] tough one on DNS

Armstrong, Kenneth Lawrence klarmstrong2 at liberty.edu
Fri Aug 9 13:29:18 UTC 2013


Hi all.

We have IdM set up in a test environment as a subdomain of our Windows domain (so, linux.example.com) with integrated DNS on the IdM server and forwarders going to the AD servers on example.com. We have on the Windows DNS server the IdM server set up as a conditional forwarder for linux.example.com and an A record in its DNS for the IdM server.

However, on example.com, we have other subdomains that need to be able to communicate with the linux.example.com domain, such as tier1.example.com, tier2.example.com, etc.

What we are trying to figure out is the whole PTR reverse zone bit, mainly due to the fact that linux.example.com and example.com reside on the same subnets (and unfortunately, this is a very large network and we can't change that).

For instance, say we have a system at test1.tier2.example.com that needs to make an SSL connection to another system on testA.linux.example.com.  The SSL handshake will fail since the PTR record will resolve to a different domain than what the client is expecting, again due to the fact that the reverse zone is on the same subnet.  The reverse zone on the Windows DNS server would only contain PTR records for all of the domains except linux.example.com, and the IdM server would only contain PTR records for just the linux.example.com systems.

So, obviously, we would not want the IdM server to have a reverse zone, and have it rely on the reverse zone on the Windows DNS server.  Other than manually entering PTR records for all Linux systems under linux.example.com to the reverse zone file on the Windows DNS server, is there another way that we can properly accomplish this?  Would replicating the reverse zone file from the Windows server to the IdM server take care of that?

Thanks.

-Kenny
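As an added example (not part of Kenny's message or of the FreeIPA project), here is a small offline audit of the forward/reverse split described above: it reads a combined view of the A records from both forward zones and the PTR records from the shared reverse zone, flags hosts whose PTR is missing or names a different host, and lists the PTR records the reverse zone would need. The zone data is constructed, and the helper names are hypothetical.

```python
# Added example, not from the original thread. Zone data below is constructed
# to mirror the post: the Windows DNS reverse zone covers the shared subnet,
# the IdM server's linux.example.com hosts have no PTRs there yet.
from collections import defaultdict
import ipaddress

# Forward view: A records merged from example.com subdomains and linux.example.com
FORWARD = {
    "test1.tier2.example.com.": "10.1.2.10",
    "testa.linux.example.com.": "10.1.2.20",
    "testb.linux.example.com.": "10.1.2.30",
}
# Reverse view: PTR records as served by the Windows reverse zone for 10.1.2.0/24
REVERSE = {
    "10.2.1.10.in-addr.arpa.": "test1.tier2.example.com.",
    "30.2.1.10.in-addr.arpa.": "oldhost.tier1.example.com.",  # stale entry
}

def ptr_name(ip):
    """Return the in-addr.arpa owner name (with trailing dot) for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def audit(forward, reverse):
    """Return (fqdn, ip, problem) tuples for every forward/reverse mismatch."""
    problems = []
    for fqdn, ip in sorted(forward.items()):
        target = reverse.get(ptr_name(ip))
        if target is None:
            problems.append((fqdn, ip, "no PTR record"))
        elif target != fqdn:
            problems.append((fqdn, ip, f"PTR points to {target}"))
    # A single PTR can only name one host, so an IP with several A records can
    # never satisfy a reverse check for all of them; report those as well.
    by_ip = defaultdict(list)
    for fqdn, ip in forward.items():
        by_ip[ip].append(fqdn)
    for ip, names in sorted(by_ip.items()):
        if len(names) > 1:
            problems.append((",".join(sorted(names)), ip, "multiple A records share this IP"))
    return problems

def missing_ptr_records(forward, reverse):
    """Zone-file lines for hosts that have no PTR at all in the reverse zone."""
    return [f"{ptr_name(ip)} IN PTR {fqdn}"
            for fqdn, ip in sorted(forward.items())
            if ptr_name(ip) not in reverse]

if __name__ == "__main__":
    for fqdn, ip, problem in audit(FORWARD, REVERSE):
        print(f"{fqdn:32} {ip:15} {problem}")
    print("\n".join(missing_ptr_records(FORWARD, REVERSE)))
```

Running it against the constructed data reports testa (no PTR) and testb (PTR names a stale host), which is exactly the mismatch a peer in tier2.example.com would see when it looks up the reverse name.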


