[Freeipa-users] Partial Domain Authority

Petr Spacek pspacek at redhat.com
Wed Apr 9 07:29:06 UTC 2014


On 9.4.2014 00:06, Simo Sorce wrote:
> On Tue, 2014-04-08 at 16:42 -0500, Justin Brown wrote:
>> I'm sure that I'm doing this very wrong, but I'm wondering if anyone
>> can offer any solutions.
>>
>> I currently have a relatively small domain that's used internally.
>> Let's say fandingo.org. This domain covers various class C networks on
>> 192.168.0.0/16. Currently, there's an Active Directory server that
>> provides internal (and forwarding) DNS for fandingo.org. I'm in the
>> experimentation phase with FreeIPA in this environment and don't want
>> to modify anything outside of FreeIPA for the time being.
>>
>> FreeIPA is set up with DNS and has the fandingo.org domain controllers
>> set up as forwarders. I have my laptop joined to the FreeIPA domain,
>> but that's where the problem starts. I can correctly resolve any
>> *.fandingo.org resource in FreeIPA. The problem is that I want to
>> resolve *.fandingo.org resources that are defined in the Active
>> Directory DNS.
>>
>> Does anyone know how I can configure FreeIPA/BIND to forward all
>> requests (even those for its own domain) that it can't satisfy rather
>> than returning NXDOMAIN?
>
> Is FreeIPA shadowing an AD domain?
> I.e., are the AD domain and FreeIPA domain using the same domain name?
>
> That would be bad.
> If you want to manage fandingo.org in AD it would be a better idea to
> create an ipa.fandingo.org domain for IPA. Then set forwarders *both* ways
> (or just delegate the domain from AD) to IPA, so all clients, regardless
> of what DNS server they are using, can resolve both *.fandingo.org hosts (via
> AD DNS) and *.ipa.fandingo.org hosts (via FreeIPA DNS).

Let me add that name collisions/domain shadowing cannot be handled by standard 
means.

The name resolution algorithm for an authoritative server is standardized here:
http://tools.ietf.org/html/rfc6672#section-3.2

See the end of step 3-C:

     If the "*" label does not exist, check whether the name we
     are looking for is the original QNAME in the query or a name
     we have followed due to a CNAME or DNAME.  If the name is
     original, set an authoritative name error in the response and
     exit.

Simo's proposal is the best thing you can do and it requires minimal changes 
on the AD side (i.e. adding 2*(number of IPA servers) DNS records to AD).

Please see
http://www.freeipa.org/page/Deployment_Recommendations .

Have a nice day!

-- 
Petr^2 Spacek

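The following is an added illustration, not code from this thread or from FreeIPA or BIND. It is a toy model of the authoritative lookup from RFC 6672 section 3.2 (exact match, zone cut -> referral, wildcard, otherwise the step 3-C name error) plus a minimal client-side resolver that forwards out-of-zone queries and chases referrals. It replays both setups discussed above: an IPA server that shadows fandingo.org (an AD-only name gets NXDOMAIN and the forwarder is never consulted, because the server is authoritative for the name), and the delegated ipa.fandingo.org layout, where the AD zone carries one NS and one glue A record per IPA server. Host names, addresses and record contents are constructed for the example.

```python
"""Toy authoritative lookup (RFC 6672 sec. 3.2, simplified) and a client
resolver, to show why a shadowed zone yields NXDOMAIN and delegation does not."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Rdata = Dict[str, List[str]]          # rrtype -> list of rdata strings
Result = Tuple[str, Optional[List[str]]]


@dataclass
class Zone:
    origin: str                         # apex name, lowercase, no trailing dot
    records: Dict[str, Rdata]           # owner name -> rrsets

    def contains(self, name: str) -> bool:
        return name == self.origin or name.endswith("." + self.origin)

    def ancestors(self, qname: str) -> List[str]:
        """Names from the first label below the apex down to qname itself."""
        if qname == self.origin:
            return []
        rel = qname[: -len(self.origin) - 1].split(".")
        return [".".join(rel[i:]) + "." + self.origin for i in range(len(rel) - 1, -1, -1)]


def authoritative_lookup(zone: Zone, qname: str, qtype: str) -> Result:
    if not zone.contains(qname):
        return ("OUTOFZONE", None)      # not our zone; a forwarder may be used
    # Walking down from the apex, an NS rrset below the apex is a zone cut.
    for node in zone.ancestors(qname):
        rr = zone.records.get(node)
        if rr and "NS" in rr:
            return ("REFERRAL", rr["NS"])
    rr = zone.records.get(qname)
    if rr is not None:
        return ("ANSWER", rr[qtype]) if qtype in rr else ("NODATA", None)
    # Closest encloser = longest existing ancestor; then try its "*" child.
    encloser = zone.origin
    for node in zone.ancestors(qname):
        if node not in zone.records:
            break
        encloser = node
    wild = zone.records.get("*." + encloser)
    if wild is not None:
        return ("ANSWER", wild[qtype]) if qtype in wild else ("NODATA", None)
    return ("NXDOMAIN", None)           # RFC 6672 step 3-C: authoritative name error


@dataclass
class Server:
    name: str                           # its own host name; used as NS target
    zones: List[Zone]
    forwarders: List[str] = field(default_factory=list)


def resolve(servers: Dict[str, Server], at: str, qname: str, qtype: str, depth: int = 0) -> Result:
    """Ask server `at`; forward only when no local zone covers qname; chase referrals."""
    if depth > 8:
        return ("SERVFAIL", None)
    srv = servers[at]
    for zone in sorted(srv.zones, key=lambda z: len(z.origin), reverse=True):
        status, data = authoritative_lookup(zone, qname, qtype)
        if status == "OUTOFZONE":
            continue
        if status == "REFERRAL":
            return resolve(servers, data[0], qname, qtype, depth + 1)
        return (status, data)           # includes NXDOMAIN: forwarders are NOT tried
    if srv.forwarders:
        return resolve(servers, srv.forwarders[0], qname, qtype, depth + 1)
    return ("REFUSED", None)


def build_shadowed() -> Dict[str, Server]:
    """Both AD and IPA claim fandingo.org (constructed data)."""
    ad = Server("dc1.fandingo.org", [Zone("fandingo.org", {
        "fandingo.org": {"SOA": ["dc1 hostmaster 1"], "NS": ["dc1.fandingo.org"]},
        "dc1.fandingo.org": {"A": ["192.168.1.5"]},
        "fileserver.fandingo.org": {"A": ["192.168.1.10"]}})])
    ipa = Server("ipa1.fandingo.org", [Zone("fandingo.org", {
        "fandingo.org": {"SOA": ["ipa1 hostmaster 1"], "NS": ["ipa1.fandingo.org"]},
        "ipa1.fandingo.org": {"A": ["192.168.5.1"]}})], forwarders=["dc1.fandingo.org"])
    return {ad.name: ad, ipa.name: ipa}


def build_delegated() -> Dict[str, Server]:
    """AD keeps fandingo.org and delegates ipa.fandingo.org: NS + glue A per IPA server."""
    ad = Server("dc1.fandingo.org", [Zone("fandingo.org", {
        "fandingo.org": {"SOA": ["dc1 hostmaster 2"], "NS": ["dc1.fandingo.org"]},
        "dc1.fandingo.org": {"A": ["192.168.1.5"]},
        "fileserver.fandingo.org": {"A": ["192.168.1.10"]},
        "ipa.fandingo.org": {"NS": ["ipa1.ipa.fandingo.org"]},         # delegation
        "ipa1.ipa.fandingo.org": {"A": ["192.168.5.1"]}})])              # glue
    ipa = Server("ipa1.ipa.fandingo.org", [Zone("ipa.fandingo.org", {
        "ipa.fandingo.org": {"SOA": ["ipa1 hostmaster 1"], "NS": ["ipa1.ipa.fandingo.org"]},
        "ipa1.ipa.fandingo.org": {"A": ["192.168.5.1"]},
        "laptop.ipa.fandingo.org": {"A": ["192.168.5.20"]}})], forwarders=["dc1.fandingo.org"])
    return {ad.name: ad, ipa.name: ipa}


def scenario_results() -> Dict[str, Result]:
    shadow, deleg = build_shadowed(), build_delegated()
    return {
        "shadow_ad_name_via_ipa": resolve(shadow, "ipa1.fandingo.org", "fileserver.fandingo.org", "A"),
        "shadow_ipa_name_via_ipa": resolve(shadow, "ipa1.fandingo.org", "ipa1.fandingo.org", "A"),
        "deleg_ad_name_via_ipa": resolve(deleg, "ipa1.ipa.fandingo.org", "fileserver.fandingo.org", "A"),
        "deleg_ipa_name_via_ad": resolve(deleg, "dc1.fandingo.org", "laptop.ipa.fandingo.org", "A"),
    }


if __name__ == "__main__":
    for label, result in scenario_results().items():
        print(f"{label}: {result}")
```

The model deliberately omits CNAME/DNAME handling, DS lookups at the cut and caching; the point it isolates is the one Petr quotes: once a server is authoritative for the queried name's zone, a miss is a name error, not a reason to consult forwarders, so only a separate delegated zone lets both sides answer.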