[Freeipa-users] Export DNS to external

Choudhury, Suhail Suhail.Choudhury at bskyb.com
Tue Jan 28 11:43:38 UTC 2014


Hi,

We are looking at adding redundancy to our IPA setup by using DNS
servers external to our IPA servers, so in the event of IPA dying we can
still resolve against these external DNS servers.

So I'm looking at how I can add a server running BIND as a DNS slave.

Normally on a DNS slave we can set something like the following in
named.conf:

=========================================

// query-source address * port 53;
allow-transfer {208.99.198.184/32;};
};

//
// a caching only nameserver config
//

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "yourdomain.com" IN {
type slave;
file "/var/named/yourdomain.com.zone";
// allow-update { none; };
allow-transfer { 192.168.0.1/32; };
masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
type slave;
file "/var/named/0.168.192.rev";
// allow-update { none; };
allow-transfer { 192.168.0.1/32; };
masters { 192.168.0.1; };
};

=========================================

In the IPA server's named.conf I see DNS entries are loaded up via LDAP:

=========================================

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
        arg "base cn=dns, dc=sub,dc=domain,dc=com";
        arg "fake_mname ipa01.sub.domain.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa01.sub.domain.com";
        arg "zone_refresh 0";
        arg "psearch yes";
        arg "connections 4";
        arg "serial_autoincrement yes";
};

=========================================

Has anyone successfully pulled DNS zones out of IPA to BIND slaves?

-- 
Regards,
Suhail.
DevOps(Recs), BSkyB.
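As an added example, not code from the original message: a small Python lint that parses the slave-side zone stanzas from a named.conf like the one quoted above and flags secondaries that have no masters or that leave allow-transfer open. The sample config and its addresses are constructed placeholders.

```python
import re

# Constructed sample modelled on the slave named.conf quoted in the mail; the
# addresses are placeholders, not the author's real servers.
SAMPLE_NAMED_CONF = """
zone "sub.domain.com" IN {
    type slave;
    file "/var/named/sub.domain.com.zone";
    // allow-update { none; };
    allow-transfer { 192.168.0.1/32; };
    masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "/var/named/0.168.192.rev";
    allow-transfer { any; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
STMT_RE = re.compile(r'^\s*([a-z-]+)\s+(?:\{\s*([^}]*?)\s*\}|([^;{]+));', re.M)


def parse_zones(conf):
    """Return {zone_name: {statement: [values]}} for every zone block; whole-line
    // comments are dropped, and masters { a; b; } becomes the list [a, b]."""
    conf = re.sub(r"^\s*//[^\n]*", "", conf, flags=re.M)
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        stmts = {}
        for key, block, scalar in STMT_RE.findall(body):
            raw = block if block else scalar
            stmts[key] = [v.strip().strip('"') for v in raw.split(";") if v.strip()]
        zones[name] = stmts
    return zones


def check_slave_zones(zones):
    """Flag slave zones with no masters or with an unrestricted allow-transfer, so
    the secondary is not itself an open transfer source (older BIND 9 defaulted to any)."""
    findings = []
    for name, st in zones.items():
        if st.get("type") != ["slave"]:
            continue
        if "masters" not in st:
            findings.append((name, "no masters statement"))
        if "any" in st.get("allow-transfer", ["any"]):
            findings.append((name, "allow-transfer permits any host"))
    return findings
```

Run `check_slave_zones(parse_zones(open("/etc/named.conf").read()))` on a real slave to list the zones that need attention.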

