[Freeipa-users] DNS SOA Records

Bob harvero at gmail.com
Tue May 13 13:59:31 UTC 2014


Is there any way to do an nsupdate of DNS records in an IPA server using a
TSIG key without having a Kerberos ticket?

We were going to swap out BIND in favor of IPA, but we need to be able to
do nsupdates.


On Mon, May 12, 2014 at 10:11 AM, Bob <harvero at gmail.com> wrote:

> We use nsupdate to move the location of some of our services around.
> For instance there might be two servers that exchange roles, like
> serv.east.abc.com and serv.west.abc.com and we will have a service name
> like wiki.abc.com. The owner of the application has been given an
> nsupdate key that allows them to update and delete on the wiki.abc.com
> and have that record contain either an "A" record for one or the other of
> the two servers.
>
> I am very concerned that there might come a time when the SOA primary
> master server for this dynamic domain might be down when the application
> owner needs to do their nsupdate.
>
> One observation that we see is that Windows AD and DNS make every AD DNS
> server an SOA for any domain that it serves. That any dynamic DNS update
> can be serviced by any Domain controller and that this update is replicated
> with LDAP to the other DCs.
>
> It was our hope that we could use IPA for our DNS servers for this dynamic
> domain. That we would have multiple forward statements from our main DNS
> servers to the IPA DNS servers and that any IPA server would be the SOA.
> This way the nsupdate would be processed by any available IPA server in the
> event that one or more of these IPA DNS servers would be down or
> unreachable.
>
> Is there a way to make each IPA system a SOA for the same domain and still
> have the DNS records replicate between them?
>
> thanks,
>
> Bob Harvey
>