[Freeipa-users] DNS SOA Records

Dmitri Pal dpal at redhat.com
Tue May 13 14:04:43 UTC 2014 

On 05/13/2014 09:59 AM, Bob wrote:
> Is there anyway to do a nsupdate of a DNS records in a IPA server 
> using a TSIG key without having a kerberos ticket?
>
> We were going to swap out bind in favor of IPA, but we need to be able 
> to nsupdates.
>

If you are using IPA you can give you clients keytabs.
It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll 
your clients using ipa-client-install.
If you have other operating systems some exploration would be required 
but it should be doable too.

>
> On Mon, May 12, 2014 at 10:11 AM, Bob <harvero at gmail.com 
> <mailto:harvero at gmail.com>> wrote:
>
>     We use nsupdate to to move the location of some of our services
>     around. For instance there might be two servers that exchange
>     roles, like serv.east.abc.com <http://serv.east.abc.com> and
>     serv.west.abc.com <http://serv.west.abc.com>  and we will have a
>     service name like wiki.abc.com <http://wiki.abc.com>. The owner of
>     the application has been given an nsupdate key that allows them to
>     update and delete on the the wiki.abc.com <http://wiki.abc.com>
>     and have that records contain either an "A" record for one or the
>     other of the two servers.
>
>     I am very concerned that there might come a time when the SOA
>     primary master server for this dynamic domain might be down when
>     the application owner needs to do their nsupdate.
>
>     One observation that we see is that Window AD and DNS make every
>     AD DNS server an SOA for any domain that it servers. That any
>     dynamic DNS update can be serviced by any Domain controller and
>     that this update is replicated with LDAP to the other DCs.
>
>     It was our hope that we could use IPA for our DNS servers for this
>     dynamic domain. That we would have multiple forward statements
>     from our main DNS servers to the IPA DNS servers and that any IPA
>     server would be the SOA. This way the nsupdate would be processed
>     by any available IPA server in the event that one or more of these
>     IPA DNS servers would be down or unreachable.
>
>     Is there a way to make each IPA system a SOA for the same domain
>     and still have the DNS records replicate between them?
>
>     thanks,
>
>     Bob Harvey
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140513/5a8fdd29/attachment.htm>

More information about the Freeipa-users mailing list