[Freeipa-users] DNS SOA Records

Loris Santamaria loris at lgs.com.ve
Tue May 13 17:38:45 UTC 2014


On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> I have many dozens of TSIG keys declared in our current bind. There
> are hundreds of records that have been granted to those keys. All of
> this predates me and I do not know who has these keys. The scope of
> trying to work with the owners of these keys to convert their
> processes to use kerberos would be a large effort. It was my hope
> to use IPA / IDM to provide multi master DNS, with each server being a
> SOA. But this becomes a lot less desirable as a solution if I have to
> track down our key holders.

You can keep using your TSIG keys with IPA if that is what you're
looking for. Just declare your TSIG keys in your IPA DNS "update-policy"
just as you would do with plain bind:

ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"

Also in IPA every DNS server presents a different SOA, each with the name
of the server being queried, so it can be used as a true multimaster DNS
solution.

Hope this helps



> On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <dpal at redhat.com> wrote:
>         On 05/13/2014 09:59 AM, Bob wrote:
>         
>         > Is there any way to do an nsupdate of DNS records in an IPA
>         > server using a TSIG key without having a kerberos ticket?
>         > 
>         > 
>         > We were going to swap out bind in favor of IPA, but we need
>         > to be able to do nsupdates.
>         > 
>         > 
>         > 
>         
>         
>         If you are using IPA you can give your clients keytabs.
>         It is all automatic with RHEL, Fedora, Centos for the last 5
>         years. Enroll your clients using ipa-client-install.
>         If you have other operating systems some exploration would be
>         required but it should be doable too.
>         
>         > 
>         > On Mon, May 12, 2014 at 10:11 AM, Bob <harvero at gmail.com>
>         > wrote:
>         >         We use nsupdate to move the location of some of
>         >         our services around. For instance there might be two
>         >         servers that exchange roles, like serv.east.abc.com
>         >         and serv.west.abc.com  and we will have a service
>         >         name like wiki.abc.com. The owner of the application
>         >         has been given an nsupdate key that allows them to
>         >         update and delete on the wiki.abc.com and have
>         >         that record contain either an "A" record for one or
>         >         the other of the two servers. 
>         >         
>         >         
>         >         I am very concerned that there might come a time
>         >         when the SOA primary master server for this dynamic
>         >         domain might be down when the application owner
>         >         needs to do their nsupdate.  
>         >         
>         >         
>         >         One observation that we see is that Windows AD and
>         >         DNS make every AD DNS server an SOA for any domain
>         >         that it serves. That any dynamic DNS update can be
>         >         serviced by any Domain controller and that this
>         >         update is replicated with LDAP to the other DCs.
>         >         
>         >         
>         >         It was our hope that we could use IPA for our DNS
>         >         servers for this dynamic domain. That we would have
>         >         multiple forward statements from our main DNS
>         >         servers to the IPA DNS servers and that any IPA
>         >         server would be the SOA. This way the nsupdate would
>         >         be processed by any available IPA server in the
>         >         event that one or more of these IPA DNS servers
>         >         would be down or unreachable.    
>         >         
>         >         
>         >         Is there a way to make each IPA system a SOA for the
>         >         same domain and still have the DNS records replicate
>         >         between them?
>         >         
>         >         
>         >         thanks,
>         >         
>         >         
>         >         Bob Harvey
>         >         
>         > 
>         > 
>         > 
>         > 
>         > 
>         > _______________________________________________
>         > Freeipa-users mailing list
>         > Freeipa-users at redhat.com
>         > https://www.redhat.com/mailman/listinfo/freeipa-users
>         
>         
>         -- 
>         Thank you,
>         Dmitri Pal
>         
>         Sr. Engineering Manager IdM portfolio
>         Red Hat, Inc.
>         
> 
> 

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
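The TSIG-scoped update policy and the "any IPA server can take the update" point from the reply above, worked into a script. This is an added example, not code from the thread or from FreeIPA: it builds the "grant KEY. TYPE NAME.;" policy string from a key list, emits the nsupdate batch that flips a service name between two hosts, and sends it to the first IPA DNS server that accepts it. The zone abc.com, the names wiki.abc.com, ipa1.abc.com and ipa2.abc.com, the key names, the key file /etc/wiki-key.conf (tsig-keygen output) and the IPA_APPLY and NSUPDATE variables are all assumptions; nothing is sent unless IPA_APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original thread. Zone, host, key and file
# names below are assumptions chosen to match the discussion.
set -eu

# Compose BIND/IPA update-policy clauses from "key type name" lines on
# stdin. Each clause grants one TSIG key one name (type "name") or one
# subtree (type "subdomain"), so a key that leaks can only touch the
# records it was granted. Trailing dots are normalised, since the policy
# grammar wants fully qualified key and record names.
update_policy_from_list() {
    policy=""
    while read -r key type name || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        case "$type" in
            name|subdomain) ;;
            *) echo "unsupported grant type: $type" >&2; return 1 ;;
        esac
        key="${key%.}."
        name="${name%.}."
        policy="${policy}grant ${key} ${type} ${name}; "
    done
    printf '%s' "${policy% }"
}

# Emit the nsupdate batch that repoints NAME at NEW_IP: drop every
# existing A record for the name and add the new one in one transaction,
# so the service never has zero A records between the two steps.
nsupdate_batch() {
    zone="$1"; name="$2"; new_ip="$3"; ttl="${4:-60}"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$new_ip"
    printf 'send\n'
}

# Every IPA DNS server is a master for the zone, so try each one in turn
# with the TSIG key file and stop at the first that applies the update;
# replication carries it to the others. Prints the server that took it.
# NSUPDATE is overridable so the logic can be exercised without a server.
NSUPDATE="${NSUPDATE:-nsupdate}"
nsupdate_any_server() {
    keyfile="$1"; batch="$2"; shift 2
    for server in "$@"; do
        if { printf 'server %s\n' "$server"; printf '%s\n' "$batch"; } \
            | "$NSUPDATE" -k "$keyfile" -t 5 2>/dev/null; then
            echo "$server"
            return 0
        fi
    done
    echo "no IPA DNS server accepted the update" >&2
    return 1
}

# --- usage with constructed sample data (assumed names) ---
POLICY=$(printf '%s\n' \
    'wiki-key name wiki.abc.com' \
    'east-key subdomain east.abc.com' | update_policy_from_list)
echo "ipa dnszone-mod abc.com --update-policy=\"$POLICY\""

BATCH=$(nsupdate_batch abc.com wiki.abc.com 192.0.2.20)
if [ "${IPA_APPLY:-0}" = 1 ]; then
    ipa dnszone-mod abc.com --update-policy="$POLICY"
    nsupdate_any_server /etc/wiki-key.conf "$BATCH" ipa1.abc.com ipa2.abc.com
else
    printf '%s\n' "$BATCH"
fi
```

Two things to keep in mind when applying this: --update-policy replaces the zone's whole policy, so any grants the zone already has (IPA's default policy carries krb5-self grants for enrolled hosts) must be repeated in the new string or they are lost; and the key file handed to nsupdate -k is the whole credential, so keep it readable only by the application owner who is meant to flip wiki.abc.com.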

