[Freeipa-users] DNS questions

Petr Spacek pspacek at redhat.com
Mon Apr 13 08:36:51 UTC 2015


Hello!

On 11.4.2015 12:08, Christoph Kaminski wrote:
> have some questions about DNS in IPA...
> 
> first some info to our DNS structure:
> 
> we have 4 internale domains and a lot of subdomains, for example:
> 
> domain:
> ourdom.int
> 
> subdomains:
>  - mgmt.ourdom.int
>  - io.ourdom.int
>  - app.ourdom.int

Before we dive into details, please note that you *should not* be using DNS
names which were not delegated to you.

I.e. it is a bad idea to use 'ourdom.int' unless the domain 'ourdom.int' is
really registered to your name.

See http://www.freeipa.org/page/DNS#Caveats

It is going to cause problems when:
- some other company starts using the same name on the public Internet
- you merge with another company using the same name
- DNSSEC validation is enabled (technically you are 'hijacking'/'shadowing'
the name and DNSSEC will detect that)

> Questions:
> 
> 1. How should we build the zones in ipa? Should each subdomain get a zone? 
> I see I can make only one zone for the domain and put the subdomain 
> records there too (like myhost.mgmt, then it resolves as myhost.mgmt.ourdom.int). 
> What is the right way for this?
Technically this is up to you.

> Is there a difference between the ways?
Zone transfers, access control, and zone delegation are done on zone level.
I.e. smaller zones give you more control over these aspects. It really depends
on your use-case what you prefer.

Technically it is perfectly fine to keep everything in single zone.

> (we got problems with IPA 4.1 to load the zones for domains because our 
> IPA servers are 'inside' the mgmt subdomain. It was necessary to put an A 
> record for the IPA servers into the domain. Example: ipa1.mgmt. Without 
> this record the resolving for subdomains worked but not for the 
> domains... With IPA 3.3.3 we didn't have this problem)

I do not fully understand what you mean. Could you describe the example in
full, please?
What exactly was in the non-functional configuration?
What error messages/symptoms did you see?
How did you change the configuration to fix it?

Thank you!

> 2. We have 8 IPA Server here (because all our domains are blackboxes, the 
> hosts can communicate only with 2 IPA servers inside the blackbox, IPA 
> server can connect each other over a special out of band network). What 
> should be inside the NS record of each domain? All IPA servers (the hosts 
> inside the blackbox can reach only 2) or only the 2 reachable?

I'm not 100 % sure what you mean by 'blackbox'. Generally NS records should
contain only servers reachable from other parts of the network.

DNS resolvers try to contact servers listed in NS records when querying for
records in a given zone. Servers which are not reachable but listed in NS
records will cause timeouts.

Have a nice day!

-- 
Petr^2 Spacek
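The two points in the reply above, that a single flat zone and per-subdomain delegated zones both resolve the same names, and that NS records listing servers a client cannot reach cost that client a timeout per unreachable server tried, can be seen in a small model. The following is an added illustration and not FreeIPA or BIND code; the zone names, host names, server names (ipa1..ipa8) and addresses are constructed for the example, and the resolver is a toy that tries NS servers in listed order, which real resolvers only approximate.

```python
"""Toy model of the two zone layouts discussed in the thread and of what
unreachable NS entries cost a resolver.  Added illustration: this is not
FreeIPA or BIND code, and every zone, host name and address is constructed."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    origin: str                     # zone apex, e.g. "ourdom.int."
    ns: list                        # authoritative servers, in the order a resolver tries them
    records: dict = field(default_factory=dict)      # owner name -> (rrtype, value)
    delegations: dict = field(default_factory=dict)  # child zone apex -> NS names


ALL_IPA = [f"ipa{i}" for i in range(1, 9)]      # the 8 servers from the question (constructed names)

# Layout A: one flat zone; "mgmt" and "io" are just labels inside it.
FLAT = {
    "ourdom.int.": Zone("ourdom.int.", ["ipa1", "ipa2"], {
        "myhost.mgmt.ourdom.int.": ("A", "10.0.1.10"),
        "db1.io.ourdom.int.": ("A", "10.0.2.10"),
    }),
}

# Layout B: the parent zone delegates each subdomain to its own zone.
DELEGATED = {
    "ourdom.int.": Zone("ourdom.int.", ["ipa1", "ipa2"], delegations={
        "mgmt.ourdom.int.": ["ipa1", "ipa2"],
        "io.ourdom.int.": ["ipa3", "ipa4"],
    }),
    "mgmt.ourdom.int.": Zone("mgmt.ourdom.int.", ["ipa1", "ipa2"],
                             {"myhost.mgmt.ourdom.int.": ("A", "10.0.1.10")}),
    "io.ourdom.int.": Zone("io.ourdom.int.", ["ipa3", "ipa4"],
                           {"db1.io.ourdom.int.": ("A", "10.0.2.10")}),
}


def ask(zone, reachable):
    """Try the zone's NS servers in order.  Returns (answered, timeouts):
    every unreachable server tried before a reachable one costs a timeout."""
    for tried, server in enumerate(zone.ns):
        if server in reachable:
            return True, tried
    return False, len(zone.ns)


def resolve(name, zones, reachable, apex="ourdom.int."):
    """Iterative lookup starting at the apex zone, following delegations.
    Returns (result, timeouts); result is an address, "NXDOMAIN" or "SERVFAIL"."""
    zone, timeouts = zones[apex], 0
    while True:
        answered, cost = ask(zone, reachable)
        timeouts += cost
        if not answered:
            return "SERVFAIL", timeouts          # no listed server reachable
        if name in zone.records:
            return zone.records[name][1], timeouts
        child = next((c for c in zone.delegations if name.endswith("." + c)), None)
        if child is None:
            return "NXDOMAIN", timeouts
        zone = zones[child]                       # follow the NS delegation


def unreachable_ns(zone, reachable):
    """NS entries a client on this network segment can never use."""
    return [s for s in zone.ns if s not in reachable]


if __name__ == "__main__":
    mgmt_client = {"ipa1", "ipa2"}   # a host in the mgmt 'blackbox' reaches only these two
    print(resolve("myhost.mgmt.ourdom.int.", FLAT, mgmt_client))
    print(resolve("myhost.mgmt.ourdom.int.", DELEGATED, mgmt_client))
    print(resolve("db1.io.ourdom.int.", DELEGATED, mgmt_client))
    # Listing all 8 servers in NS, with the reachable pair last, costs 6 timeouts:
    wide = {"ourdom.int.": Zone("ourdom.int.", ALL_IPA[2:] + ALL_IPA[:2],
                                FLAT["ourdom.int."].records)}
    print(resolve("db1.io.ourdom.int.", wide, mgmt_client))
    print(unreachable_ns(wide["ourdom.int."], mgmt_client))
```

Running the block shows both layouts answering `myhost.mgmt.ourdom.int.` without a timeout for a client that reaches ipa1 and ipa2, the delegated `io` zone failing for that client because its NS set lists only servers it cannot reach, and a flat zone whose NS record names all eight servers costing six timeouts before the first reachable one answers. `unreachable_ns` is the check to run per network segment before deciding which servers belong in a zone's NS record.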
