[Freeipa-users] reverse lookup dns records in trust setup

Petr Spacek pspacek at redhat.com
Mon Jun 29 13:50:23 UTC 2015


On 29.6.2015 13:57, John Stein wrote:
> Hi,
> 
> I have an AD and IdM server.
> AD domain - john.com
> IdM domain - linux.john.com
> 
> each spans multiple network segments, with some segments having both linux
> and windows machines.
> 
> the IdM is configured to forward DNS requests to AD (forward first), and
> the AD is configured to forward requests in the linux.john.com domain to
> the IdM.
> 
> However, I'm having a problem regarding reverse lookup zones. Where should
> they be so they can be accessed from both linux and windows machines?

From DNS's point of view it does not matter, pick one side (AD or IPA) to host
the reverse zone and configure delegation or forwarding on the other side.
That is all you need if you are willing to update records manually.

> If I put them in IdM, how will the AD know which requests to forward to the
> IdM?

Either properly configure delegation (if you have control over the parent
zone) or add forwarder (only if you do not have control over parent zone -
usual caveats for forwarding apply).

> It seems to me that I need to somehow register them at the AD, so the A
> record is in the IdM server and the PTR is in the AD. Is it possible to do
> it automatically, 

"host/" principals from IPA Kerberos realm are generally not allowed to get
tickets for AD realm so automatic update from IPA to AD is not possible.

It might work the other way around (I did not test this):
- Configure reverse zone in IPA
- Configure delegation/forwarding in AD so all clients can properly resolve
the reverse zone
- Allow all clients to update their PTR records. Update policy like this might
work:
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

I would like to hear from you if this works in your environment or not.

Thank you!

-- 
Petr^2 Spacek
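Added example, not part of the message above and not FreeIPA or BIND code: a small Python model of `grant ... krb5-self` and `grant ... krb5-subdomain` update-policy rules, following the semantics the BIND ARM documents (krb5-self: a `host/NAME@REALM` principal may update records whose owner name is NAME, the name field being ignored; krb5-subdomain: any `host/*@REALM` principal may update names at or below the rule's name field; a trailing type list limits the RR types). It evaluates the two-realm policy proposed in the message next to a krb5-subdomain variant scoped to the reverse zone, so a reviewer can see which principals would be able to write which names before `--dynamic-update=1` is switched on. The realm names `AD.EXAMPLE`/`IPA.EXAMPLE`, the host names, the user principal and the `2.0.192.in-addr.arpa` zone are constructed sample values.

```python
"""Offline model of BIND-style dynamic-update 'grant' rules (added example).

Semantics follow the BIND ARM's description of two rule types:
  krb5-self       host/NAME@REALM may update records whose owner name is NAME
                  (the name field is ignored and conventionally written '*')
  krb5-subdomain  any host/*@REALM principal may update records at or below
                  the rule's name field
A trailing type list restricts which RR types the grant covers.
Realm names are compared case-sensitively (Kerberos realms are), DNS owner
names case-insensitively. This is a review model, not named's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    realm: str          # identity field: Kerberos realm of the updater
    match: str          # 'krb5-self' or 'krb5-subdomain'
    name: str           # name field, canonicalised ('*' for krb5-self)
    types: frozenset    # permitted RR types; empty means any type


def canon(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so spellings compare equal."""
    return name.rstrip(".").lower()


def parse_update_policy(policy: str) -> list:
    """Parse 'grant REALM MATCH NAME [TYPE ...];' statements into Grant rules."""
    rules = []
    for stmt in policy.split(";"):
        words = stmt.split()        # tolerates the line-wrapped form used in mail
        if not words:
            continue
        if words[0] != "grant" or len(words) < 4:
            raise ValueError(f"unsupported update-policy statement: {stmt.strip()!r}")
        _, realm, match, name, *types = words
        if match not in ("krb5-self", "krb5-subdomain"):
            raise ValueError(f"unsupported match type: {match!r}")
        rules.append(Grant(realm, match, canon(name), frozenset(t.upper() for t in types)))
    return rules


def split_host_principal(principal: str):
    """Return (hostname, realm) for a host/NAME@REALM principal, else None."""
    if not principal.startswith("host/") or "@" not in principal:
        return None
    name, realm = principal[len("host/"):].rsplit("@", 1)
    return canon(name), realm


def update_allowed(rules: list, principal: str, owner: str, rrtype: str) -> bool:
    """Decide whether PRINCIPAL may update records of RRTYPE at owner name OWNER."""
    parsed = split_host_principal(principal)
    if parsed is None:              # user principals never match krb5-* rules
        return False
    host, realm = parsed
    owner, rrtype = canon(owner), rrtype.upper()
    for rule in rules:
        if rule.realm != realm:
            continue
        if rule.types and rrtype not in rule.types:
            continue
        if rule.match == "krb5-self" and owner == host:
            return True
        if rule.match == "krb5-subdomain" and (
            owner == rule.name or owner.endswith("." + rule.name)
        ):
            return True
    return False


# Constructed sample policies: the first is the one proposed in the message,
# the second scopes PTR updates to the reverse zone with krb5-subdomain.
POLICY_SELF = "grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;"
POLICY_SUBDOMAIN = ("grant AD.EXAMPLE krb5-subdomain 2.0.192.in-addr.arpa. PTR; "
                    "grant IPA.EXAMPLE krb5-subdomain 2.0.192.in-addr.arpa. PTR;")

# Constructed sample update attempts: (principal, owner name, RR type)
ATTEMPTS = [
    ("host/web1.linux.john.com@IPA.EXAMPLE", "10.2.0.192.in-addr.arpa.", "PTR"),
    ("host/pc7.john.com@AD.EXAMPLE", "11.2.0.192.in-addr.arpa.", "PTR"),
    ("host/pc7.john.com@AD.EXAMPLE", "11.3.0.192.in-addr.arpa.", "PTR"),   # other zone
    ("host/web1.linux.john.com@IPA.EXAMPLE", "web1.linux.john.com.", "A"),  # type not granted
    ("alice@IPA.EXAMPLE", "10.2.0.192.in-addr.arpa.", "PTR"),              # user, not host
]


def evaluate(policy: str) -> dict:
    """Map each constructed attempt to the decision the policy model gives."""
    rules = parse_update_policy(policy)
    return {attempt: update_allowed(rules, *attempt) for attempt in ATTEMPTS}


if __name__ == "__main__":
    for label, policy in (("krb5-self", POLICY_SELF), ("krb5-subdomain", POLICY_SUBDOMAIN)):
        print(f"== {label} policy ==")
        for attempt, ok in evaluate(policy).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {attempt[0]:40} {attempt[2]:4} {attempt[1]}")
```

Running the script prints one decision per sample attempt for each policy. Under the documented krb5-self semantics a PTR owner name in `in-addr.arpa` never equals the host part of a machine principal, so in this model the krb5-self form grants no PTR update at all, while the krb5-subdomain form lets any host principal of either realm write PTR records inside `2.0.192.in-addr.arpa` only: names in a neighbouring reverse zone, RR types not listed, user principals and a realm spelled in a different case are all refused. Which of the two a given BIND or bind-dyndb-ldap build actually accepts for a reverse zone is something to verify on the server itself, which is what the check above is meant to prepare for.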
