[Freeipa-users] Setup of SRV records for new domains

Petr Spacek pspacek at redhat.com
Mon May 4 13:09:36 UTC 2015


On 4.5.2015 14:59, Brian Topping wrote:
> Ah, thanks! I see what's going on now. That helps a lot.
> 
> I think what I was missing was the reluctance for IPA to serve domains
> that are not proper TLDs. I generally maintain internal security domains
> with an invented TLD since they are secure by definition. When I tried
> that today, it was unable to auto discover on this domain and I
> attributed it to the lack of SRV records.

Generally it is better to use 'internal.example.com.' instead of invented
TLDs like 'mytld.'.

FreeIPA can work with 'invented' TLDs if you have properly configured DNS
but it is usually a nightmare. That is the reason why it is strictly
discouraged.

Also, 'invented' TLDs cannot work with DNSSEC validation unless you
distribute trust anchor to every single DNSSEC validator. This is one more
reason for using proper sub-domains instead of invented TLDs.

Let me know if you want to hear more details about that. Have a nice day!

Petr^2 Spacek

> Brian
> 
>> On May 4, 2015, at 3:43 PM, Petr Spacek <pspacek at redhat.com> wrote:
>> 
>> On 4.5.2015 10:23, Brian Topping wrote:
>>> On second view, I think my brain misfiled this. Maybe the records
>>> were not set up automatically, another DNS domain I thought had the
>>> records in fact do not.
>>> 
>>> As a feature request, it seems like if a domain is added to "Domain 
>>> Realms", it should also get the appropriate records for client 
>>> autodiscovery.
>> 
>> It is actually not necessary to create all the SRV records in all
>> domains.
>> 
>> Client auto-discovery is using the TXT record which is added
>> automatically and the _kerberos TXT record is like 'redirect'.
>> 
>> The procedure is:
>> - client client1.sub.example.com. searches for record
>>   _kerberos.sub.example.com TXT
>> - _kerberos.sub.example.com TXT contains realm name "EXAMPLE.COM"
>> - now the client knows that all the SRV records are inside the
>>   example.com. domain
>> - SRV records from example.com. are used from now on
>> 
>> AFAIK this is very standard Kerberos behavior so it should work for
>> all standard-compliant clients.
>> 
>> Petr^2 Spacek
>> 
>>> Cheers, Brian
>>> 
>>>> On May 4, 2015, at 3:03 PM, Brian Topping
>>>> <brian.topping at gmail.com> wrote:
>>>> 
>>>> I just added a new domain and didn't see the SRV records added for
>>>> it. There is a TXT record, but none of the SRV records that are in
>>>> other DNS domains.
>>>> 
>>>> After going to the "Realm Domains" tab of the "IPA Server"
>>>> configuration, I see that the new domain was already added there,
>>>> so I removed it and added it back, hoping that might cause the SRV
>>>> records to be added, but no luck.
>>>> 
>>>> Any ideas what I should check for?
>>>> 
>>>> Thanks, Brian
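The discovery procedure Petr describes (walk up from the client's domain until a `_kerberos` TXT record names the realm, then use the SRV records published under the realm's own domain) is easy to get wrong when checking a new sub-domain by hand, so here is a small simulation of it. This is an added example, not code from the thread or from FreeIPA; the zone contents, host names (`ipa1`, `ipa2`) and the lookup helper are constructed for the example and stand in for real DNS queries.

```python
"""Simulated Kerberos realm auto-discovery over DNS.

Mirrors the procedure from the thread: a client in sub.example.com finds
_kerberos.sub.example.com TXT, learns the realm EXAMPLE.COM, and from then
on uses the SRV records under example.com. No SRV records are needed in
the sub-domain itself. The zone data below is constructed, not real.
"""

# Constructed zone: (owner name, record type) -> list of rdata.
# SRV rdata is (priority, weight, port, target), as in RFC 2782.
ZONE = {
    ("_kerberos.sub.example.com.", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos.example.com.", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos._udp.example.com.", "SRV"): [
        (10, 100, 88, "ipa2.example.com."),
        (0, 100, 88, "ipa1.example.com."),
    ],
    ("_kerberos._tcp.example.com.", "SRV"): [
        (0, 100, 88, "ipa1.example.com."),
    ],
    ("_ldap._tcp.example.com.", "SRV"): [
        (0, 100, 389, "ipa1.example.com."),
    ],
    # sub.example.com. deliberately carries only the TXT "redirect".
}


def lookup(name, rtype):
    """Stand-in for a DNS query; DNS owner names are case-insensitive."""
    return ZONE.get((name.lower(), rtype), [])


def parent_domains(fqdn):
    """Yield the client's own domain, then each parent, stopping before the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."


def discover_realm(client_fqdn):
    """Return the realm named by the nearest _kerberos TXT record, or None."""
    for domain in parent_domains(client_fqdn):
        txt = lookup("_kerberos." + domain, "TXT")
        if txt:
            return txt[0]
    return None


def realm_srv(realm, service="_kerberos", proto="_udp"):
    """SRV records for a service in the realm's domain, in RFC 2782 order
    (lowest priority first, then highest weight first)."""
    domain = realm.lower() + "."
    records = lookup(f"{service}.{proto}.{domain}", "SRV")
    return sorted(records, key=lambda r: (r[0], -r[1]))


def kdc_targets(client_fqdn):
    """Full procedure: realm via TXT, then KDC host:port list via SRV."""
    realm = discover_realm(client_fqdn)
    if realm is None:
        return None, []
    return realm, [f"{host}:{port}" for _, _, port, host in realm_srv(realm)]


if __name__ == "__main__":
    print(kdc_targets("client1.sub.example.com"))
    print(kdc_targets("host.unrelated.test"))
```

Running it shows the sub-domain client resolving to `EXAMPLE.COM` and the KDC list taken from `example.com`, while a client in a domain with no `_kerberos` TXT record anywhere up the tree gets no realm at all, which is the symptom to expect when a new domain has been added without that TXT record.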



