[Freeipa-users] Split Horizon DNS config
Petr Spacek
pspacek at redhat.com
Wed May 6 08:06:15 UTC 2015
On 5.5.2015 07:42, Christoph Kaminski wrote:
> Hi
>
> can someone validate this config for bind + split horizon (only the views
> part):
>
> acl internal {
>     127.0.0.1;
>     172.16.0.0/12;
> };
>
> view "internal"
> {
>     match-clients { internal; };
>     recursion yes;
>
>     dynamic-db "ipa" {
>         library "ldap.so";
>         arg "uri ldapi://%2fvar%2frun%2fslapd-HSO.socket";
>
>         arg "base cn=dns, dc=hso";
>         arg "fake_mname ipa-2.mgmt.hss.int.";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user DNS/ipa-2.mgmt.hss.int";
>         arg "serial_autoincrement yes";
>     };
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     include "/etc/named.rfc1912.zones";
>     include "/etc/named.root.key";
>
> };
>
> view "external"
> {
>     match-clients { any; };
>     recursion yes;
>
>     zone "mgmt.hss.int" {
>         type master;
>         file "mgmt.hss.int.db";
>     };
>
>     zone "in-addr.arpa" {
>         type forward;
>         forward only;
>         forwarders { 172.16.8.210; };
>     };
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     include "/etc/named.rfc1912.zones";
>     include "/etc/named.root.key";
> };
>
> it works but it's a little bit of an unclean hack IMHO. Bind 9.9 in RHEL 7.1
> doesn't support 'in-view'; that's the reason why I use the same host but
> the IP from the internal ACL here:
>
> zone "in-addr.arpa" {
>     type forward;
>     forward only;
>     forwarders { 172.16.8.210; };
> };
>
> is there something that can cause problems?
Technically it should work but it is untested. General advice about views is
'do not use them' :-)
It is much cleaner to put internal names in a sub-domain like int.example.com.
(while example.com. is the public-facing domain) and restrict access to this
sub-domain using ACL.
In the long term it will make your life much easier when it comes to DNSSEC
validation. Please see
http://www.freeipa.org/page/Deployment_Recommendations#DNS for other related
recommendations.
I hope this helps.
--
Petr^2 Spacek
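As an added illustration of the single-view layout recommended above (this is not from the thread and not FreeIPA's own configuration), the following plain BIND named.conf fragment keeps public names in example.com. and internal names in int.example.com., and restricts the internal sub-domain with an ACL instead of a second view; the zone names, file names and ACL ranges are assumptions. In a FreeIPA deployment the zones themselves live in LDAP via the dynamic-db "ipa" backend shown in the quoted config, so the per-zone query restriction would be set on the zone object rather than in named.conf, but the idea is the same.

```conf
// Added example, not from the original mailing-list thread.
// One view only: every client sees the same zone data, so DNSSEC
// signatures stay consistent regardless of who asks.

acl internal {
    127.0.0.1;
    172.16.0.0/12;        // assumed internal range, as in the quoted ACL
};

options {
    // Recursion only for internal clients; authoritative answers for anyone.
    allow-recursion { internal; };
    allow-query     { any; };
};

// Public-facing zone: answered to any client.
zone "example.com." IN {
    type master;
    file "example.com.db";       // assumed file name
    allow-transfer { none; };
};

// Internal sub-domain: same server, same view, but queries are limited
// to the "internal" ACL. External clients get REFUSED for these names.
zone "int.example.com." IN {
    type master;
    file "int.example.com.db";   // assumed file name
    allow-query    { internal; };
    allow-transfer { none; };
};

zone "." IN {
    type hint;
    file "named.ca";
};
```

Note that external clients asking for a name under int.example.com. receive REFUSED rather than NXDOMAIN, which reveals that the sub-domain exists even though its contents stay hidden; if that matters, keep the delegation itself out of the public zone file as well.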