[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

Jacob Evans email at jacobdevans.com
Wed Dec 7 13:59:58 UTC 2016


Pieter, 
If you are comfortable with duplicating your external records internally, you CAN use this domain; however, I've always preferred to have internal-only and external-only domains (we actually register domains externally that are internal use only). So for example, lautus.net is your external domain; for internal use you could use a subdomain like ipa.lautus.net or lautus.tech. 

Split DNS isn't wrong, but it never makes things easier. Your SRV records would only need to be duplicated if your users are @lautus.net and not @ipa.lautus.net or @ad.lautus.net. 

I hope this helps. This is all general DNS infrastructure, so you could also check out any other resources on building domain/forest infrastructure recommendations. 

Good Luck, 

Jacob 

From: "Pieter Nagel" <pieter at lautus.net> 
To: "freeipa-users" <freeipa-users at redhat.com> 
Sent: Wednesday, December 7, 2016 8:33:41 AM 
Subject: Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain. 

Thanks, that helps a lot. 

Yes and no. What you see with "@ NS ..." is a glue record -- you are 
supposed to have a glue record for IPA domain in the upstream domain, 
this is how domain delegation works in DNS world. 

Except what I saw was the other way around. The FreeIPA server has an NS record claiming that it is authoritative for the parent domain, but its parent domain is hosted at dnsmadeeasy: 

~ dig @8.8.8.8 -t NS lautus.net
lautus.net.  86399 IN NS ns15.dnsmadeeasy.com.
~ dig @8.8.8.8 -t NS ipa.lautus.net
ipa.lautus.net.  86399 IN NS ipa-hetzner-cpt4-01.lautus.net.

But as far as the FreeIPA DNS is concerned, it is authoritative for everything: 

~ dig @ipa-hetzner-cpt4-01.lautus.net -t NS lautus.net
lautus.net.  86400 IN NS ipa-hetzner-cpt4-01.lautus.net.
~ dig @ipa-hetzner-cpt4-01.lautus.net -t NS ipa.lautus.net
ipa.lautus.net.  86400 IN NS ipa-hetzner-cpt4-01.lautus.net.

-- 
Pieter Nagel 
Lautus Solutions (Pty) Ltd 
Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng 
0832587540 
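An added example, not code from the thread or the FreeIPA project: a Python script that automates the comparison Pieter does by hand above. It parses dig-style NS answer lines taken from a public resolver and from the IPA server and flags zones the internal server answers for with nameservers that differ from the public delegation (the "shadowed" case in the thread). The two answer sets are constructed to mirror the dig output quoted above.

```python
"""Compare NS delegation as seen by a public resolver vs. an internal (IPA) DNS server."""
from collections import defaultdict

# Constructed sample answers modelled on the dig output in the thread.
PUBLIC_VIEW = """\
lautus.net.      86399 IN NS ns15.dnsmadeeasy.com.
ipa.lautus.net.  86399 IN NS ipa-hetzner-cpt4-01.lautus.net.
"""

INTERNAL_VIEW = """\
lautus.net.      86400 IN NS ipa-hetzner-cpt4-01.lautus.net.
ipa.lautus.net.  86400 IN NS ipa-hetzner-cpt4-01.lautus.net.
"""


def parse_ns_answers(text):
    """Return {zone: set(nameservers)} from 'name ttl class type rdata' NS answer lines."""
    zones = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "NS":
            continue  # skip blanks, comments and non-NS records
        zone = parts[0].rstrip(".").lower()
        target = parts[4].rstrip(".").lower()
        zones[zone].add(target)
    return dict(zones)


def delegation_report(public_text, internal_text):
    """Classify each zone by how the internal NS set relates to the public delegation.

    'shadowed' means the internal server serves the zone with nameservers that share
    nothing with the public delegation: internal clients get a different view of that
    zone (split DNS), so every public record must be duplicated internally or it is
    unreachable for them.
    """
    public = parse_ns_answers(public_text)
    internal = parse_ns_answers(internal_text)
    report = {}
    for zone in sorted(set(public) | set(internal)):
        pub_ns, int_ns = public.get(zone, set()), internal.get(zone, set())
        if not int_ns:
            status = "not-served-internally"
        elif pub_ns == int_ns:
            status = "consistent"
        elif pub_ns and int_ns.isdisjoint(pub_ns):
            status = "shadowed"
        else:
            status = "partial-overlap"
        report[zone] = status
    return report
```

Run against live data by pasting the answer section of `dig @8.8.8.8 -t NS <zone>` and `dig @<ipa-server> -t NS <zone>` into the two strings; a "shadowed" parent zone is the situation described in the post.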
