[Freeipa-users] External DNS and replication

Wimmer Ronald (BCC.B.SO) Ronald.Wimmer at oebb.at
Thu Mar 9 08:04:24 UTC 2017


From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Mittwoch, 08. März 2017 14:54
To: Wimmer Ronald (BCC.B.SO) <Ronald.Wimmer at oebb.at>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] External DNS and replication
On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
Hi,

I am using FreeIPA with external DNS. Is it ok to balance the requests between master and replica with DNS SRV records like this:

_kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.

_kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.

_kerberos.example.net. 86400 IN TXT "example.net"
Looks good to me


ipa-ca.example.net. 86400 IN A 10.66.39.130

What about the "ipa-ca" entry?

ipa-ca should contain all A/AAAA records of CA replicas

IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to get all required records


Regards,
Ronald
Martin

Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat suggests using the same weight and the same priority for the SRV records. Does that make sense?

I also noticed that I have no ntp record. Are IPA clients relying on that entry? Do I have to create these manually?

_ntp._udp.example.net.  86400   IN      SRV     10 50 123 ipaserver1.example.net.
_ntp._udp.example.net.  86400   IN      SRV     10 50 123 ipaserver2.example.net.

Ronald
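As an added example (not from the thread or the FreeIPA project), a small Python check over zone-file lines like the ones above: it reports any replica missing from one of the SRV records IPA clients look up, replicas advertised with unequal priority/weight, and CA replica addresses absent from ipa-ca. The zone excerpt, the hostnames and the 10.66.39.131 address are constructed sample input.

```python
from collections import defaultdict
# Services FreeIPA clients look up (the record set from the thread) and their ports.
EXPECTED_SRV = {
    "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88, "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_ldap._tcp": 389, "_ntp._udp": 123,
}
# Constructed zone excerpt: LDAP priorities differ, _kpasswd lacks ipa2, several services are absent, ipa-ca lists one CA replica.
SAMPLE_ZONE = """\
ipa1.example.net. 86400 IN A 10.66.39.130
ipa2.example.net. 86400 IN A 10.66.39.131
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 20 50 389 ipa2.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
ipa-ca.example.net. 86400 IN A 10.66.39.130
"""
def parse_zone(text):
    """Return ({service: {target: (prio, weight, port)}}, {name: [address, ...]})."""
    srv, addr = defaultdict(dict), defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                          # blank line, comment or unknown shape
        name, rtype, rdata = parts[0], parts[3], parts[4:]
        if rtype == "SRV":
            service = ".".join(name.split(".")[:2])      # e.g. "_ldap._tcp"
            srv[service][rdata[3]] = (int(rdata[0]), int(rdata[1]), int(rdata[2]))
        elif rtype in ("A", "AAAA"):
            addr[name].append(rdata[0])
    return srv, addr

def check_records(text, servers, ca_servers, zone):
    """Return sorted findings; an empty list means the record set is consistent."""
    srv, addr = parse_zone(text)
    problems = []
    for service, port in EXPECTED_SRV.items():
        entries = srv.get(service, {})
        for server in servers:                # every replica must be advertised
            if entries.get(server) is None:
                problems.append(f"{service}: no SRV record for {server}")
        if len({rec[:2] for rec in entries.values()}) > 1:   # equal prio/weight spreads load
            problems.append(f"{service}: replicas have differing priority/weight")
    ca_name = f"ipa-ca.{zone}."               # must carry the address of every CA replica
    wanted = {ip for s in ca_servers for ip in addr.get(s, [])}
    for ip in sorted(wanted - set(addr.get(ca_name, []))):
        problems.append(f"{ca_name}: missing CA replica address {ip}")
    return sorted(problems)
```

Run `check_records(SAMPLE_ZONE, servers, servers, "example.net")` with `servers = ["ipa1.example.net.", "ipa2.example.net."]` to list the gaps in the sample; feed it the output of a zone transfer or of `dig` for your own zone to check a real record set.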