[Freeipa-users] External DNS and replication

Martin Basti mbasti at redhat.com
Thu Mar 9 10:37:24 UTC 2017



On 09.03.2017 09:04, Wimmer Ronald (BCC.B.SO) wrote:
>
> *From:*Martin Basti [mailto:mbasti at redhat.com]
> *Sent:* Wednesday, 08 March 2017 14:54
> *To:* Wimmer Ronald (BCC.B.SO) <Ronald.Wimmer at oebb.at>;
> freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] External DNS and replication
>
> On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
>     Hi,
>
>     I am using FreeIPA with external DNS. Is it ok to balance the
>     requests between master and replica with DNS SRV records like this:
>
>     _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88
>     ipa1.example.net.
>
>     _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88
>     ipa1.example.net.
>
>     _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>
>     _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>
>     _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>
>     _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>
>     _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
>
>     _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
>
>     _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88
>     ipa2.example.net.
>
>     _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88
>     ipa2.example.net.
>
>     _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>
>     _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>
>     _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>
>     _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>
>     _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
>
>     _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
>
>     _kerberos.example.net. 86400 IN TXT "example.net"
>
> Looks good to me
>
>
>     ipa-ca.example.net. 86400 IN A 10.66.39.130
>
>     What about the “ipa-ca” entry?
>
>
> ipa-ca should contain all A/AAAA records of CA replicas
>
> IPA4.4+ support command `ipa dns-update-system-records --dry-run` to
> get all required records
>
>     Regards,
>
>     Ronald
>
>
> Martin
>
> Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat
> suggests using the same weight and the same priority for the SRV records.
> Does that make sense?
>
Priority should be the same; otherwise servers with higher priority will
work only as backups (preferably you should have priority 0).
You can edit the weight to distribute more load to beefy servers.

Please note that priority and weight are handled on the client side, so it
will work only on clients that process SRV records with priority and
weight. Some clients may ignore it.

>
> I also noticed that I have no ntp record. Are IPA clients relying on
> that entry? Do I have to create these manually?
>
> _ntp._udp.example.net.  86400   IN      SRV     10 50 123 ipaserver1.example.net.
>
> _ntp._udp.example.net.  86400   IN      SRV     10 50 123 ipaserver2.example.net.
>
>
It depends on the system configuration of your clients. This record is basically
used only by ipa-client-install because, AFAIK, the ntp client doesn't support
SRV lookup.

Usually clients have a default NTP client configured, so it should work.

>
> Ronald
>
>
>

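Added example, not part of the thread or of FreeIPA itself: a client-side RFC 2782 selection routine run over the `_ldap._tcp` records above, showing why equal priority spreads load across ipa1 and ipa2 while a higher priority number turns a server into a backup only. The record sets and the 75/25 weight split are constructed for the demonstration.

```python
"""RFC 2782 SRV ordering: sort by priority, then weighted-random within a priority."""
import random
from collections import Counter

# (priority, weight, port, target) as in the thread's _ldap._tcp records
SRV_EQUAL = [(10, 50, 389, "ipa1.example.net."), (10, 50, 389, "ipa2.example.net.")]
# constructed: ipa2 demoted to backup by giving it a larger priority number
SRV_BACKUP = [(10, 50, 389, "ipa1.example.net."), (20, 50, 389, "ipa2.example.net.")]
# constructed: same priority, but a beefier ipa1 gets more weight
SRV_WEIGHTED = [(10, 75, 389, "ipa1.example.net."), (10, 25, 389, "ipa2.example.net.")]


def order_srv(records, rng=random):
    """Return records in the order an RFC 2782 compliant client should try them."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # All targets of a lower priority number are exhausted before the next group.
        group = [r for r in records if r[0] == prio]
        group.sort(key=lambda r: r[1] != 0)  # RFC 2782: weight-0 records go first
        while group:
            total = sum(r[1] for r in group)
            if total == 0:
                pick = group[0]
            else:
                # Uniform random number in [0, total] (inclusive), pick the first
                # record whose running weight sum reaches it.
                threshold = rng.randint(0, total)
                running = 0
                for r in group:
                    running += r[1]
                    if running >= threshold:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def first_choice_share(records, trials=10000, seed=1):
    """Fraction of lookups in which each target is tried first (seeded for repeatability)."""
    rng = random.Random(seed)
    counts = Counter(order_srv(records, rng)[0][3] for _ in range(trials))
    return {target: n / trials for target, n in counts.items()}


if __name__ == "__main__":
    for name, recs in (("equal", SRV_EQUAL), ("backup", SRV_BACKUP), ("weighted", SRV_WEIGHTED)):
        print(name, first_choice_share(recs))
```

Clients that ignore priority and weight (as the reply warns) will not show this distribution, so verify the behaviour of the actual resolver library before relying on it.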