<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 05/13/2014 09:59 AM, Bob wrote:<br> </div> <blockquote cite="mid:CAE9nUPhNWzh3eQzX-+HGT10HQhbyEnBFo_tcP=cbBu1htBfhnw@mail.gmail.com" type="cite"> <div dir="ltr"> <div>Is there anyway to do a nsupdate of a DNS records in a IPA server using a TSIG key without having a kerberos ticket?<br> <br> </div> We were going to swap out bind in favor of IPA, but we need to be able to nsupdates.<br> </div> <div class="gmail_extra"><br> </div> </blockquote> <br> If you are using IPA you can give you clients keytabs.<br> It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll your clients using ipa-client-install.<br> If you have other operating systems some exploration would be required but it should be doable too.<br> <br> <blockquote cite="mid:CAE9nUPhNWzh3eQzX-+HGT10HQhbyEnBFo_tcP=cbBu1htBfhnw@mail.gmail.com" type="cite"> <div class="gmail_extra"><br> <div class="gmail_quote">On Mon, May 12, 2014 at 10:11 AM, Bob <span dir="ltr"><<a moz-do-not-send="true" href="mailto:harvero@gmail.com" target="_blank">harvero@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div dir="ltr"> <div> <div> <div> <div> <div> <div>We use nsupdate to to move the location of some of our services around. For instance there might be two servers that exchange roles, like <a moz-do-not-send="true" href="http://serv.east.abc.com" target="_blank">serv.east.abc.com</a> and <a moz-do-not-send="true" href="http://serv.west.abc.com" target="_blank">serv.west.abc.com</a> and we will have a service name like <a moz-do-not-send="true" href="http://wiki.abc.com" target="_blank">wiki.abc.com</a>. The owner of the application has been given an nsupdate key that allows them to update and delete on the the <a moz-do-not-send="true" href="http://wiki.abc.com" target="_blank">wiki.abc.com</a> and have that records contain either an "A" record for one or the other of the two servers. <br> <br> </div> I am very concerned that there might come a time when the SOA primary master server for this dynamic domain might be down when the application owner needs to do their nsupdate. <br> <br> </div> One observation that we see is that Window AD and DNS make every AD DNS server an SOA for any domain that it servers. That any dynamic DNS update can be serviced by any Domain controller and that this update is replicated with LDAP to the other DCs.<br> <br> </div> It was our hope that we could use IPA for our DNS servers for this dynamic domain. That we would have multiple forward statements from our main DNS servers to the IPA DNS servers and that any IPA server would be the SOA. This way the nsupdate would be processed by any available IPA server in the event that one or more of these IPA DNS servers would be down or unreachable. <br> <br> </div> Is there a way to make each IPA system a SOA for the same domain and still have the DNS records replicate between them?<br> <br> </div> thanks,<br> <br> </div> Bob Harvey<br> </div> </blockquote> </div> <br> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>