<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 09.03.2017 09:04, Wimmer Ronald
(BCC.B.SO) wrote:<br>
</div>
<blockquote
cite="mid:97E471CB191D044F9F018C77836CF85B8A03E8E1@ARSEX004.oebb.at"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:DE-AT"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:DE-AT"
lang="EN-US"> Martin Basti [<a class="moz-txt-link-freetext" href="mailto:mbasti@redhat.com">mailto:mbasti@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday, 08 March 2017 14:54<br>
<b>To:</b> Wimmer Ronald (BCC.B.SO)
<a class="moz-txt-link-rfc2396E" href="mailto:Ronald.Wimmer@oebb.at">&lt;Ronald.Wimmer@oebb.at&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] External DNS and
replication<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-size:12.0pt;mso-fareast-language:DE-AT"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 08.03.2017 14:05, Wimmer Ronald
(BCC.B.SO) wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I am using FreeIPA
with external DNS. Is it ok to balance the requests
between master and replica with DNS SRV records like this:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos-master._tcp.example.net.
86400 IN SRV 10 50 88 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos-master._udp.example.net.
86400 IN SRV 10 50 88 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos._tcp.example.net.
86400 IN SRV 10 50 88 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos._udp.example.net.
86400 IN SRV 10 50 88 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kpasswd._tcp.example.net.
86400 IN SRV 10 50 464 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kpasswd._udp.example.net.
86400 IN SRV 10 50 464 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_ldap._tcp.example.net.
86400 IN SRV 10 50 389 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_ntp._udp.example.net.
86400 IN SRV 10 50 123 ipa1.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos-master._tcp.example.net.
86400 IN SRV 10 50 88 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos-master._udp.example.net.
86400 IN SRV 10 50 88 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos._tcp.example.net.
86400 IN SRV 10 50 88 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos._udp.example.net.
86400 IN SRV 10 50 88 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kpasswd._tcp.example.net.
86400 IN SRV 10 50 464 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kpasswd._udp.example.net.
86400 IN SRV 10 50 464 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_ldap._tcp.example.net.
86400 IN SRV 10 50 389 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_ntp._udp.example.net.
86400 IN SRV 10 50 123 ipa2.example.net.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">_kerberos.example.net.
86400 IN TXT "example.net"</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif;mso-fareast-language:DE-AT">Looks good to
me<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">ipa-ca.example.net.
86400 IN A 10.66.39.130</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">What about the
"ipa-ca" entry? </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif;mso-fareast-language:DE-AT"><br>
ipa-ca should contain all A/AAAA records of CA replicas<br>
<br>
IPA 4.4+ supports the command `ipa dns-update-system-records
--dry-run` to get all required records<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Ronald</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif;mso-fareast-language:DE-AT"><br>
Martin<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US">Thanks a lot. In
<a moz-do-not-send="true"
href="https://access.redhat.com/solutions/98043">https://access.redhat.com/solutions/98043</a>
Red Hat suggests using the same weight and the same priority for the
SRV records. Does that make sense?
</span></p>
</div>
</blockquote>
Priority should be the same, otherwise servers with higher priority will
work only as backups (preferably you should have priority 0).<br>
You can edit the weight to distribute more load to beefy servers.<br>
<br>
Please note that priority and weight are handled on the client side, so
it will work only on clients that process SRV records with priority
and weight. Some clients may ignore them.<br>
<br>
<blockquote
cite="mid:97E471CB191D044F9F018C77836CF85B8A03E8E1@ARSEX004.oebb.at"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US">I also noticed that I have no ntp record. Are
IPA clients relying on that entry? Do I have to create these
manually?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:'Courier New';color:windowtext;mso-fareast-language:DE-AT"
lang="EN-US">_ntp._udp.example.net. 86400 IN SRV
10 50 123 ipaserver1.example.net.</span><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:'Courier New';color:windowtext;mso-fareast-language:DE-AT"
lang="EN-US">_ntp._udp.example.net. 86400 IN SRV
10 50 123 ipaserver2.example.net.</span></p>
</div>
</blockquote>
It depends on your system configuration on clients. This is
basically used only by ipa-client-install because AFAIK the NTP client
doesn't support SRV lookup.<br>
<br>
Usually clients have a default NTP client configured, so it should
work.<br>
<br>
<blockquote
cite="mid:97E471CB191D044F9F018C77836CF85B8A03E8E1@ARSEX004.oebb.at"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#1F497D;mso-fareast-language:DE-AT"
lang="EN-US">Ronald<o:p></o:p></span></p>
</div>
<br>
<br>
</blockquote>
<br>
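<p>The priority and weight behaviour discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: a Python model of the RFC 2782 selection order a compliant client applies to an SRV record set, plus a check for targets that end up as backups only. The <code>_ldap</code> records with unequal priorities and all function names are constructed for illustration.</p>

```python
import random
from collections import Counter, defaultdict

# Constructed sample: _kerberos mirrors the equal-priority records quoted in the
# thread; _ldap is a hypothetical variant with unequal priorities for contrast.
ZONE = """\
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_ldap._tcp.example.net. 86400 IN SRV 0 100 389 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 100 389 ipa2.example.net.
"""

def parse_srv(zone_text):
    """Map owner name to [(priority, weight, port, target), ...]."""
    rrsets = defaultdict(list)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 8 and f[2:4] == ["IN", "SRV"]:
            rrsets[f[0]].append((int(f[4]), int(f[5]), int(f[6]), f[7]))
    return dict(rrsets)

def rfc2782_order(rrset, rng):
    """Order targets the way an RFC 2782 client tries them."""
    ordered = []
    for prio in sorted({r[0] for r in rrset}):  # lowest priority value first
        # Zero-weight records are placed first, as the RFC describes.
        group = sorted((r for r in rrset if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:  # first record whose running sum covers pick
                    ordered.append(group.pop(i)[3])
                    break
    return ordered

def backup_only(rrset):
    """Targets a compliant client contacts only after better-priority ones fail."""
    best = min(r[0] for r in rrset)
    return sorted(r[3] for r in rrset if r[0] != best)

def first_choice_share(rrset, trials=2000, seed=1):
    """Fraction of simulated clients that try each target first."""
    rng = random.Random(seed)
    hits = Counter(rfc2782_order(rrset, rng)[0] for _ in range(trials))
    return {target: n / trials for target, n in hits.items()}

if __name__ == "__main__":
    for owner, rrset in parse_srv(ZONE).items():
        print(owner, "backup-only:", backup_only(rrset), first_choice_share(rrset))
```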
</body>
</html>