Hello Stephen,

On Fri, Feb 4, 2022 at 1:17 PM Stephen Berg, Code 7309 via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> New-ish ipa-4.9.6 setup on rocky linux 8.5. Initially we just set up the
> basic IPA services without DNS. I've started setting up ipa-dns now and
> am not quite sure what the best way to proceed is.
>
> Hypothetical settings:
>
> All hosts are set up as:
> hostname.domain.com
> All hosts have an alias:
> hostname.realm.domain.com
>
> I do not administer the authoritative DNS but I can add and delete
> records for the areas I manage. We currently run a few dnsmasq servers
> on our subnets with manually managed /etc/hosts on each. I want to
> utilize the ipa-dns to take over for our dnsmasq servers.
>
> I've done the ipa-dns-install, pointed forwarders to our authoritative
> DNS servers. What I can't quite wrap my head around is the best way to
> proceed from that point. Should I add the zone for the realm version
> hostnames and a separate zone for the domain level hostnames?
>
> Or add one zone and then add a CNAME for the other hostname? Should the
> zone I set up be the hostname.realm.domain version or the hostname.domain
> version? Or does it really matter much?

IPA integrated DNS works as an authoritative server. If your IPA DNS server is to be used only by the internal network, I'd recommend adding a zone for these hosts, i.e. int.example.com for the domain example.com.

My setup includes an IPA with integrated DNS for the zone int.mydomain.net, and my domain mydomain.net authoritative DNS is managed elsewhere (and I will not bother to redirect anything). All my hosts resolve DNS from my IPA server(s), which forward queries they are not authoritative for. Note that it is a small network, with only internal access to IPA servers (no public-facing DNS), and very low traffic.

The IdM integrated DNS server is a BIND instance with some limitations; most notably, split-view (split-brain/split-horizon) is not supported.

> I do have quite a few hostnames that do not have a realm hostname
> set up. They are mostly service ports and won't ever be bound to IPA.
> After starting to add some of those I seem to be unable to resolve them
> to an IP.

Hosts don't have to be enrolled to IPA for DNS to be used. That said, I don't think I understood what you meant here.

I suppose you have read this, but if you missed it, I'd suggest giving it a try: https://www.freeipa.org/page/DNS

HTH,
Rafael

> --
> Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309
> Naval Research Laboratory
> W: (228) 688-5738
> DSN: (312) 823-5738
> C: (228) 365-0162
> Email: stephen.b...@nrlssc.navy.mil <- (Preferred contact)
> Flank Speed: stephen.p.berg....@us.navy.mil
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
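The layout Rafael recommends (an internal zone such as int.example.com served authoritatively by IPA, everything else forwarded upstream, and A records for hosts whether or not they are IPA-enrolled) can be scripted with the FreeIPA CLI. The script below is an added example and is not code from the thread or from the FreeIPA project; it assumes the `ipa` CLI with an admin Kerberos ticket, and the zone name, forwarder address and host inventory are constructed placeholders. It validates each inventory line before building the `ipa dnszone-add`, `ipa dnsconfig-mod` and `ipa dnsrecord-add` commands, and prints them unless `DRY_RUN=0` is set, so a bad line in a hand-maintained host list is rejected locally rather than ending up as a bogus record on the server.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: the FreeIPA CLI `ipa` is
# installed, an admin ticket exists (kinit admin), and the zone, forwarder and
# host values below are constructed placeholders for illustration.
set -eu

ZONE="int.example.com"      # assumption: internal zone served authoritatively by IPA
FORWARDER="192.0.2.53"      # assumption: the site's existing authoritative/upstream DNS
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the ipa commands, 0 = execute them

# Constructed inventory: "<short name> <IPv4>" per line. switch-mgmt stands in
# for a device that will never be IPA-enrolled; it gets an A record all the
# same. bad_host is there to show that an invalid label is rejected locally.
HOSTS='web01 10.0.0.11
bad_host 10.0.0.12
db01 10.0.0.12
switch-mgmt 10.0.0.200'

# Print or run a command depending on DRY_RUN.
ipa_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# RFC 1123 host label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars.
valid_label() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Dotted-quad IPv4: exactly four numeric octets, each 0..255.
valid_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
}

# Create the internal zone and send every other query to the upstream resolver.
plan_zone() {
    ipa_cmd ipa dnszone-add "$ZONE"
    ipa_cmd ipa dnsconfig-mod --forwarder="$FORWARDER" --forward-policy=only
}

# One A record per inventory host, after validating both fields.
plan_hosts() {
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        if ! valid_label "$name"; then
            printf 'skip %s: invalid host label\n' "$name" >&2; continue
        fi
        if ! valid_ipv4 "$ip"; then
            printf 'skip %s: invalid IPv4 %s\n' "$name" "$ip" >&2; continue
        fi
        ipa_cmd ipa dnsrecord-add "$ZONE" "$name" --a-rec="$ip"
    done
}

plan_zone
plan_hosts
```

Run it once as-is to review the generated commands, then with `DRY_RUN=0` to apply them. `--forward-policy=only` matches the setup Rafael describes, where IPA answers only for its own zone and hands everything else to the existing authoritative servers; since split-horizon is not supported by the integrated BIND, the internal zone name should be one that is never expected to resolve differently from outside.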