Hello Stephen,

On Fri, Feb 4, 2022 at 1:17 PM Stephen Berg, Code 7309 via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> New-ish ipa-4.9.6 setup on rocky linux 8.5. Initially we just set up the
> basic IPA services without DNS.  I've started setting up ipa-dns now and
> I'm not quite sure what the best way to proceed is.
>
> Hypothetical settings:
>
> All hosts are set up as:
>      hostname.domain.com
> All hosts have an alias:
>      hostname.realm.domain.com
>
> I do not administer the authoritative DNS but I can add and delete
> records for the areas I manage.  We currently run a few dnsmasq servers
> on our subnets with manually managed /etc/hosts on each.  I want to
> utilize the ipa-dns to take over for our dnsmasq servers.
>
> I've done the ipa-dns-install, pointed forwarders to our authoritative
> DNS servers.  What I can't quite wrap my head around is the best way to
> proceed from that point?  Should I add the zone for the realm version
> hostnames and a separate zone for the domain level hostnames?
>
>
> Or add one zone and then add a CNAME for the other hostname? Should the
> zone I set up be the hostname.realm.domain version or the hostname.domain
> version?  Or does it really matter much?
>
>
IPA integrated DNS works as an authoritative server. If your IPA DNS server
is to be used only by the internal network I'd recommend adding a zone for
these hosts, i.e.: int.example.com for the domain example.com.

My setup includes an IPA with integrated DNS for the zone int.mydomain.net,
and my domain mydomain.net authoritative DNS is managed elsewhere (and
I will not bother to redirect anything). All my hosts resolve DNS from my
IPA server(s), which forward queries they are not authoritative for. Note
that it is a small network, with only internal access to IPA servers (no
public-facing DNS), and very low traffic.

IDM integrated DNS server is a bind instance with some limitations, most
notably, split-view (split-brain/split-horizon) is not supported.


> I do have quite a few hostnames that do not have a realm hostname
> setup.  They are mostly service ports and won't ever be bound to IPA.
> After starting to add some of those I seem to be unable to resolve them
> to an IP.
>
>
Hosts don't have to be enrolled to IPA for DNS to be used. That said, I
don't think I understood what you meant here.

I suppose you have read this, but if you missed it, I'd suggest giving it a
try:
    https://www.freeipa.org/page/DNS

HTH,

Rafael


> --
> Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309
> Naval Research Laboratory
> W:   (228) 688-5738
> DSN: (312) 823-5738
> C:   (228) 365-0162
> Email: stephen.b...@nrlssc.navy.mil  <- (Preferred contact)
> Flank Speed: stephen.p.berg....@us.navy.mil
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>


-- 
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
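An added example, not from this thread or the FreeIPA project, laying out the single internal zone plus upstream forwarders that the reply recommends, using the `ipa` CLI. The zone name int.example.com, the host names and the 192.0.2.x addresses are assumed placeholders; setting IPA=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: one internal IPA DNS zone, forwarders to the existing
# authoritative servers, plus a quick resolution check.
# Zone, hosts and addresses below are assumptions/placeholders.
IPA="${IPA:-ipa}"               # set IPA=echo for a dry run

ZONE="int.example.com"          # assumed internal zone
FORWARDERS="192.0.2.53 192.0.2.54"  # assumed upstream authoritative servers

# Global forwarders: IPA answers for its own zones and hands everything
# else to the upstream servers ("first" = forward, fall back to recursion).
set_forwarders() {
  args=""
  for f in "$@"; do args="$args --forwarder=$f"; done
  $IPA dnsconfig-mod $args --forward-policy=first
}

# Forward zone for the internal hosts; dynamic updates let enrolled
# clients register their own records, everything else is added by hand.
create_zone() {
  $IPA dnszone-add "$1" --dynamic-update=TRUE
}

# add_host ZONE SHORTNAME IPV4: an A record, enrolled in IPA or not.
add_host() {
  $IPA dnsrecord-add "$1" "$2" --a-rec="$3"
}

# add_alias ZONE ALIAS TARGET: a CNAME; TARGET must be fully qualified
# and end with a trailing dot, otherwise IPA appends the zone name.
add_alias() {
  $IPA dnsrecord-add "$1" "$2" --cname-rec="$3"
}

# verify IPA_SERVER: one name IPA is authoritative for, and one it must
# forward. An empty answer for the second one means forwarding is broken.
verify() {
  dig +short @"$1" "host1.$ZONE" A
  dig +short @"$1" www.example.com A
}

main() {
  set_forwarders $FORWARDERS
  create_zone "$ZONE"
  add_host "$ZONE" host1 192.0.2.10
  add_host "$ZONE" switch1 192.0.2.20    # service port, never enrolled
  add_alias "$ZONE" files "host1.$ZONE."
}

case "${1:-}" in apply) main ;; esac
```

Run it as `sh script.sh apply` after `kinit` as a DNS administrator; then `verify ipa-server.int.example.com` should return both addresses.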