Greetings all,

I'm running the following FreeIPA:

Installed Packages
freeipa-client.x86_64          4.9.10-4.fc36   @updates
freeipa-client-common.noarch   4.9.10-4.fc36   @updates
freeipa-common.noarch          4.9.10-4.fc36   @updates
freeipa-healthcheck.noarch     0.11-2.fc36     @updates
freeipa-healthcheck-core.noarch 0.11-2.fc36    @updates
freeipa-selinux.noarch         4.9.10-4.fc36   @updates
freeipa-server.x86_64          4.9.10-4.fc36   @updates
freeipa-server-common.noarch   4.9.10-4.fc36   @updates
freeipa-server-dns.noarch      4.9.10-4.fc36   @updates
libipa_hbac.x86_64             2.7.4-1.fc36    @updates
python3-ipaclient.noarch       4.9.10-4.fc36   @updates
python3-ipalib.noarch          4.9.10-4.fc36   @updates
python3-ipaserver.noarch       4.9.10-4.fc36   @updates
python3-libipa_hbac.x86_64     2.7.4-1.fc36    @updates
sssd-ipa.x86_64                2.7.4-1.fc36    @updates

My other internal DNS server is 9.16.33-1.fc36 running on the same OS revision. Both my FreeIPA subdomain and the subdomain served by the other Bind 9 instance are serving subdomains of my issued domain name but are hidden. My public DNS (also Bind9, but on Debian) is in my DMZ and accessible via local LAN links to all FreeIPA clients. My publicly accessible hosts are not FreeIPA clients and don't look up internal PTR records or need any integration with FreeIPA. If something really requires the DS records for the subdomains to be available, I could create a view on the public server that serves that data, including the subdomain authority delegation. I'd rather not take this step unless it's really a necessity.

I don't have any FreeIPA secondary servers at present since I can't see a point in having 2 copies of the same server running as VMs on the same host machine. As I lack another machine with sufficient power to run FreeIPA server, I just back up regularly. Therefore, the packages that manage a fleet of servers are unnecessary overhead, since I have just 1.

ipa dnszone-show returns the following as the first line of output, followed by the other settings looking as expected:

ipa: WARNING: No DNSSEC key master is installed. DNSSEC zone signing will not work until the DNSSEC key master is installed.

I have created ZSK and KSK keys for the ipa subdomain. I'm wondering if there's an easier way to import them than manually creating the DNSKEY 256 and 257 records. I've searched, fruitlessly, for the information in the doc and can only find passing references to DNSSEC, with no key import instructions.

rndc dnssec -status <myipa>.domain.com reports:

Zone does not have dnssec-policy

Do I change that in named config files, or is there a preferred way to set it via FreeIPA?

After I sent my first attempt at this message, I stumbled upon the fact that Bind had updated to support fully automatic key management. At my last digging, it still required the admin to generate and install keys manually. All my other servers are properly using the default dnssec-policy and inline-signing is yes.

At some point I'll remember that I can't send mailing list emails from Thunderbird without ProtonMail signing it.

Thanks in advance,
Eric

Sent with Proton Mail secure email.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
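Added worked example (editor's note, not part of Eric's message or of the FreeIPA project's code): the one record the parent zone needs for a signed subdomain delegation is the DS, and it is derived from the KSK's DNSKEY rather than typed in by hand. The script below parses a DNSKEY RR in zone-file presentation format, computes the RFC 4034 key tag, builds the SHA-256 DS digest (RFC 4509) over the canonical owner name plus the DNSKEY RDATA, and refuses to emit a DS for a ZSK (flags 256, no SEP bit). The owner name `ipa.example.com.` and both key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed sample DNSKEY RRs in presentation format (NOT real keys, placeholders only):
# a KSK (flags 257 = zone key + SEP) and a ZSK (flags 256 = zone key only) for a
# hypothetical FreeIPA subdomain. Parenthesised multi-line base64 is accepted.
SAMPLE_KSK = "ipa.example.com. 3600 IN DNSKEY 257 3 13 ( AAECAw== )"
SAMPLE_ZSK = "ipa.example.com. 3600 IN DNSKEY 256 3 13 ( BAUGBw== )"

DS_DIGEST_SHA256 = 2   # DS digest type number for SHA-256 (RFC 4509)
FLAG_ZONE_KEY = 0x0100  # DNSKEY flags bit 7
FLAG_SEP = 0x0001       # DNSKEY flags bit 15, set on KSKs


def parse_dnskey(record: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' into its fields."""
    fields = record.replace("(", " ").replace(")", " ").split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(fields[idx + 1]), int(fields[idx + 2]), int(fields[idx + 3]))
    key = base64.b64decode("".join(fields[idx + 4:]), validate=True)
    return owner, flags, protocol, algorithm, key


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the variant used for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-case, length-prefixed labels, root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def ds_from_dnskey(record: str) -> str:
    """Return the DS RR (SHA-256) for a KSK DNSKEY; raise ValueError for anything that is not a KSK."""
    owner, flags, protocol, algorithm, key = parse_dnskey(record)
    if not (flags & FLAG_ZONE_KEY):
        raise ValueError("not a zone key (flags bit 7 clear)")
    if not (flags & FLAG_SEP):
        raise ValueError("ZSK supplied; publish a DS only for the KSK (SEP bit set)")
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {DS_DIGEST_SHA256} {digest}"


if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_KSK))
    try:
        ds_from_dnskey(SAMPLE_ZSK)
    except ValueError as exc:
        print("ZSK rejected:", exc)
```

The DS line this prints is what belongs in the parent zone (for the setup described in the message, a view on the public Bind9 server would be one place to serve it). Before publishing, cross-check the key tag and digest against what BIND's own `dnssec-dsfromkey` produces for the same DNSKEY; a mismatch means the owner name or the base64 blob was copied wrongly, and a wrong DS breaks validation for the whole subdomain.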