Is there any way to do an nsupdate of DNS records in an IPA server using a
TSIG key without having a Kerberos ticket?

We were going to swap out BIND in favor of IPA, but we need to be able to
do nsupdates.


On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com> wrote:

> We use nsupdate to move the location of some of our services around.
> For instance there might be two servers that exchange roles, like
> serv.east.abc.com and serv.west.abc.com  and we will have a service name
> like wiki.abc.com. The owner of the application has been given an
> nsupdate key that allows them to update and delete on the wiki.abc.com and
> have that record contain either an "A" record for one or the other of
> the two servers.
>
> I am very concerned that there might come a time when the SOA primary
> master server for this dynamic domain might be down when the application
> owner needs to do their nsupdate.
>
> One observation that we see is that Windows AD and DNS make every AD DNS
> server an SOA for any domain that it serves. That any dynamic DNS update
> can be serviced by any Domain controller and that this update is replicated
> with LDAP to the other DCs.
>
> It was our hope that we could use IPA for our DNS servers for this dynamic
> domain. That we would have multiple forward statements from our main DNS
> servers to the IPA DNS servers and that any IPA server would be the SOA.
> This way the nsupdate would be processed by any available IPA server in the
> event that one or more of these IPA DNS servers would be down or
> unreachable.
>
> Is there a way to make each IPA system a SOA for the same domain and still
> have the DNS records replicate between them?
>
> thanks,
>
> Bob Harvey
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
