On 05/13/2014 09:59 AM, Bob wrote:
Is there any way to do an nsupdate of DNS records in an IPA server
using a TSIG key without having a Kerberos ticket?
We were going to swap out BIND in favor of IPA, but we need to be able
to do nsupdates.

If you are using IPA you can give your clients keytabs.
It is all automatic with RHEL, Fedora, CentOS for the last 5 years. Enroll
your clients using ipa-client-install.
If you have other operating systems some exploration would be required
but it should be doable too.

On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com> wrote:
We use nsupdate to move the location of some of our services
around. For instance there might be two servers that exchange
roles, like serv.east.abc.com and serv.west.abc.com, and we will have a
service name like wiki.abc.com. The owner of
the application has been given an nsupdate key that allows them to
update and delete on the wiki.abc.com
and have that record contain either an "A" record for one or the
other of the two servers.
I am very concerned that there might come a time when the SOA
primary master server for this dynamic domain might be down when
the application owner needs to do their nsupdate.
One observation that we see is that Windows AD and DNS make every
AD DNS server an SOA for any domain that it serves. That any
dynamic DNS update can be serviced by any Domain controller and
that this update is replicated with LDAP to the other DCs.
It was our hope that we could use IPA for our DNS servers for this
dynamic domain. That we would have multiple forward statements
from our main DNS servers to the IPA DNS servers and that any IPA
server would be the SOA. This way the nsupdate would be processed
by any available IPA server in the event that one or more of these
IPA DNS servers would be down or unreachable.
Is there a way to make each IPA system an SOA for the same domain
and still have the DNS records replicate between them?
thanks,
Bob Harvey
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
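
The reply above points to keytabs issued at enrollment as the way to authenticate updates without a person holding a ticket. As an added shell example that is not part of the thread, this shows an unattended GSS-TSIG update using the host keytab. It assumes the default /etc/krb5.keytab, a host/<fqdn> principal, a zone whose dynamic-update policy grants that principal the record, and a constructed address from 192.0.2.0/24; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): unattended GSS-TSIG update from an
# enrolled IPA client. The address used in the sample call is constructed.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}   # assumed: host keytab from ipa-client-install

valid_name() {   # plain DNS name only, so input cannot inject nsupdate commands
    case $1 in ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;; esac
}

valid_ipv4() {   # four dot-separated octets, each 0-255
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# build_update <zone> <fqdn> <ipv4> [ttl]: print the nsupdate batch that
# replaces the A record for <fqdn>. Returns 2 on rejected input.
build_update() {
    zone=$1 name=$2 ip=$3 ttl=${4:-300}
    valid_name "$zone" && valid_name "$name" && valid_ipv4 "$ip" || return 2
    case $ttl in ''|*[!0-9]*) return 2 ;; esac
    case $name in "$zone"|*".$zone") ;; *) return 2 ;; esac   # must be in zone
    printf 'zone %s.\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$zone" "$name" "$name" "$ttl" "$ip"
}

# send_update <zone> <fqdn> <ipv4> [ttl]: get a ticket from the keytab into a
# private cache, send the batch with GSS-TSIG (nsupdate -g), then clean up.
send_update() {
    batch=$(build_update "$@") || return 2
    KRB5CCNAME=FILE:$(mktemp /tmp/krb5cc_nsupdate.XXXXXX) || return 1
    export KRB5CCNAME
    rc=0
    if kinit -k -t "$KEYTAB" "host/$(hostname -f)"; then
        printf '%s\n' "$batch" | nsupdate -g || rc=$?
    else
        rc=1
    fi
    kdestroy -q
    rm -f "${KRB5CCNAME#FILE:}"
    return "$rc"
}

# On an enrolled host, run as a user that can read the keytab:
#   send_update abc.com wiki.abc.com 192.0.2.10
```

Because the ticket comes from the keytab, access to that file is what authorizes the update, so its permissions and the zone's update policy together define who can move the record.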