Re: [Freeipa-users] DNS SOA Records

Tue, 13 May 2014 07:08:38 -0700 

On 05/13/2014 09:59 AM, Bob wrote:
Is there anyway to do a nsupdate of a DNS records in a IPA server using a TSIG key without having a kerberos ticket? 


We were going to swap out bind in favor of IPA, but we need to be able 
to nsupdates.




If you are using IPA you can give you clients keytabs.

It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll 
your clients using ipa-client-install.
If you have other operating systems some exploration would be required 
but it should be doable too.





On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com 
<mailto:harv...@gmail.com>> wrote:


    We use nsupdate to to move the location of some of our services
    around. For instance there might be two servers that exchange
    roles, like serv.east.abc.com <http://serv.east.abc.com> and
    serv.west.abc.com <http://serv.west.abc.com>  and we will have a
    service name like wiki.abc.com <http://wiki.abc.com>. The owner of
    the application has been given an nsupdate key that allows them to
    update and delete on the the wiki.abc.com <http://wiki.abc.com>
    and have that records contain either an "A" record for one or the
    other of the two servers.

    I am very concerned that there might come a time when the SOA
    primary master server for this dynamic domain might be down when
    the application owner needs to do their nsupdate.

    One observation that we see is that Window AD and DNS make every
    AD DNS server an SOA for any domain that it servers. That any
    dynamic DNS update can be serviced by any Domain controller and
    that this update is replicated with LDAP to the other DCs.

    It was our hope that we could use IPA for our DNS servers for this
    dynamic domain. That we would have multiple forward statements
    from our main DNS servers to the IPA DNS servers and that any IPA
    server would be the SOA. This way the nsupdate would be processed
    by any available IPA server in the event that one or more of these
    IPA DNS servers would be down or unreachable.

    Is there a way to make each IPA system a SOA for the same domain
    and still have the DNS records replicate between them?

    thanks,

    Bob Harvey




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users





















					Reply via email to