I forgot my main use case: I have name-based reverse proxies (SNI) for some web apps/services, which are accessible both from the internal and external network. They must be accessed with the exact same name/URL, otherwise the dispatch cannot work. Until now I manage this by manually editing all /etc/hosts on all internal computers, but I had hoped to benefit from the freeIPA DNS for a more elegant solution.
On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 8.7.2015 16:32, Karl Forner wrote:
> > Thanks Petr.
> >
> > My use case is: we have scripts that connect to some services, let's say a
> > docker registry.
> > I want these scripts to work either internally or externally, without
> > changing the URLs.
> > What would be the best or easiest setting to achieve this?
>
> Personally I use a config file for this. I.e. the script is the same and URLs,
> names, passwords, etc. are read from a config file stored alongside the script.
>
> This allows me to test it easily without any changes in DNS or system-wide
> configuration like /etc/hosts.
>
> Yes, it requires more code, but in the long term it is way more debuggable than
> DNS tricks.
>
> Petr^2 Spacek
>
> > On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:
> >
> >> On 8.7.2015 15:07, Karl Forner wrote:
> >>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
> >>>
> >>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>>>
> >>>>> When using my freeIPA DNS name server for my domain example.test, I need
> >>>>> to exclude some names from the server (to be forwarded to the DNS
> >>>>> forwarder, for instance).
> >>>>>
> >>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
> >>>>> How could I implement this?
> >>>>
> >>>> That would mean you have two different nameservers authoritative for
> >>>> the same DNS domain. That is generally not a recommended setup.
> >>>>
> >>>
> >>> Yes, that's what I read, but I do not know how to easily do it differently.
> >>> But in the end, what I'd like for my users is to have foo.example.test
> >>> resolved from the outside to my external server IP, and from the inside to
> >>> the internal server IP.
> >>
> >> Such a setup is generally not recommended because it is usually a pain when it
> >> comes to long-term operation and maintenance.
> >>
> >> http://www.freeipa.org/page/DNS#Caveats
> >> http://www.freeipa.org/page/Deployment_Recommendations#DNS
> >>
> >> Two main use-cases are:
> >>
> >> a) Two or more different servers are using the same name and which server is
> >> used depends on the client's network.
> >>
> >> This is usually very cumbersome because DNS caching will play against you,
> >> especially when we introduce a system-wide cache into Fedora 23.
> >>
> >> It is also hard to manage and debug because you have to ask the same question
> >> from different networks etc. And it will be harder when you deploy DNSSEC to
> >> increase security...
> >>
> >> The typical recommendation is to use a sub-domain for internal names, e.g.
> >> i.example.com for internal names and example.com for
> >> externally-resolvable names.
> >>
> >> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
> >>
> >> Yes, it is as bad an idea as it sounds.
> >>
> >>>> Can't you make foo.example.test a CNAME to foo.example.org or another
> >>>> hostname, in a domain with a different authoritative DNS server?
> >>>>
> >>>
> >>> Hmm yes, that should work, thanks!
> >>
> >> Please keep in mind that it only hides the problem under yet another layer of
> >> indirection.
> >>
> >> <humor>
> >> Yes, it is always possible! We know it because it is written in
> >> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
> >> (6), but you should take point (3) into account, too :-)
> >> </humor>
> >>
> >> --
> >> Petr^2 Spacek
>
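The config-file approach Petr describes in the quoted reply (per-network URLs read from a file kept next to the script, instead of split-horizon DNS), as an added example that is not code from the thread or from FreeIPA; the profile names, hostnames and the SERVICE_PROFILE variable are assumptions:

```python
"""Select service endpoints from a config file instead of DNS tricks.

Added example, not code from the thread: it follows the advice above of
keeping per-network URLs in a config file next to the script.  Profile
names, hostnames and the SERVICE_PROFILE variable are assumptions.
"""
import configparser
import os
from urllib.parse import urlparse

# Constructed sample config: the internal profile uses an internal
# sub-domain (i.example.test) as recommended; the external one uses the
# public name, so no resolver has to answer differently for one name.
SAMPLE_CONFIG = """
[internal]
registry = https://registry.i.example.test:5000

[external]
registry = https://registry.example.test
"""


def load_profiles(text):
    """Parse INI text into {profile: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def select_profile(profiles, name=None, environ=os.environ):
    """Pick a profile: explicit name, else SERVICE_PROFILE, else 'internal'."""
    chosen = name or environ.get("SERVICE_PROFILE", "internal")
    if chosen not in profiles:
        raise KeyError(f"unknown profile {chosen!r}; known: {sorted(profiles)}")
    return profiles[chosen]


def registry_url(profile):
    """Return the registry URL, refusing plain http or a URL without a host."""
    url = profile["registry"]
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"refusing registry URL {url!r}: https with a host required")
    return url


if __name__ == "__main__":
    # Switching network only means SERVICE_PROFILE=external, no /etc/hosts edits.
    print(registry_url(select_profile(load_profiles(SAMPLE_CONFIG))))
```

Testing the script from the other network is then a matter of changing one variable, with DNS and /etc/hosts untouched.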
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project