Hi Vinícius, I am looking at exactly this at the moment. My experience so far is that:
- xCAT’s ‘makedns -e’ uses TSIG to update at least the first DNS server in the master’s /etc/resolv.conf
- xCAT’s TSIG key appears to be hmac-md5
  + I’d like to know if I could go to hmac-sha512 instead but I think that may be hardcoded as the hashing function declaration isn’t in the omapi entry of the password table, just the secret
- https://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG basically applies
- add the xcat_key stanza to the /etc/named.conf files and ‘rndc reload’ on all FreeIPA replicas
- for the relevant FreeIPA forward zones the update-policy ‘grant xcat_key zonesub A CNAME;’ is required in addition to whatever is already there
  + if you are doing that at the command line, ‘ipa dnszone-show zone.name. --all’ shows the existing policy
  + note that ‘ipa dnszone-mod zone.name. --update-policy …’ replaces and does not append
- for the relevant FreeIPA reverse zones the update-policy ‘grant xcat_key zonesub PTR;’ is required in addition to whatever is already there
- those may not be the most appropriate policy wordings but they work for me
- ‘ipa dnszone-mod zone.name. --dynamic-update true’ is required for both forward and reverse zones
- the ‘@’ records and Authoritative Server settings that FreeIPA creates by default may need adjusting if those defaults are not reachable by your xCAT master
- you can test the talking-to-FreeIPA bit without any of the xCAT stuff using the ‘nsupdate’ command
- I haven’t yet attempted to enrol my xCAT master as an IPA client so I’ve no idea if kinit’ing with appropriate privilege would make the TSIG key work unnecessary
- I don’t know if xCAT can speak GSS-TSIG

‘makedns -e’ now almost works for me: it updates all the IPA DNS records that I am expecting from my xCAT config and a few more I wasn’t expecting from having manually added stuff to my /etc/hosts, all without touching the existing local config.
It is still returning an exit code of 1 so there’s still something to track down, but I think that is now down to inconsistencies and oddities in my xCAT config and /etc/hosts file, complicated by my particular setup not being authoritative for some domains I use. I also ship fully-populated /etc/hosts files to all our xCAT-managed nodes, so I’m hoping for a seamless changeover when redirecting the nodes to the FreeIPA DNS instances instead of the one on the xCAT master.

I hope that helps and I’d appreciate hearing about anything you learn along the way!

Jon

--
Dr. Jonathan Diprose <[email protected]<mailto:[email protected]>>
Tel: 01865 287837
Research Computing Manager
Henry Wellcome Building for Genomic Medicine
Roosevelt Drive, Headington, Oxford OX3 7BN

From: Vinícius Ferrão via xCAT-user [mailto:[email protected]]
Sent: 11 September 2019 15:32
To: xCAT Users Mailing list
Cc: Vinícius Ferrão
Subject: [xcat-user] Removing BIND from xCAT

Hello,

I’ve come across this documentation page: https://xcat-docs.readthedocs.io/en/stable/advanced/domain_name_resolution/domain_name_resolution.html#option-2-use-a-dns-that-is-outside-of-the-cluster

And it says specifically that I can use an external DNS server. So the point is, with this option xCAT does not even use the shipped BIND? Can it coexist with another BIND daemon on the same machine?

I’m interested in installing FreeIPA and enabling DNS integrated Zones, so FreeIPA handles the DNS service.

Thanks,
_______________________________________________ xCAT-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/xcat-user
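As an added example that is not part of the thread and is not xCAT's or FreeIPA's own code: the FreeIPA-side steps Jon lists above (key stanza for named.conf, the forward/reverse update-policy grants, --dynamic-update, and an nsupdate check) scripted in POSIX sh. The one thing it adds is a merge step, because 'ipa dnszone-mod --update-policy' replaces the zone's policy rather than appending to it. Assumptions not stated in the thread: the key name xcat_key as used in xCAT's omapi stanza, the "BIND update policy:" label that 'ipa dnszone-show --all' prints, and the sample zone/host names in the driver.

```shell
#!/bin/sh
# Added example, not code from the thread, xCAT or FreeIPA. It scripts the
# FreeIPA side of the procedure described above. Assumptions (not from the
# thread): the key name "xcat_key", the "BIND update policy:" label printed by
# 'ipa dnszone-show --all', and the sample zone/host names used in the driver.
set -eu

KEY_NAME="xcat_key"   # assumption: matches the key name in xCAT's omapi stanza

# BIND 'key' stanza for /etc/named.conf on every FreeIPA replica (follow it
# with 'rndc reload'). The algorithm is a parameter: the thread reports xCAT
# generating an hmac-md5 key and does not confirm whether a SHA-2 HMAC works.
render_key_stanza() {
    name="$1"; algorithm="$2"; secret="$3"
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' \
        "$name" "$algorithm" "$secret"
}

# 'ipa dnszone-mod --update-policy' REPLACES the zone's policy. Passing only
# the new grant silently drops the krb5-self grants FreeIPA clients depend on,
# so always merge with the existing policy first. Idempotent: a grant that is
# already present is not appended twice.
merge_update_policy() {
    existing="$1"; grant="$2"
    case "$existing" in
        "")         printf '%s' "$grant" ;;
        *"$grant"*) printf '%s' "$existing" ;;
        *)          printf '%s %s' "$existing" "$grant" ;;
    esac
}

# nsupdate script that exercises the grant with no xCAT involvement:
# add one A record, then remove it again. Feed it to
#   nsupdate -y hmac-md5:xcat_key:SECRET
# so both transactions are signed with the same TSIG key xCAT will use.
render_nsupdate_test() {
    server="$1"; zone="$2"; fqdn="$3"; ip="$4"
    printf 'server %s\nzone %s\nupdate add %s 300 A %s\nsend\nupdate delete %s A\nsend\n' \
        "$server" "$zone" "$fqdn" "$ip" "$fqdn"
}

# Read the current policy, append the grant, enable dynamic updates.
# Runs real 'ipa' commands, so it is only reached via the 'apply' driver.
apply_zone_policy() {
    zone="$1"; grant="$2"
    # assumption: the --all output labels the policy "BIND update policy:"
    existing=$(ipa dnszone-show "$zone" --all | sed -n 's/^ *BIND update policy: //p')
    merged=$(merge_update_policy "$existing" "$grant")
    ipa dnszone-mod "$zone" --update-policy="$merged" --dynamic-update true
}

# Driver. Nothing below runs when the file is sourced for its functions.
#   ./xcat_ipa_dns.sh apply forward.zone. reverse.zone.in-addr.arpa.
#   ./xcat_ipa_dns.sh stanza hmac-md5 BASE64SECRET >> /etc/named.conf && rndc reload
#   ./xcat_ipa_dns.sh nsupdate-test replica.zone. zone. host.zone. 10.0.0.50 | nsupdate -y hmac-md5:xcat_key:SECRET
if [ "${1:-}" = "apply" ]; then
    apply_zone_policy "$2" "grant ${KEY_NAME} zonesub A CNAME;"
    apply_zone_policy "$3" "grant ${KEY_NAME} zonesub PTR;"
elif [ "${1:-}" = "stanza" ]; then
    render_key_stanza "$KEY_NAME" "$2" "$3"
elif [ "${1:-}" = "nsupdate-test" ]; then
    render_nsupdate_test "$2" "$3" "$4" "$5"
fi
```

The merge is the part worth keeping even if you do the rest by hand: run 'ipa dnszone-show zone. --all' first, then pass the whole existing policy plus the xcat_key grant back in, because a bare 'grant xcat_key zonesub A CNAME;' as the new policy would remove the self-update grants that enrolled IPA clients rely on.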
