There are advantages to using Route53 for DNS if you are running in Amazon so I can see the point -- automatic DNS record updates based on the results of health checks or load-balancer swap-outs are huge for maintaining uptime while changes happen under the hood. The R53 support for weighted record sets is awesome as well for doing A/B testing on new services. They can also change up their responses based on the geographic IP of the requestor, which is interesting for building global apps serviced by localized infrastructure.

For what it's worth we run IPA in a couple of global AWS regions without doing a lot of DNS -- we delegate DNS back to our core AD domain controllers.

However we are operating in the nonstandard split domain mode:

- company-IPA.com (is our kerberos realm and IPA infrastructure)
- company-AWS.com (is the domain name all our managed clients use)
- company.com, nafta.company.com, apac.company.com etc. etc. are the real AD child domains we access via the trust relationship for managing users. IPA is the only thing that lets Linux traverse the transitive trust forest we have to access.

All DNS for company-AWS.com is delegated back to our AD controllers. We could swap route53 in if needed.

DNS for company-IPA.com got a bit strange -- we set up a public Route53 zone for external queries but internal to the VPC and company DNS for the company-IPA.com domain gets delegated back to the IP addresses of our IPA servers so that they can answer questions about themselves.

Pretty sure you can make IPA happy even if all your DNS is in route53 - a quick look at the supported record types seems to indicate that they support the various SRV, AAA, PTR and TXT records that IPA likes to use and query: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html

Chris
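As an added example (not code from the thread or from the FreeIPA project), the following builds the SRV/TXT/A record sets FreeIPA's own DNS publishes for client discovery in the shape Route53's ChangeResourceRecordSets API takes, then checks them against what the VPC-internal resolver for company-IPA.com actually answers. Server names, addresses and the resolver answers are constructed sample data.

```python
"""Added example (not from the thread): Route53 record sets for FreeIPA client
discovery, and a check of what the internal split-horizon resolver answers."""

KRB_PORT, KPASSWD_PORT, LDAP_PORT = 88, 464, 389

def ipa_discovery_rrsets(domain, realm, servers, ttl=300):
    """Record sets IPA clients look up; servers = [(fqdn, ipv4), ...]."""
    def srv(name, port):
        # Route53 SRV value format: "priority weight port target."
        return {"Name": f"{name}.{domain}.", "Type": "SRV", "TTL": ttl,
                "ResourceRecords": [{"Value": f"0 100 {port} {h}."} for h, _ in servers]}
    rrsets = [srv("_kerberos._tcp", KRB_PORT), srv("_kerberos._udp", KRB_PORT),
              srv("_kpasswd._tcp", KPASSWD_PORT), srv("_kpasswd._udp", KPASSWD_PORT),
              srv("_ldap._tcp", LDAP_PORT),
              # TXT record ipa-client-install reads to learn the realm name
              {"Name": f"_kerberos.{domain}.", "Type": "TXT", "TTL": ttl,
               "ResourceRecords": [{"Value": f'"{realm}"'}]}]
    rrsets += [{"Name": f"{host}.", "Type": "A", "TTL": ttl,
                "ResourceRecords": [{"Value": ip}]} for host, ip in servers]
    return rrsets

def change_batch(rrsets):
    """Wrap record sets as an UPSERT ChangeBatch for change-resource-record-sets."""
    return {"Comment": "FreeIPA service discovery",
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": r} for r in rrsets]}

def missing_records(expected, answers):
    """answers: {(name, type): set(values)} as seen by the internal resolver.
    Returns (name, type, value) triples clients would fail to find."""
    gaps = []
    for r in expected:
        got = answers.get((r["Name"].lower(), r["Type"]), set())
        gaps += [(r["Name"], r["Type"], rr["Value"])
                 for rr in r["ResourceRecords"] if rr["Value"] not in got]
    return gaps

# Constructed sample: two IPA masters in the VPC-internal company-IPA.com zone.
SERVERS = [("ipa1.company-ipa.com", "10.0.1.10"), ("ipa2.company-ipa.com", "10.0.2.10")]
EXPECTED = ipa_discovery_rrsets("company-ipa.com", "COMPANY-IPA.COM", SERVERS)

# Constructed resolver answers: ipa2 dropped from _ldap._tcp, realm TXT never published.
SAMPLE_ANSWERS = {(r["Name"], r["Type"]): {rr["Value"] for rr in r["ResourceRecords"]}
                  for r in EXPECTED}
SAMPLE_ANSWERS[("_ldap._tcp.company-ipa.com.", "SRV")].discard("0 100 389 ipa2.company-ipa.com.")
del SAMPLE_ANSWERS[("_kerberos.company-ipa.com.", "TXT")]

if __name__ == "__main__":
    for gap in missing_records(EXPECTED, SAMPLE_ANSWERS):
        print("missing:", gap)
```

Running the gap check against the internal resolver rather than the public Route53 zone is the point: the public zone should not carry the internal SRV and A records at all, so a clean result there says nothing about client enrollment.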


Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
December 28, 2017 at 11:05 AM
My company is looking to migrate a lot of our stuff to amazon and shut down what we have in the data-centers. However there was no plan to migrate the ldap system we have. I have since suggested that we look into FreeIPA. This is well liked but my boss wants to use Route53 for split horizon DNS. What I am wanting to know is 1) how well does FreeIPA handle Split Horizon DNS? 2) if we decided to not use DNS w/ FreeIPA and put the records in Amazon, will that suffice? I have read other threads where it has been recommended to NOT forgo DNS setup w/ FreeIPA.

Thoughts, comments, suggestions?

Thank you!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org