There are advantages to using Route53 for DNS if you are running in
Amazon so I can see the point -- automatic DNS record updates based on
the results of health checks or load-balancer swap-outs are huge for
maintaining uptime while changes happen under the hood. The R53 support
for weighted record sets is awesome as well for doing A/B testing on new
services. They can also change up their responses based on the
geographic IP of the requestor, which is interesting for building global
apps serviced by localized infrastructure.
For what it's worth we run IPA in a couple of global AWS regions without
doing a lot of DNS -- we delegate DNS back to our core AD domain
controllers.
However we are operating in the nonstandard split domain mode:
- company-IPA.com (our Kerberos realm and IPA infrastructure)
- company-AWS.com (the domain name all our managed clients use)
- company.com, nafta.company.com, apac.company.com etc. etc. are the
real AD child domains we access via the trust relationship for managing
users. IPA is the only thing that lets Linux traverse the transitive
trust forest we have to access.
All DNS for company-AWS.com is delegated back to our AD controllers. We
could swap route53 in if needed.
DNS for company-IPA.com got a bit strange -- we set up a public Route53
zone for external queries but internal to the VPC and company DNS for
the company-IPA.com domain gets delegated back to the IP addresses of
our IPA servers so that they can answer questions about themselves.
Pretty sure you can make IPA happy even if all your DNS is in Route53 --
a quick look at the supported record types seems to indicate that they
support the various SRV, AAAA, PTR and TXT records that IPA likes to use
and query:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html
Chris
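As an added illustration of the last point (this is example code written for this thread, not FreeIPA or AWS code): the check below takes a record dump in the shape the Route53 ListResourceRecordSets API returns (`Name`, `Type`, `ResourceRecords[].Value`) and verifies that the SRV and TXT records a FreeIPA domain relies on are present, advertise the expected ports, and point at hosts that actually have A/AAAA records in the zone. The domain and realm names are the placeholders from this thread; the server names and addresses are constructed. The expected record list is the well-known set FreeIPA publishes for its Kerberos, kpasswd and LDAP services, which is what you would compare a hand-maintained Route53 zone against after moving DNS out of IPA.

```python
"""Check a Route53-style record dump for the DNS records FreeIPA relies on.

Example code for this thread, not FreeIPA or AWS code.  Assumptions:
- record sets use the Route53 ListResourceRecordSets shape
  (Name/Type/ResourceRecords[].Value), owner names dot-terminated;
- the expected set is FreeIPA's well-known service records: _kerberos,
  _kerberos-master and _kpasswd SRV over TCP and UDP, _ldap._tcp SRV, and a
  _kerberos TXT record carrying the realm name.
"""
from typing import Dict, List

# Service owners FreeIPA clients look up, with the port each SRV should carry.
IPA_SRV_RECORDS = {
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated owner name for comparison."""
    return name.lower().rstrip(".") + "."


def index_zone(record_sets: List[dict]) -> Dict[tuple, List[str]]:
    """Map (owner, type) -> record values from a Route53-style dump."""
    index: Dict[tuple, List[str]] = {}
    for rrset in record_sets:
        key = (_fqdn(rrset["Name"]), rrset["Type"].upper())
        index.setdefault(key, []).extend(
            rr["Value"] for rr in rrset.get("ResourceRecords", [])
        )
    return index


def check_ipa_records(record_sets: List[dict], domain: str, realm: str) -> List[str]:
    """Return findings; an empty list means every expected record checks out.

    Checks: each expected SRV owner exists and advertises the expected port,
    every SRV target has an A or AAAA record in the zone, and the _kerberos
    TXT record names the Kerberos realm (surrounding quotes stripped).
    """
    zone = index_zone(record_sets)
    base = _fqdn(domain)
    findings: List[str] = []

    for service, port in IPA_SRV_RECORDS.items():
        owner = f"{service}.{base}"
        values = zone.get((owner, "SRV"))
        if not values:
            findings.append(f"missing SRV record {owner}")
            continue
        for value in values:
            fields = value.split()  # Route53 SRV value: "priority weight port target"
            if len(fields) != 4:
                findings.append(f"malformed SRV value {value!r} at {owner}")
                continue
            _prio, _weight, srv_port, target = fields
            if srv_port != str(port):
                findings.append(f"{owner} advertises port {srv_port}, expected {port}")
            target = _fqdn(target)
            if (target, "A") not in zone and (target, "AAAA") not in zone:
                findings.append(f"SRV target {target} has no A/AAAA record in zone")

    txt_owner = f"_kerberos.{base}"
    txt_values = [v.strip('"') for v in zone.get((txt_owner, "TXT"), [])]
    if not txt_values:
        findings.append(f"missing TXT record {txt_owner}")
    elif realm not in txt_values:
        findings.append(f"{txt_owner} TXT says {txt_values!r}, expected realm {realm!r}")

    return findings


def sample_zone(include_kpasswd_udp: bool = True, realm: str = "COMPANY-IPA.COM") -> List[dict]:
    """Constructed Route53-style dump for a two-server IPA deployment."""
    servers = ["ipa1.company-ipa.com.", "ipa2.company-ipa.com."]  # constructed hosts
    sets = [
        {"Name": s, "Type": "A", "ResourceRecords": [{"Value": f"10.0.0.{i + 10}"}]}
        for i, s in enumerate(servers)
    ]
    for service, port in IPA_SRV_RECORDS.items():
        if service == "_kpasswd._udp" and not include_kpasswd_udp:
            continue  # simulate a record that was forgotten during migration
        sets.append({
            "Name": f"{service}.company-ipa.com.",
            "Type": "SRV",
            "ResourceRecords": [{"Value": f"0 100 {port} {s}"} for s in servers],
        })
    sets.append({"Name": "_kerberos.company-ipa.com.", "Type": "TXT",
                 "ResourceRecords": [{"Value": f'"{realm}"'}]})
    return sets


if __name__ == "__main__":
    print(check_ipa_records(sample_zone(), "company-ipa.com", "COMPANY-IPA.COM"))
    broken = sample_zone(include_kpasswd_udp=False, realm="COMPANY-AWS.COM")
    for finding in check_ipa_records(broken, "company-ipa.com", "COMPANY-IPA.COM"):
        print(finding)
```

Feeding it a real dump is a matter of replacing `sample_zone()` with the `ResourceRecordSets` list from the Route53 API; the TXT check is worth keeping, since a realm name that differs from the DNS domain (as in the split setup above) is exactly the kind of thing that gets copied wrong when records are maintained by hand.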
Andrew Meyer via FreeIPA-users
<mailto:freeipa-users@lists.fedorahosted.org>
December 28, 2017 at 11:05 AM
My company is looking to migrate a lot of our stuff to amazon and shut
down what we have in the data-centers. However there was no plan to
migrate the ldap system we have. I have since suggested that we look
into FreeIPA. This is well liked but my boss wants to use Route53 for
split horizon DNS. What I am wanting to know is 1) how well does
FreeIPA handle Split Horizon DNS? 2) if we decided to not use DNS w/
FreeIPA and put the records in Amazon, will that suffice? I have read
other threads where it has been recommended to NOT forgo DNS setup w/
FreeIPA.
Thoughts, comments, suggestions?
Thank you!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org