Hi Angus, Just be aware that maintaining parrellel records is an overhead in the longer term as it's a manual process of keeping things in sync.
Delegation is a simpler more natural solution in general. Your pubic DNS servers can delegate to an internal DNS domain and then you'll only have the internal addresses of your DNS servers in the public domain. For example angusclark.com has public nameservers a.b.c.d and a.b.c.e which delegates int.angusclark.com to internal freeipa nameservers ipa1.int.angusclark.com 10.10.10.10 and ipa2.int.angusclark.com 10.10.10.11 using glue records on the public servers. The you just follow the bouncing ball for setting up freeipa with integrated DNS. Outbound Name resolution would use the freeipa servers which would forward to a convenient resolver or you do resolution via the root nameservers which is probably a more secure solution. -----Original Message----- From: Angus Clarke via FreeIPA-users < [email protected]> Reply-To: FreeIPA users list <[email protected]> To: Rafael Jeffman <[email protected]>, Peter Larsen < [email protected]> Cc: Dave Mintz <[email protected]>, FreeIPA users list < [email protected]>, Angus Clarke < [email protected]> Subject: [Freeipa-users] Re: DNS and FreeIPA Date: Mon, 27 Dec 2021 23:26:31 +0000 Thanks for your replies, I think I need to focus on internal resolver configuration and less on public subdomain delegation. Cheers Angus From: Rafael Jeffman <[email protected]> Sent: Monday, 27 December 2021, 11:11 pm To: Peter Larsen Cc: Angus Clarke; FreeIPA users list; Dave Mintz Subject: Re: [Freeipa-users] Re: DNS and FreeIPA Hello Angus, Besides what Peter has written, let's get this warning from FreeIPA site [1]: > **Avoid name collisions** > We strongly recommend that you do not use a domain name that is not > delegated to you, even on a private network. For example, you should > not use domain name company.int if you don't have valid delegation for > it in public DNS tree. As you can see, it is similar to what was on the Red Hat documentation you mentioned before. This first part of the warning says that you should not configure your domain name with some "random" name if you don't own the domain. For example, you should not use "cisco.com", "google.com" or "redhat.com", even if your network is a private one. Note that, if it is a private network, you "could" do it, but you shouldn't do it. Why? The answer is on the warning itself: > If this rule is not respected, the domain name will be resolved differently > depending on the network configuration. As a result, network resources > will become unavailable. > Using domain names that are not delegated to > you also makes DNSSEC more difficult to deploy and maintain. For > further information about this issue please see the ICANN FAQ on > domain name collisions. Imagine you try to access google search and your private network uses 'google.com' as the domain. You would probably be redirected to an internal server, instead of Google's search engine. (I'll not even get into DNSSEC issues.) So, you find everywhere about "a domain that is delegated to you", well, that domain is any domain you have registered (e.g.: angusclark.com). Even as your domain have nameserver which is probably not under your control (and controlled by whom you registered your domain), you have control over your domain, and as such, you can create subdomains on your private network that will not collide with any other domain (say, ipa.angusclark.com). If you manage this domain from your internal FreeIPA servers, there will be no name collision. I have a (few) registered domain(s), which I use both as a public facing server (static, github pages), and within my private network, which no one from outside can see, I have a subdomain (ipa) which I use for managing my users and hosts. Regards, Rafael [1]: https://www.freeipa.org/page/Deployment_Recommendations On Mon, Dec 27, 2021 at 6:08 PM Peter Larsen <[email protected]> wrote: > On 12/27/21 15:27, Angus Clarke wrote: > > > > > Ok let's try this: > > > > > > I've just registered > angusclarke.com with a public DNS provider and am > > > ready to deploy FreeIPA for my corporate network which uses a > private > > > IP space. How do I do this? > > > > This is where things get odd for me. Why are you registering a TLD > for a > > private DNS server? That makes no sense. Public domain servers > require > > public access by definition. Otherwise they don't work. > > > > > According to this > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names#sec-Recommended_Naming_Practices > > > > > > then I should have a domain delegated to me, but I am not a public > DNS > > > provider, > > > > Which means you shouldn't register a domain. Just add the domain to > > freeIPA and have your clients use your FreeIPA dns server(s). Done. > All > > free! > > > > > I'm just Angus Clarke ... Nor do I want my private IP space > available > > > to be looked up in a public DNS record > > > > You don't. You cannot blow and have flour in your mouth at the same > > time. When you register a domain you MUST provide public NS servers > > which are authoritative for that domain which anyone querying your > > domain will be forwarded to. By definition they HAVE to be public. > You > > can absolutely expose your FreeIPA name servers to the public, but > it's > > a whole other issue if you want to, as the configuration and > security > > gets a bit convoluted - but it can be done. > > > > > ... And I'd rather have my private IP records handled by my > internal > > > DNS system - all of this is standard practise for companies and > > > individuals however I dont think this topic is suitably addressed > in > > > the redhat documentation - I see a disconnect in the > recommendation > > > pasted above vs the installation documentation for FreeIPA. > > > > For internal ONLY domains there is absolutely NO NEED to register a > > domain with a public DNS service. You can even pretend to be > "cisco.com" > > > or other addresses and your clients will happily use your DNS server > > (well, if DNSSEC is on it may not be that simple) instead of > Cisco's. > > Public domains are for public access only. Your own network is your > own > > domain (sic) and you can do what you want, without having to > register > > anything. > > > > > > Maybe I've missed it, maybe I can promote the topic here and it can > be > > > championed in the right direction, maybe I can even help on the > topic > > > myself. > > > > You're making it a lot harder. Just install FreeIPA, configure DNS > and > > add your domain. Set your DHCP server to use your FreeIPA server's > IP > > the DNS server address for the clients, renew the DHCP leases and > voila, > > they're using that domain you just defined, internally only resolving > to > > internal addresses etc. > > > > -- > > Regards > > Peter Larsen > > > > _______________________________________________FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
