On 01/12/2025 12:46, lejeczek via FreeIPA-users wrote:
And by "internal" - many will agree - we mean "Intranet", which then would mean - although I'm new to the RPZ concept/idea, my logic tells me - it is exactly what the whole thing is for, no? To tell our internal networks/clients to "bugger off" when it comes to chosen (usually/mostly public FQDN), selected host/domain names - that was the first thing which came to my mind. If I got the whole thing right - then I'd humbly suggest (to @devel) to consider this for IPA's future releases; that should be a really very nice "enhancement" indeed.
Generally you shouldn't use the IPA-hosted DNS servers as recursive resolvers for your internal/intranet hosts.
These hosts should be configured to use separate/dedicated recursive resolvers within your infrastructure. These recursive resolvers should be configured with delegations for each IPA-hosted DNS zone to your IPA-hosted DNS servers. And it is these recursive resolvers where you'd use Response Policy Zones.
You would then configure each IPA server to use the same recursive resolvers (by configuring forwarders on each DNS server object & setting the forward policy to 'only'). With this in place, the IPA servers never perform any recursive lookups themselves, so there's no need to use RPZ on them.
You end up with a nice separation of duties: the recursive DNS servers perform recursive DNS lookups for everything within your own networks, giving you a single place to enforce policy. Your IPA servers act as authoritative DNS servers (for your IPA-hosted DNS zones) only; they don't perform any recursive lookups themselves. Instead they forward all queries to the same recursive DNS servers as everything else, and are therefore subject to the same policy as everything else.
-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
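The layout Sam describes (dedicated recursive resolvers carrying the RPZ policy, IPA servers authoritative only and forwarding everything else) as a worked configuration. This is an added example, not code from the thread or from the FreeIPA project: the zone name `ipa.example.test`, the `192.0.2.x` addresses, the `rpz.local` policy zone and the blocked name are all constructed; the delegation to the IPA servers is implemented here as a BIND `forward` zone on the resolver (a stub zone or parent-zone NS records would do the same job); the IPA side uses the `ipa dnsserver-mod` options `--forwarder` and `--forward-policy` for the per-server DNS server object mentioned above.

```shell
#!/bin/sh
# Generates the three pieces of the split design:
#   1. named.conf for a dedicated recursive resolver (RPZ enforced here only)
#   2. the RPZ zone file consulted by that resolver
#   3. the ipa CLI calls that turn each IPA DNS server into a pure forwarder
# All names and addresses below are constructed for the example.
IPA_ZONE="ipa.example.test"
IPA_SERVERS="192.0.2.10; 192.0.2.11;"      # IPA replicas running named (constructed)
IPA_HOSTS="ipa1.ipa.example.test ipa2.ipa.example.test"
RESOLVERS="192.0.2.53 192.0.2.54"          # dedicated recursive resolvers (constructed)
BLOCKED="blocked.example.test"             # a public name the intranet must not resolve
OUT="${OUT:-./dns-split-example}"

# 1. Recursive resolver: serves intranet clients, applies RPZ, delegates IPA zones.
write_resolver_conf() {
  cat <<EOF
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };   # intranet clients only
    response-policy { zone "rpz.local"; };            # the single policy enforcement point
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };      # policy data is applied, never handed out as answers
};

// Delegation of the IPA-hosted zone to the IPA authoritative servers.
// Add one such block per IPA-hosted zone (reverse zones included).
zone "$IPA_ZONE" {
    type forward;
    forward only;
    forwarders { $IPA_SERVERS };
};
EOF
}

# 2. RPZ zone: "CNAME ." returns NXDOMAIN for the name and everything under it.
write_rpz_zone() {
  cat <<EOF
\$TTL 300
@       SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@       NS  localhost.
; Intranet clients get NXDOMAIN for the chosen public name and its subdomains
$BLOCKED      CNAME .
*.$BLOCKED    CNAME .
; Alternative action: redirect to a sinkhole host instead of NXDOMAIN
; tracker.example.test    CNAME sinkhole.corp.example.test.
EOF
}

# 3. IPA servers: forward every non-authoritative query to the resolvers,
#    policy 'only' so they never recurse on their own (and so need no RPZ).
ipa_forwarding_cmds() {
  for host in $IPA_HOSTS; do
    printf 'ipa dnsserver-mod %s' "$host"
    for r in $RESOLVERS; do
      printf ' --forwarder=%s' "$r"
    done
    printf ' --forward-policy=only\n'
  done
}

# Stand-alone use: "sh split-dns.sh write" drops the files into $OUT for review.
if [ "${1:-}" = "write" ]; then
  mkdir -p "$OUT"
  write_resolver_conf > "$OUT/named.conf"
  write_rpz_zone      > "$OUT/rpz.local.db"
  ipa_forwarding_cmds > "$OUT/ipa-forwarders.sh"
  echo "wrote $OUT/{named.conf,rpz.local.db,ipa-forwarders.sh}"
fi
```

After deploying the resolver config, the check that the policy is really enforced in one place is to query the resolver and an IPA server for the same blocked name: the resolver should answer NXDOMAIN from the RPZ, and the IPA server, forwarding with policy `only`, should return the identical answer because it obtained it from that resolver rather than recursing itself.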