I will try to summarize your question, please correct me if I'm wrong.

- existing Windows domain: example.com
- installed IPA domain: example.com (I guess from named.conf)
- you want to query Windows DNS first and then try to query IPA DNS when Windows DNS does not have the specific record

Do I understand correctly?

From the DNS point of view it doesn't make sense. Only a single database can be authoritative for a specific domain. In your case you have to choose whether Windows or IPA DNS should be authoritative for example.com. There is no fallback-if-record-doesn't-exist method. All servers serving a particular zone have to have exactly the same database, i.e. they have to be Windows OR IPA replicated servers.

Another problem comes from IPA+Windows installation in the same domain. It can theoretically work, but you will lose server auto-detection and the ability to create a trust between AD and IPA. Please don't do that.

It is much better to create a sub-domain for AD or IPA, e.g. ipa.example.com. Then you create delegation and glue records in AD DNS (NS+A records in example.com) and it will work.

If I misunderstood your question please add the following information:
- FreeIPA version
rpm -q ipa-server

- bind-dyndb-ldap version
rpm -q bind-dyndb-ldap

- export the configuration object cn=dns, dc=example, dc=com from IPA LDAP

- export the IPA zone objects idnsname=*, cn=dns, dc=example, dc=com from IPA LDAP
(i.e. one level under cn=dns, dc=example, dc=com)

Petr^2 Spacek
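The delegation described in the reply above (a sub-zone ipa.example.com whose NS and glue A records live in the AD-hosted example.com zone) can be checked from the IPA side with dig: ask the AD server for the child zone's NS records without recursion and look at the referral it returns. The script below is an added example and is not part of the thread; the host name freeipa.ipa.example.com, the server name ad-dns.example.com and the address 192.0.2.10 in the embedded sample referral are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that the parent zone (AD DNS, example.com) delegates
# ipa.example.com to the IPA name server with the glue A record in place.
#
# Live usage (hypothetical host names):
#   dig +norecurse +noall +authority +additional @ad-dns.example.com ipa.example.com NS \
#     | check_delegation ipa.example.com
#
# The function reads that dig output on stdin and prints one line per NS
# record.  It exits non-zero when no delegation is present or when an NS host
# inside the child zone has no glue address (a referral that cannot be followed).

# Constructed sample of what a correct referral looks like (placeholder data).
SAMPLE_REFERRAL='ipa.example.com.	3600	IN	NS	freeipa.ipa.example.com.
freeipa.ipa.example.com.	3600	IN	A	192.0.2.10'

# Same referral with the glue record missing: the delegation exists in AD but
# resolvers cannot reach the IPA server through it.
SAMPLE_NO_GLUE='ipa.example.com.	3600	IN	NS	freeipa.ipa.example.com.'

check_delegation() {
  # $1: child zone name without trailing dot, e.g. ipa.example.com
  awk -v zone="$1." '
    # NS records owned by the child zone name are the delegation itself
    $3 == "IN" && $4 == "NS" && $1 == zone { order[++n] = $5 }
    # A/AAAA records in the additional section are glue candidates
    $3 == "IN" && ($4 == "A" || $4 == "AAAA") { glue[$1] = glue[$1] " " $5 }
    END {
      if (n == 0) { print "NO-DELEGATION"; exit 1 }
      bad = 0
      suffix = "." zone
      for (i = 1; i <= n; i++) {
        h = order[i]
        in_zone = (length(h) > length(suffix) &&
                   substr(h, length(h) - length(suffix) + 1) == suffix)
        if (h in glue)
          printf "%s glue%s\n", h, glue[h]
        else if (in_zone) {
          # an in-bailiwick NS name with no glue is unreachable via the referral
          printf "%s NO-GLUE (required)\n", h
          bad = 1
        } else
          printf "%s no glue needed\n", h
      }
      exit (bad ? 1 : 0)
    }'
}

# Convenience wrappers over the constructed samples so the checks run offline.
demo_ok()      { printf '%s\n' "$SAMPLE_REFERRAL" | check_delegation ipa.example.com; }
demo_no_glue() { printf '%s\n' "$SAMPLE_NO_GLUE"  | check_delegation ipa.example.com; }
```

The same two records are what the IPA server's own zone must agree with: the child zone's apex NS (here freeipa.ipa.example.com) has to match what the parent publishes, otherwise resolvers reach the IPA server through a name the IPA zone does not serve.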

I have FreeIPA installed on a RHEL 6 server. There is an existing Windows
domain and DNS; example.com. I created a FreeIPA domain of example.com. I have attempted to configure the "forward first" option in both the DNS Global Configuration and the example.com zone configuration. I would like all lookups to first point to the forwarder and if it is unable to resolve I want it to look at the FreeIPA DNS. As I understand it, the "forward first" setting should accomplish this. Unfortunately DNS is behaving as if the "forward only" option is enabled as it will resolve addresses outside of the FreeIPA example.com domain but will not resolve hosts that are only in the FreeIPA example.com domain. I am very new to FreeIPA and would appreciate any help that can be provided.

Here is my named.conf:
options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        forward first;
        forwarders {
                // forwarder addresses were not included in the posted config
        };

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-credential "DNS/freeipa.example.com";
        tkey-domain "EXAMPLE.COM";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "fake_mname freeipa.example.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/freeipa.example.com";
        arg "zone_refresh 30";
};

Freeipa-users mailing list
