Hello once again,

some DNS scenarios are described in


It is a preliminary version of the new text for the IPA manual. Please report any errors and ambiguities.

Petr^2 Spacek

On 11/27/2012 08:47 AM, Petr Spacek wrote:

I will try to summarize your question, please correct me if I'm wrong.

- existing Windows domain: example.com
- installed IPA domain: example.com (I guess from named.conf)
- you want to query Windows DNS first and then query IPA DNS when
Windows DNS does not have the specific record

Do I understand correctly?

From the DNS point of view it doesn't make sense. Only a single database can be
authoritative for a specific domain. In your case you have to choose whether Windows or
IPA DNS should be authoritative for example.com. There is no
fallback-if-record-doesn't-exist method. All servers serving a particular zone
have to have exactly the same database, i.e. they have to be Windows OR IPA
replicated servers.

Another problem comes from an IPA+Windows installation in the same domain. It can
theoretically work, but you will lose server auto-detection and the ability to
create a trust between AD and IPA. Please don't do that.

It is much better to create a sub-domain for AD or IPA, e.g. ipa.example.com.
Then you create a delegation and glue records in AD DNS (NS+A records in
example.com) and it will work.

If I misunderstood your question, please add the following information:
- FreeIPA version
rpm -q ipa-server

- bind-dyndb-ldap version
rpm -q bind-dyndb-ldap

- export configuration object cn=dns, dc=example, dc=com from IPA LDAP

- export IPA zone objects idnsname=*, cn=dns, dc=example, dc=com from IPA LDAP
(i.e. one level under cn=dns, dc=example, dc=com)

Petr^2 Spacek

I have FreeIPA installed on a RHEL 6 server.  There is an existing Windows
domain and DNS; example.com.  I created a FreeIPA domain of example.com.  I
have attempted to configure the "forward first" option in both the DNS Global
Configuration and the example.com zone configuration.  I would like all
lookups to first point to the forwarder and if it is unable to resolve I want
it to look at the FreeIPA DNS.  As I understand it, the "forward first"
setting should accomplish this.  Unfortunately DNS is behaving as if the
"forward only" option is enabled as it will resolve addresses outside of the
FreeIPA example.com domain but will not resolve hosts that are only in the
FreeIPA example.com domain.  I am very new to FreeIPA and would appreciate any
help that can be provided.

Here is my named.conf:
options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        forward first;
        forwarders {
                // forwarder addresses were not preserved in the post
        };

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

        tkey-gssapi-credential "DNS/freeipa.example.com";
        tkey-domain "EXAMPLE.COM";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "fake_mname freeipa.example.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/freeipa.example.com";
        arg "zone_refresh 30";
};

Petr^2 Spacek
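The fix recommended above is a delegation: the AD-hosted example.com zone carries NS records for ipa.example.com plus glue A records for any name server whose name lies inside the delegated zone, and everything under ipa.example.com then lives only in the IPA database. As an added example that is not code from this thread or from FreeIPA, the following Python checker reads two constructed zone fragments (the parent as AD would serve it and the child as IPA would serve it; all host names and 192.0.2.x addresses are assumptions) and reports the mistakes that make such a delegation fail: a missing or wrong glue record, an NS set that differs between parent and child, and records in the parent below the zone cut, which resolvers never see because the delegation occludes them. That last check is the concrete form of "only a single database can be authoritative".

```python
"""Check a parent-zone delegation (NS + glue) for a child zone.

Added example, not part of the mailing-list thread or of FreeIPA.
Zone data below is constructed inline in zone-file style; names and
addresses are assumptions chosen to exercise each check.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the AD-hosted parent zone after delegating ipa.example.com.
# Deliberate mistakes: no glue for freeipa2, and a host record below the cut.
PARENT_ZONE = """
example.com.              IN SOA  dc1.example.com. hostmaster.example.com. 1 3600 600 86400 300
example.com.              IN NS   dc1.example.com.
dc1.example.com.          IN A    192.0.2.10
; delegation of the IPA sub-domain: NS records plus glue A records
ipa.example.com.          IN NS   freeipa.ipa.example.com.
ipa.example.com.          IN NS   freeipa2.ipa.example.com.
freeipa.ipa.example.com.  IN A    192.0.2.21
client.ipa.example.com. IN A 192.0.2.50
"""

# Constructed sample: the IPA-hosted child zone.
CHILD_ZONE = """
ipa.example.com.          IN SOA  freeipa.ipa.example.com. hostmaster.ipa.example.com. 1 3600 600 86400 300
ipa.example.com.          IN NS   freeipa.ipa.example.com.
ipa.example.com.          IN NS   freeipa2.ipa.example.com.
freeipa.ipa.example.com.  IN A    192.0.2.21
freeipa2.ipa.example.com. IN A    192.0.2.22
"""


def parse_zone(text):
    """Parse 'owner [TTL] [IN] TYPE rdata' lines into {(owner, type): [rdata, ...]}.

    Owner names and NS/CNAME targets are lower-cased so comparisons are
    case-insensitive, as DNS names are. ';' starts a comment.
    """
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, i = fields[0].lower(), 1
        if fields[i].isdigit():          # optional TTL
            i += 1
        if fields[i].upper() == "IN":    # optional class
            i += 1
        rtype, rdata = fields[i].upper(), " ".join(fields[i + 1:])
        if rtype in ("NS", "CNAME"):
            rdata = rdata.lower()
        records[(owner, rtype)].append(rdata)
    return records


def in_zone(name, zone):
    """True if name is zone itself or lies beneath it (both absolute)."""
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_text, child_text, child_zone):
    """Return a list of human-readable problems; an empty list means the delegation is sound."""
    parent, child = parse_zone(parent_text), parse_zone(child_text)
    zone = child_zone.lower().rstrip(".") + "."
    problems = []

    parent_ns = set(parent.get((zone, "NS"), []))
    if not parent_ns:
        return [f"no NS records for {zone} in the parent zone: no delegation exists"]

    # The child apex NS set should match what the parent advertises.
    child_ns = set(child.get((zone, "NS"), []))
    if child_ns and child_ns != parent_ns:
        problems.append(f"NS set differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")

    # Every in-bailiwick name server needs glue, and the glue must match the child's own data.
    for ns in sorted(parent_ns):
        if not in_zone(ns, zone):
            continue                      # out-of-bailiwick NS resolves without glue
        glue = set(parent.get((ns, "A"), []) + parent.get((ns, "AAAA"), []))
        if not glue:
            problems.append(f"in-bailiwick NS {ns} has no glue A/AAAA record in the parent zone")
            continue
        for addr in glue:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"glue for {ns} is not an IP address: {addr!r}")
        real = set(child.get((ns, "A"), []) + child.get((ns, "AAAA"), []))
        if real and glue != real:
            problems.append(f"glue for {ns} is {sorted(glue)} but the child zone says {sorted(real)}")

    # Anything else the parent holds under the cut is occluded: resolvers follow the
    # delegation instead, so such records are dead data and a sign of split authority.
    glue_names = {ns for ns in parent_ns if in_zone(ns, zone)}
    for owner, rtype in parent:
        if not in_zone(owner, zone) or (owner == zone and rtype == "NS"):
            continue
        if owner in glue_names and rtype in ("A", "AAAA"):
            continue
        problems.append(f"{owner} {rtype} in the parent zone sits below the zone cut and is occluded by the delegation")
    return problems


if __name__ == "__main__":
    for problem in check_delegation(PARENT_ZONE, CHILD_ZONE, "ipa.example.com"):
        print("PROBLEM:", problem)
```

Run against the constructed sample it reports two problems: freeipa2.ipa.example.com. has no glue in the parent, and client.ipa.example.com. is occluded. Adding the glue A record in the parent and moving the client record into the IPA zone makes the check come back clean, which is exactly the state the delegation advice above describes.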

Freeipa-users mailing list