On 12/12/2012 07:59 PM, Simo Sorce wrote:
> On Wed, 2012-12-12 at 10:45 -0800, Patrick Bakker wrote:
>> I just joined this list because I was curious about the recent
>> discussion that Rashard Kelly had started about whether to
>> use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering
>> about a very similar thing. I have a bunch of Linux servers that I'd
>> like to start managing more centrally, but we have Active Directory
>> running the network right now.
>>
>> I looked at the bug attachment Petr Spacek recommended
>> (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but
>> one thing I didn't see there is a discussion of whether to use an
>> entirely different domain. As this is the direction I'm inclined to,
>> I'm curious if there is some good reason not to do it.
IMHO there is no real difference between scenarios
a) "ad.comp.tld" + "ipa.comp.tld"
b) "comp1.tld" + "comp2.tld"

In both cases they are just different domains. It doesn't make any difference as long as all machines are able to resolve all names (from both domains).

>> Suppose I have a company ACME Widgets which is running
>> acmewidgets.local under Active Directory. Does it simplify anything if
>> I were to run all my Linux boxes under FreeIPA under an entirely
>> different domain such as acme.local?

> It will avoid the need to do delegation but you will need to set up
> conditional forwarders if you want to resolve both domains from all
If it is inevitable, I would recommend establishing a top-level domain "local" or "lan" and filling it with the usual delegation records for "acmewidgets" and "acme". Please avoid the use of forwarders as much as possible. Please see my next comment and try to avoid private TLDs.

> Also do not use .local; that domain name is used by zeroconf-style stuff
> and can cause issues (in a Windows domain too). Use something like .lan
You can save some pain by using the real domain "acme.com" instead of "acme.lan". Just configure your DNS servers on the enterprise boundary to return different results to clients inside and outside the boundary.

Background story:
DNS is a tree with its root in the domain "". By using a non-existent top-level domain "lan" you cut off the root. A client asking the root servers for "lan" will get NXDOMAIN for every query.

You can see the problem very nicely with the command:
dig +trace "some.name.under.lan"

(I don't have much experience with DNSSEC, please correct me if I'm wrong.)
I would expect problems with DNSSEC deployment ... At least you will have to handle the domain signature for "lan" in a special way and configure another root of trust in each DNSSEC-validating resolver, etc.

>> Since I have completely separate DNS records I shouldn't need to worry
>> about any DNS integration. Will this complicate a future trust between
>> the AD domain acmewidgets.local and the FreeIPA domain acme.local if I
>> want to do that at some point?
Again, I don't see any difference between scenarios
a) "ad.comp.tld" + "ipa.comp.tld"
b) "comp1.tld" + "comp2.tld"

Both domains have to be resolvable. The difference is in the place where the NS records or forwarders are set. That should be all.

> No, trusts are better with completely separate root domains; they
> certainly can't work if you use the same domain.
Simo, can you elaborate on this? I'm not experienced with trusts, but IMHO there should not be any difference between scenarios a) and b).

> However there is at least 1 minor 'integration' step: you need
> conditional forwarders in both systems so one can forward queries to the
> other for its clients.

Petr^2 Spacek
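The two options debated in the thread, written out as BIND configuration. This is an added example, not configuration from the thread or from the FreeIPA project; the server names and the 192.0.2.x addresses are placeholders. Option 1 is the conditional-forwarder setup Simo describes, option 2 is the delegated private top-level zone Petr suggests if a private TLD cannot be avoided.

```conf
// ---- Option 1 (conditional forwarders): named.conf on the FreeIPA/BIND server ----
// Queries for the AD domain are handed to the AD domain controllers.
// The AD side needs the mirror-image conditional forwarder for "acme.lan".
zone "acmewidgets.lan" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };   // placeholder AD DC addresses
};

// ---- Option 2 (delegation): host the private TLD once, delegate each domain ----
// named.conf on the internal resolver that is authoritative for "lan"
zone "lan" {
    type master;
    file "/var/named/lan.zone";
};

// ---- /var/named/lan.zone (zone-file syntax, ';' starts a comment) ----
$TTL 3600
@                IN SOA  ns1.lan. hostmaster.lan. (
                         2012121201 ; serial
                         3600       ; refresh
                         900        ; retry
                         604800     ; expire
                         3600 )     ; negative-cache TTL
@                IN NS   ns1.lan.
ns1              IN A    192.0.2.1

; Delegate the AD domain to its domain controllers (glue records included)
acmewidgets      IN NS   dc1.acmewidgets.lan.
acmewidgets      IN NS   dc2.acmewidgets.lan.
dc1.acmewidgets  IN A    192.0.2.10
dc2.acmewidgets  IN A    192.0.2.11

; Delegate the FreeIPA domain to the IPA DNS server (glue record included)
acme             IN NS   ipa1.acme.lan.
ipa1.acme        IN A    192.0.2.20
```

With option 2 every internal client only needs to reach ns1.lan (directly or through a resolver that uses it) and both domains resolve by ordinary delegation, whereas option 1 has to be configured separately on each side (on Windows DNS the counterpart is a conditional forwarder zone for "acme.lan"). Either way "lan" exists only inside the network, which is exactly the cut-off root that the dig +trace command above makes visible.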

Freeipa-users mailing list