We are looking at adding redundancy to our IPA setup by using DNS
servers external to our IPA servers, so in the event of IPA dying we can
still resolve against these external DNS servers.

So I'm looking at how I can add a server running BIND as a DNS slave.

Normally on a DNS slave we can set something like the following in


// query-source address * port 53;
allow-transfer {;};

// a caching only nameserver config

controls {
inet allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "yourdomain.com" IN {
type slave;
file "/var/named/yourdomain.com.zone";
// allow-update { none; };
allow-transfer {; };
masters {; };
};

zone "0.168.192.in-addr.arpa" IN {
type slave;
file "/var/named/0.168.192.rev";
// allow-update { none; };
allow-transfer {; };
masters {; };
};

In the IPA server's named.conf I see DNS entries are loaded up via LDAP:


include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
        arg "base cn=dns, dc=sub,dc=domain,dc=com";
        arg "fake_mname ipa01.sub.domain.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa01.sub.domain.com";
        arg "zone_refresh 0";
        arg "psearch yes";
        arg "connections 4";
        arg "serial_autoincrement yes";
};


Has anyone successfully pulled DNS zones out of IPA to BIND slaves?

DevOps(Recs), BSkyB.
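An added example, not part of the original post or of FreeIPA/BIND: a standard-library Python check that asks a nameserver for a zone's SOA serial, so the IPA master and each BIND slave can be compared from a monitoring job. The hostnames ipa01.sub.domain.com / hostmaster.sub.domain.com, the serial value and the sample reply bytes are constructed for the example.

```python
import socket
import struct

def _encode_name(name: str) -> bytes:  # domain name -> length-prefixed labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Minimal UDP DNS query: header with RD set, one SOA/IN question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(zone) + struct.pack(">HH", 6, 1)

def _skip_name(msg: bytes, off: int) -> int:  # offset just past a wire-format name
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln

def parse_soa_serial(msg: bytes):
    """Serial of the first SOA answer, or None (e.g. REFUSED, no answer)."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE other than NOERROR
        return None
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:  # SOA rdata: MNAME, RNAME, then SERIAL as first uint32
            rd = _skip_name(msg, _skip_name(msg, off))
            return struct.unpack(">I", msg[rd:rd + 4])[0]
        off += rdlen
    return None

def query_serial(server: str, zone: str, timeout: float = 2.0):  # one UDP SOA lookup
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return parse_soa_serial(s.recv(4096))

# Constructed sample reply (not a real capture): NOERROR, one SOA answer.
_RDATA = (_encode_name("ipa01.sub.domain.com") + _encode_name("hostmaster.sub.domain.com")
          + struct.pack(">IIIII", 2014030501, 3600, 900, 1209600, 3600))
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + _encode_name("sub.domain.com") + struct.pack(">HH", 6, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 6, 1, 3600, len(_RDATA)) + _RDATA)
```

Call query_serial(master, zone) and query_serial(slave, zone) periodically and alert when the slave's serial lags the master's; with serial_autoincrement set, every LDAP change bumps the IPA serial, so a lagging slave points at a failed transfer or NOTIFY rather than a quiet zone.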


Freeipa-users mailing list