A DNS slave here is no different. The slave does not get its
information from IPA. It gets it from a basic zone update from the
master. Configure your slave like you would configure any other DNS
slave.

Terry

> On Jan 28, 2014, at 7:48 AM, "Choudhury, Suhail" <suhail.choudh...@bskyb.com> 
> wrote:
>
> Hi,
>
> We are looking at adding redundancy to our IPA setup by using DNS
> servers external to our IPA servers, so in the event of IPA dying we can
> still resolve against these external DNS servers.
>
> So I'm looking at how I can add a server running BIND as a DNS slave.
>
> Normally on a DNS slave we can set something like the following in
> named.conf:
>
> =========================================
>
> options {
>        // query-source address * port 53;
>        allow-transfer { 208.99.198.184/32; };
> };
>
> //
> // a caching only nameserver config
> //
>
> controls {
>        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> zone "localhost" IN {
>        type master;
>        file "localhost.zone";
>        allow-update { none; };
> };
>
> zone "yourdomain.com" IN {
>        type slave;
>        file "/var/named/yourdomain.com.zone";
>        // allow-update { none; };
>        allow-transfer { 192.168.0.1/32; };
>        masters { 192.168.0.1; };
> };
>
> zone "0.168.192.in-addr.arpa" IN {
>        type slave;
>        file "/var/named/0.168.192.rev";
>        // allow-update { none; };
>        allow-transfer { 192.168.0.1/32; };
>        masters { 192.168.0.1; };
> };
>
> =========================================
>
> In the IPA server's named.conf I see DNS entries are loaded up via LDAP:
>
> =========================================
>
> include "/etc/named.rfc1912.zones";
>
> dynamic-db "ipa" {
>        library "ldap.so";
>        arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
>        arg "base cn=dns, dc=sub,dc=domain,dc=com";
>        arg "fake_mname ipa01.sub.domain.com.";
>        arg "auth_method sasl";
>        arg "sasl_mech GSSAPI";
>        arg "sasl_user DNS/ipa01.sub.domain.com";
>        arg "zone_refresh 0";
>        arg "psearch yes";
>        arg "connections 4";
>        arg "serial_autoincrement yes";
> };
>
> =========================================
>
> Has anyone successfully pulled DNS zones out of IPA to BIND slaves?
>
> --
> Regards,
> Suhail.
> DevOps(Recs), BSkyB.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
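Because a secondary for an IPA-served zone is configured like any other BIND secondary, the usual review of its zone stanzas applies. The following is an added example, not code from the thread or from the FreeIPA project: it checks each slave zone for a `masters` list and for its zone-transfer ACL. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the style of the named.conf quoted in the thread;
# the second zone is deliberately misconfigured for the demonstration.
SAMPLE = '''
zone "yourdomain.com" IN {
    type slave;
    file "/var/named/yourdomain.com.zone";
    // allow-update { none; };
    allow-transfer { 192.168.0.1/32; };
    masters { 192.168.0.1; };
};
zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "/var/named/0.168.192.rev";
    allow-transfer { any; };
};
'''

# Assumes each zone stanza closes with "};" at the start of its own line.
ZONE_RE = re.compile(r'^[ \t]*zone\s+"([^"]+)"(?:\s+IN)?\s*\{(.*?)^[ \t]*\};',
                     re.S | re.M)

def strip_comments(text):
    """Drop /* */ blocks and whole-line // or # comments."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^[ \t]*(//|#).*$', '', text, flags=re.M)

def acl(body, option):
    """Return the entries of `option { ... };`, or None when it is not set."""
    m = re.search(r'\b' + re.escape(option) + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    """List (zone, finding) pairs for every slave/secondary zone in conf."""
    findings = []
    for name, body in ZONE_RE.findall(strip_comments(conf)):
        kind = re.search(r'\btype\s+([\w-]+)\s*;', body)
        if not kind or kind.group(1) not in ('slave', 'secondary'):
            continue
        if not (acl(body, 'masters') or acl(body, 'primaries')):
            findings.append((name, 'no masters: nothing to transfer the zone from'))
        transfer = acl(body, 'allow-transfer')
        if transfer is None:
            findings.append((name, 'allow-transfer unset: inherits view/options setting'))
        elif 'any' in transfer:
            findings.append((name, 'allow-transfer any: every client may pull the zone'))
    return findings
```

Calling `audit(SAMPLE)` reports two findings for the reverse zone and none for `yourdomain.com`; pass the text of a real `named.conf` to review an actual secondary.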
