On 3.3.2014 22:57, Brendan Kearney wrote:
On Mon, 2014-03-03 at 09:33 +0100, Petr Spacek wrote:
On 1.3.2014 23:20, Brendan Kearney wrote:
I am using bind-dyndb-ldap outside of FreeIPA, and want to create
_tcp.my-domain.com and _udp.my-domain.com subdomains.  I have tried, but
seem to come up short and nslookup fails for the records I try to create
in the subdomains.  Some googling and searching in the wiki have not
provided me with much to go on.  Below is an attempt at _tcp.my-domain.com

dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
dnsttl: 3600
idnsallowdynupdate: FALSE
idnsallowsyncptr: FALSE
idnsname: _tcp.my-domain.com.
idnssoaexpire: 604800
idnssoaminimum: 86400
idnssoamname: server.my-domain.com.
idnssoarefresh: 10800
idnssoaretry: 900
idnssoarname: root.server.my-domain.com.
idnssoaserial: 1
idnsupdatepolicy: grant MY-DOMAIN.COM krb5-self * A;
idnszoneactive: TRUE
nsrecord: server.my-domain.com.
objectclass: top
objectclass: idnsZone
objectclass: idnsRecord

what is the correct way to create a subdomain?

First of all, do you really want to create *subdomains* for _tcp and _udp or
do you just need to create a couple of records like _ldap._tcp in an existing
domain? It is very unusual to create separate subdomains for _tcp and _udp.

I'm attaching a small snippet which shows how to add an _ldap._tcp SRV record to
the existing domain ipa.example.

Please be so kind and send us the information mentioned at
https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow

We would like to know how users use bind-dyndb-ldap, which LDAP server is used
outside FreeIPA and so on.

Have a nice day!

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

What distribution do you use? Fedora
Which distribution version do you use? Fedora 20, with latest updates
Which architecture do you use? x86_64 on a qemu VM

What plugin version do you use? bind-dyndb-ldap-3.5-1.fc20.x86_64
Do you use bind-dyndb-ldap as part of a FreeIPA installation? no, using
openldap-servers-2.4.39-2.fc20.x86_64
Which version of BIND do you use? bind-9.9.4-11.P2.fc20.x86_64

Please provide the dynamic-db section from the configuration
file /etc/named.conf
dynamic-db "my-domain.com" {
        library "ldap.so";
        arg "uri ldap://127.0.0.1/";
        arg "base cn=dns,dc=my-domain,dc=com";
        arg "auth_method simple";
        arg "bind_dn cn=Manager,dc=my-domain,dc=com";
        arg "password *****";
        arg "psearch no";
        // arg "serial_autoincrement yes";
        arg "sync_ptr yes";
        arg "dyn_update yes";
        arg "connections 2";
        arg "cache_ttl 300";
        arg "verbose_checks yes";
};

Do you have some other text-based or DLZ zones configured? no
Do you have some global forwarders configured in the BIND configuration
file? no

Do you have some settings in the global configuration object in LDAP?
dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject

Without a doubt I want to use subdomains (or subzones, if that is the
correct term) for _tcp and _udp.  kerberos, kerberos-adm,
kerberos-master, kpasswd, ldap, nfs4, wpad and ntp are the SRV records I
want to manage, and having them in the regular forward zone is not as
clean, neat and organized as I want it to be.  Also, I may want to have
forward subdomains (sub.my-domain.com, for example, with
testhost.sub.my-domain.com as an A record).

Please see attached LDIFs.

_udp.example.com.ldif adds the new zone _udp.example.com and one SRV record into
it.

example.com.ldif adds *required* delegation from parent zone example.com to _udp.example.com.

Please do not forget that NS records have to be valid (i.e. they have to point to existing A/AAAA records), so edit them as appropriate.

Delegation via NS records from the parent zone is *required* by DNS standards, never omit them. (It could work for a while without them, but things will fail as soon as you try to debug something, direct a client to use more than 1 DNS server etc.)

Note that you have to create a separate zone *and required delegation* for each separate sub-tree, i.e. even for _kerberos name in example.com etc.

I have warned you :-) Have a nice day!

--
Petr^2 Spacek
[attachment: example.com.ldif]

version: 1

dn: idnsname=example.com,cn=dns,dc=ipa,dc=example
objectClass: extensibleObject
objectClass: idnsRecord
objectClass: top
objectClass: idnsZone
idnsName: example.com
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
idnsSOAmName: ns.ipa.example.
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOArName: hostmaster.ipa.example.
idnsSOAserial: 1393924879
idnsZoneActive: TRUE
idnsAllowDynUpdate: TRUE
idnsAllowQuery: any;
idnsAllowTransfer: none;
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-se
 lf * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
nSRecord: ns.ipa.example.

dn: idnsname=_udp,idnsname=example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _udp
nSRecord: ns.ipa.example.

[attachment: _udp.example.com.ldif]

version: 1

dn: idnsname=_udp.example.com,cn=dns,dc=ipa,dc=example
objectClass: extensibleObject
objectClass: idnsRecord
objectClass: top
objectClass: idnsZone
idnsName: _udp.example.com
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
idnsSOAmName: ns.ipa.example.
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOArName: hostmaster.ipa.example.
idnsSOAserial: 1393924507
idnsZoneActive: TRUE
idnsAllowDynUpdate: TRUE
idnsAllowQuery: any;
idnsAllowTransfer: none;
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-se
 lf * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
nSRecord: ns.ipa.example.

dn: idnsname=_kerberos,idnsname=_udp.example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _kerberos
sRVRecord: 0 100 88 vm.ipa.example.
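The two rules Petr states above (a sub-zone needs an NS record at its own name inside the parent zone, and every NS target needs an A/AAAA record) as an added consistency check, not part of the thread or of bind-dyndb-ldap; it is run over a constructed, condensed copy of the two attached LDIFs, and the function and report-key names are my own.

```python
def parse_ldif(text):
    # Minimal LDIF reader: unfold "\n " continuations, split on blank lines, keep entries with a dn.
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.lower(), []).append(val.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]

def dns_names(dn):
    # idnsname=_udp,idnsname=example.com,cn=dns,... -> owner "_udp.example.com", zone "example.com".
    rdns = [r.split("=", 1)[1].rstrip(".").lower() for r in dn.split(",")
            if r.lower().startswith("idnsname=")]
    return ".".join(rdns), rdns[-1]

def check_delegations(ldif_text):
    # A sub-zone needs an NS record at its name in the parent zone; NS targets need an A/AAAA record.
    zones, ns, has_addr = set(), {}, set()
    for e in parse_ldif(ldif_text):
        owner, zone = dns_names(e["dn"][0])
        if "idnszone" in (c.lower() for c in e.get("objectclass", [])):
            zones.add(owner)
        for target in e.get("nsrecord", []):
            ns.setdefault((zone, owner), set()).add(target.rstrip(".").lower())
        if e.get("arecord") or e.get("aaaarecord"):
            has_addr.add(owner)
    report = {"delegated": [], "missing_delegation": [], "unresolved_ns": set()}
    for z in sorted(zones):
        parents = [p for p in zones if z.endswith("." + p)]
        if parents:  # no parent zone here: the delegation must exist outside this data
            parent = max(parents, key=len)
            report["delegated" if ns.get((parent, z)) else "missing_delegation"].append(z)
    for targets in ns.values():
        report["unresolved_ns"].update(t for t in targets if t not in has_addr)
    return report

# Constructed sample condensed from the two attached LDIFs: parent zone, delegation, sub-zone.
SAMPLE_LDIF = """\
dn: idnsname=example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsZone

dn: idnsname=_udp,idnsname=example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsRecord
nSRecord: ns.ipa.example.

dn: idnsname=_udp.example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsZone
nSRecord: ns.ipa.example."""
```

On the attachments as posted, the check reports ns.ipa.example as unresolved because its A/AAAA record lives in a zone not included in these files, which is exactly the "edit them as appropriate" step.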
