On 3.3.2014 22:57, Brendan Kearney wrote:
On Mon, 2014-03-03 at 09:33 +0100, Petr Spacek wrote:
On 1.3.2014 23:20, Brendan Kearney wrote:
I am using bind-dyndb-ldap outside of FreeIPA, and want to create
_tcp.my-domain.com and _udp.my-domain.com subdomains. I have tried, but
seem to come up short, and nslookup fails for the records I try to create
in the subdomains. Some googling and searching in the wiki have not
provided me with much to go on. Below is an attempt at _tcp.my-domain.com:
dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
dnsttl: 3600
idnsallowdynupdate: FALSE
idnsallowsyncptr: FALSE
idnsname: _tcp.my-domain.com.
idnssoaexpire: 604800
idnssoaminimum: 86400
idnssoamname: server.my-domain.com.
idnssoarefresh: 10800
idnssoaretry: 900
idnssoarname: root.server.my-domain.com.
idnssoaserial: 1
idnsupdatepolicy: grant MY-DOMAIN.COM krb5-self * A;
idnszoneactive: TRUE
nsrecord: server.my-domain.com.
objectclass: top
objectclass: idnsZone
objectclass: idnsRecord
What is the correct way to create a subdomain?
First of all, do you really want to create *subdomains* for _tcp and _udp, or
do you just need to create a couple of records like _ldap._tcp in an existing
domain? It is very unusual to create separate subdomains for _tcp and _udp.
I'm attaching a small snippet which shows how to add an _ldap._tcp SRV record to
the existing domain ipa.example.
Please be so kind and send us the information mentioned on
https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow
We would like to know how users use bind-dyndb-ldap, which LDAP server is used
outside FreeIPA, and so on.
Have a nice day!
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
What distribution you use? Fedora
Which distribution version you use? Fedora 20, with latest updates
Which architecture you use? x86_64 on a qemu VM
What plugin version you use? bind-dyndb-ldap-3.5-1.fc20.x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using
openldap-servers-2.4.39-2.fc20.x86_64
Which version of BIND you use? bind-9.9.4-11.P2.fc20.x86_64
Please provide dynamic-db section from configuration file /etc/named.conf
dynamic-db "my-domain.com" {
    library "ldap.so";
    arg "uri ldap://127.0.0.1/";
    arg "base cn=dns,dc=my-domain,dc=com";
    arg "auth_method simple";
    arg "bind_dn cn=Manager,dc=my-domain,dc=com";
    arg "password *****";
    arg "psearch no";
    // arg "serial_autoincrement yes";
    arg "sync_ptr yes";
    arg "dyn_update yes";
    arg "connections 2";
    arg "cache_ttl 300";
    arg "verbose_checks yes";
};
Do you have some other text based or DLZ zones configured? no
Do you have some global forwarders configured in BIND configuration
file? no
Do you have some settings in global configuration object in LDAP?
dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject
Without a doubt I want to use subdomains (or subzones, if that is the
correct term) for _tcp and _udp. kerberos, kerberos-adm,
kerberos-master, kpasswd, ldap, nfs4, wpad and ntp are the SRV records I
want to manage, and having them in the regular forward zone is not as
clean, neat and organized as I want it to be. Also, I may want to have
forward subdomains (sub.my-domain.com, for example, with
testhost.sub.my-domain.com as an A record).
Please see the attached LDIFs.
_udp.example.com.ldif adds the new zone _udp.example.com and one SRV record into
it.
example.com.ldif adds the *required* delegation from the parent zone example.com to
_udp.example.com.
Please do not forget that NS records have to be valid (i.e. have to point to
existing A/AAAA records), so edit them as appropriate.
Delegation via NS records from the parent zone is *required* by DNS standards;
never omit them. (It could work for a while without them, but things will fail
as soon as you try to debug something, direct clients to use more than 1 DNS
server, etc.)
Note that you have to create a separate zone *and the required delegation* for
each separate sub-tree, i.e. even for the _kerberos name in example.com, etc.
I have warned you :-) Have a nice day!
--
Petr^2 Spacek
example.com.ldif:

version: 1
dn: idnsname=example.com,cn=dns,dc=ipa,dc=example
objectClass: extensibleObject
objectClass: idnsRecord
objectClass: top
objectClass: idnsZone
idnsName: example.com
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
idnsSOAmName: ns.ipa.example.
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOArName: hostmaster.ipa.example.
idnsSOAserial: 1393924879
idnsZoneActive: TRUE
idnsAllowDynUpdate: TRUE
idnsAllowQuery: any;
idnsAllowTransfer: none;
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
nSRecord: ns.ipa.example.

dn: idnsname=_udp,idnsname=example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _udp
nSRecord: ns.ipa.example.

_udp.example.com.ldif:

version: 1
dn: idnsname=_udp.example.com,cn=dns,dc=ipa,dc=example
objectClass: extensibleObject
objectClass: idnsRecord
objectClass: top
objectClass: idnsZone
idnsName: _udp.example.com
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
idnsSOAmName: ns.ipa.example.
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOArName: hostmaster.ipa.example.
idnsSOAserial: 1393924507
idnsZoneActive: TRUE
idnsAllowDynUpdate: TRUE
idnsAllowQuery: any;
idnsAllowTransfer: none;
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
nSRecord: ns.ipa.example.

dn: idnsname=_kerberos,idnsname=_udp.example.com,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _kerberos
sRVRecord: 0 100 88 vm.ipa.example.
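An added consistency check (not part of the thread or of bind-dyndb-ldap) for the two rules the reply above insists on: every sub-zone must have NS delegation in its parent zone, and every NS target must resolve to an A/AAAA record. It parses an LDIF dump in the shape of the attached files; the function names and the embedded sample LDIF are constructed for this example.

```python
import re

def parse_ldif(text):
    """LDIF text -> list of {attribute(lowercase): [values]}; folded lines joined."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            if not line.startswith(("version:", "#")):
                attr, _, val = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(val.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def check_delegation(entries):
    """Return problems: sub-zones not delegated by NS in their parent zone, and
    NS targets lacking an A/AAAA record in the dump. Empty list = consistent."""
    zones, has_addr, ns_names, ns_targets = set(), set(), {}, set()
    for e in entries:
        rdns = [r.lower().rstrip(".")
                for r in re.findall(r"idnsname=([^,]+)", e["dn"][0], re.I)]
        is_zone = "idnszone" in {c.lower() for c in e.get("objectclass", [])}
        zone = rdns[0] if is_zone else rdns[1]   # zone that owns this entry
        fqdn = zone if is_zone or rdns[0] == "@" else f"{rdns[0]}.{zone}"
        if is_zone:
            zones.add(zone)
        if "arecord" in e or "aaaarecord" in e:
            has_addr.add(fqdn)
        if "nsrecord" in e:
            ns_names.setdefault(zone, set()).add(fqdn)
            ns_targets.update(t.lower().rstrip(".") for t in e["nsrecord"])
    problems = []
    for z in sorted(zones):
        parents = [p for p in zones if z.endswith("." + p)]
        parent = max(parents, key=len) if parents else None  # closest enclosing zone
        if parent and z not in ns_names.get(parent, set()):
            problems.append(f"zone {z} lacks NS delegation in parent {parent}")
    problems += [f"NS target {t} has no A/AAAA record" for t in sorted(ns_targets - has_addr)]
    return problems

# Constructed sample in the shape of the LDIFs posted above (not the attachments themselves).
SAMPLE_LDIF = "\n\n".join([  # parent zone, its delegation record, and the sub-zone
    "dn: idnsname=example.com,cn=dns,dc=ipa,dc=example\nobjectClass: idnsZone\nnSRecord: ns.ipa.example.",
    "dn: idnsname=_udp,idnsname=example.com,cn=dns,dc=ipa,dc=example\nobjectClass: idnsRecord\nnSRecord: ns.ipa.example.",
    "dn: idnsname=_udp.example.com,cn=dns,dc=ipa,dc=example\nobjectClass: idnsZone\nnSRecord: ns.ipa.example.",
])
```

Run against the sample, the delegation passes but the checker reports that ns.ipa.example has no A/AAAA record in the dump, which is exactly the "NS records have to be valid" caveat; add the glue record (or the ipa.example zone) and the report comes back empty.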