On 04/03/2014 07:50 PM, Andy Tomlin wrote:
Awesome, adding the grant line with my key (DDNS_UPDATE) did the trick. This
makes it perform exactly like old config.
Thanks for the help. Someone should put this example in the docs.

Would you mind writing a HowTo on our wiki?

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of William Brown
Sent: Thursday, April 3, 2014 3:29 PM
To: [email protected]
Subject: Re: [Freeipa-users] DDNS with DHCPD and IPA
On Thu, 2014-04-03 at 11:02 -0700, Andy Tomlin wrote:
That would be my preference, would then work same as bind/dhcpd before
switching to ipa. I just don't know how to do it correctly.
This assumes dhcp and named are on the same system.
For an unrelated project I wrote some docs here:
http://tollgate.readthedocs.org/en/3.0.1/fedora-deploy.html#core-network
And the example config files referenced are:
https://github.com/micolous/tollgate/tree/master/docs/example/fedora
The important parts are:

    rndc-confgen -a -r keyboard -b 256
    chown named:named /etc/rndc.key

In named.conf add after the options section:

    include "/etc/rndc.key";

In the zone (In ipa you will need to add this permission):

    grant rndc-key wildcard * ANY;

Then in dhcpd:

    include "/etc/rndc.key";

And to the dhcpd range:

    zone dhcp.example.lan. {
        primary 127.0.0.1;
        key "rndc-key";
    }
    zone 0.4.10.in-addr.arpa. {
        primary 127.0.0.1;
        key "rndc-key";
    }

This should coexist peacefully with freeipa, but try to make sure your DDNS
updated zone is, say, dhcp.example.com rather than a zone you care about.
Consider you have a domain controller called x.example.com, and you allow
DDNS to example.com. If someone set their hostname to x, they could take
over the DNS records for your DC. Better to have a second zone to prevent
this.
--
William Brown <[email protected]>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
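
The zone-separation advice in the quoted message, as an added example that is not part of the original thread and not FreeIPA or BIND code: a Python check that reports which protected host names sit in a zone where a `wildcard *` grant lets a DDNS key rewrite them. It assumes such a grant covers every name in the zone; the function names, the input shape and the sample zone data are constructed for illustration.

```python
import re

# Grant form quoted in the message: grant <key> wildcard * <types>;
# Assumption: such a grant lets the key update any name in the zone.
WILDCARD_GRANT = re.compile(
    r'^\s*grant\s+"?([^\s"]+)"?\s+wildcard\s+\*\s+[^;]+;', re.I)

def labels(name):
    """Lower-cased DNS labels, ignoring the trailing root dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def in_zone(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def owning_zone(name, zones):
    """Most specific configured zone containing name, or None."""
    hits = [z for z in zones if in_zone(name, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)

def exposed_hosts(zone_policies, protected):
    """Map each protected FQDN to (zone, keys) that can overwrite it.

    zone_policies: {zone: [update-policy lines]} (hypothetical input shape).
    protected: FQDNs whose records must not be writable through DDNS.
    """
    findings = {}
    for host in protected:
        zone = owning_zone(host, zone_policies)
        if zone is None:
            continue  # host is not in any zone we serve
        keys = [m.group(1) for line in zone_policies[zone]
                if (m := WILDCARD_GRANT.match(line))]
        if keys:
            findings[host] = (zone, keys)
    return findings

# Constructed sample data using the names from the message.
SHARED = {"example.com.": ["grant rndc-key wildcard * ANY;"]}
SPLIT = {"example.com.": [],
         "dhcp.example.com.": ["grant rndc-key wildcard * ANY;"]}
PROTECTED = ["x.example.com"]

if __name__ == "__main__":
    print(exposed_hosts(SHARED, PROTECTED))  # DC record is writable
    print(exposed_hosts(SPLIT, PROTECTED))   # nothing exposed
```

With the grant on example.com the domain controller's name is reported as writable by rndc-key; with the grant moved to dhcp.example.com the report is empty, because the most specific zone owning x.example.com no longer carries a wildcard grant.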