On 9.4.2014 00:06, Simo Sorce wrote:
On Tue, 2014-04-08 at 16:42 -0500, Justin Brown wrote:
I'm sure that I'm doing this very wrong, but I'm wondering if anyone
can offer any solutions.

I currently have a relatively small domain that's used internally.
Let's say fandingo.org. This domain covers various class C networks on Currently, there's an Active Directory server that
provides internal (and forwarding) DNS for fandingo.org. I'm in the
experimentation phase with FreeIPA in this environment and don't want
to modify anything outside of FreeIPA for the time being.

FreeIPA is setup with DNS and has the fandingo.org domain controllers
setup as forwarders. I have my laptop joined to the FreeIPA domain,
but that's where the problem starts. I can correctly resolve any
*.fandingo.org resource in FreeIPA. The problem is that I want to
resolve *.fandingo.org resources that are defined in the Active
Directory DNS.

Does anyone know how I can configure FreeIPA/BIND to forward all
requests (even those for its own domain) that it can't satisfy rather
than returning NXDOMAIN?

Is FreeIPA shadowing an AD domain?
I.e. are the AD domain and FreeIPA domain using the same domain name?

That would be bad.
If you want to manage fandingo.org in AD it would be a better idea to
create an ipa.fandingo.org domain for IPA. Then set forwarders *both* ways
(or just delegate the domain from AD) to IPA, so all clients, regardless
of what DNS server they are using, can resolve both *.fandingo.org hosts (via
AD DNS) and *.ipa.fandingo.org hosts (via FreeIPA DNS).

Let me add that name collisions/domain shadowing cannot be handled by standard means.

The name resolution algorithm for an authoritative server is standardized here:

See the end of step 3-C:

    If the "*" label does not exist, check whether the name we
    are looking for is the original QNAME in the query or a name
    we have followed due to a CNAME or DNAME.  If the name is
    original, set an authoritative name error in the response and

Simo's proposal is the best thing you can do and it requires minimal changes on the AD side (i.e. adding 2*(number of IPA servers) DNS records to AD).

Please see
http://www.freeipa.org/page/Deployment_Recommendations .

Have a nice day!

Petr^2 Spacek
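The step 3 behaviour Petr quotes from RFC 1034, and why Simo's delegation layout avoids it, modelled in an added Python example that is not code from the thread, FreeIPA or BIND; zone contents, host names and the 192.0.2.x addresses are constructed:

```python
# Added example, not code from the thread, FreeIPA or BIND: a toy model of
# the RFC 1034 section 4.3.2 lookup an authoritative server performs.
# Zone contents, host names and 192.0.2.x addresses are constructed.

def labels(name):
    """'a.b.c' -> ['c', 'b', 'a'] (root first, trailing dot ignored)."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]

def in_zone(qname, zone):
    return labels(qname)[:len(labels(zone))] == labels(zone)

def lookup(server, qname, qtype="A"):
    """server = {'zones': {zone: {owner: {type: [rdata]}}}, 'forwarders': [...]}."""
    # Step 2: closest enclosing zone the server is authoritative for.
    zone = max((z for z in server["zones"] if in_zone(qname, z)),
               key=lambda z: len(labels(z)), default=None)
    if zone is None:   # not authoritative for any ancestor: may forward
        return ("FORWARD", server["forwarders"])
    records, node = server["zones"][zone], zone
    # Step 3: walk label by label below the zone apex.
    for label in labels(qname)[len(labels(zone)):]:
        node = f"{label}.{node}"
        rrsets = records.get(node)
        if rrsets is not None and "NS" in rrsets:
            return ("REFERRAL", rrsets["NS"])          # 3b: delegation
        if rrsets is None and not any(n.endswith("." + node) for n in records):
            # 3c: no such node and nothing below it; try the "*" label, else
            # an authoritative name error (NXDOMAIN). Forwarders are never used.
            wild = records.get("*." + node.split(".", 1)[1])
            if wild and qtype in wild:
                return ("ANSWER", wild[qtype])
            return ("NXDOMAIN", None)
    return ("ANSWER", records.get(node, {}).get(qtype, []))   # 3a: name exists
# The thread's problem: IPA claims the whole fandingo.org zone.
IPA_SHADOW = {"zones": {"fandingo.org": {
    "fandingo.org": {"NS": ["ipa1.fandingo.org"]},
    "ipa1.fandingo.org": {"A": ["192.0.2.10"]}}},
    "forwarders": ["192.0.2.1"]}   # AD DNS
# Simo's proposal: AD keeps fandingo.org and delegates ipa.fandingo.org to IPA.
AD = {"zones": {"fandingo.org": {
    "fandingo.org": {"NS": ["ad1.fandingo.org"]},
    "fileserver.fandingo.org": {"A": ["192.0.2.20"]},
    "ipa.fandingo.org": {"NS": ["ipa1.ipa.fandingo.org"]},   # delegation
    "ipa1.ipa.fandingo.org": {"A": ["192.0.2.10"]}}},        # glue
    "forwarders": []}
IPA = {"zones": {"ipa.fandingo.org": {
    "ipa.fandingo.org": {"NS": ["ipa1.ipa.fandingo.org"]},
    "ipa1.ipa.fandingo.org": {"A": ["192.0.2.10"]}}},
    "forwarders": ["192.0.2.1"]}   # AD DNS, used only for names outside the zone
```

With the shadowing layout, a query for an AD-only host gets NXDOMAIN from IPA before any forwarder is consulted; with the delegated subdomain the same query falls outside IPA's zone and is forwarded, while AD answers the ipa.fandingo.org names with a referral.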

