Is there any way to do an nsupdate of DNS records on an IPA server using a
TSIG key without having a Kerberos ticket?

We were going to swap out bind in favor of IPA, but we need to be able to

> We use nsupdate to move the location of some of our services around.
> For instance there might be two servers that exchange roles, like
> and  and we will have a service name
> like The owner of the application has been given an
> nsupdate key that allows them to update and delete on the 
> have that records contain either an "A" record for one or the other of
> the two servers.
> I am very concerned that there might come a time when the SOA primary
> master server for this dynamic domain might be down when the application
> owner needs to do their nsupdate.
> One observation that we see is that Windows AD and DNS make every AD DNS
> server an SOA for any domain that it serves. That any dynamic DNS update
> can be serviced by any Domain controller and that this update is replicated
> with LDAP to the other DCs.
> It was our hope that we could use IPA for our DNS servers for this dynamic
> domain. That we would have multiple forward statements from our main DNS
> servers to the IPA DNS servers and that any IPA server would be the SOA.
> This way the nsupdate would be processed by any available IPA server in the
> event that one or more of these IPA DNS servers would be down or
> unreachable.
> Is there a way to make each IPA system an SOA for the same domain and still
> have the DNS records replicate between them?

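As an added example (not code from the original thread or from the FreeIPA project), the following POSIX shell script shows the client side of the workflow the quoted message describes: an application owner holding a TSIG key file replaces the A record of a service name, and the script tries each listed DNS server in turn so the update still goes through when the first server is unreachable. The server names, zone, record values and key path are constructed placeholders, and the script assumes every listed server is configured to accept TSIG-signed updates for the zone; the failover loop does nothing about how the zone is replicated between servers, which is the separate question the message asks.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Builds an nsupdate batch that replaces a service name's A record, signed
# with a TSIG key file (nsupdate -k), and tries each DNS server in turn.
# All hostnames, the zone, the key path and the address are constructed
# placeholders. Assumption: each server listed accepts TSIG-signed updates.

# Emit the nsupdate batch for replacing NAME's A record with NEW_IP in ZONE.
# Arguments: server zone name new_ip [ttl]
build_update_script() {
  server=$1; zone=$2; name=$3; new_ip=$4; ttl=${5:-60}
  printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
    "$server" "$zone" "$name" "$name" "$ttl" "$new_ip"
}

# Try the update against each server in SERVERS (space separated) and stop at
# the first one that accepts it. NSUPDATE_CMD defaults to nsupdate(1); it is
# invoked with "-k KEYFILE" so the request is TSIG-signed and reads the batch
# on stdin. Prints the server that accepted the update; returns 1 if none did.
# Arguments: keyfile zone name new_ip "server1 server2 ..."
update_with_failover() {
  keyfile=$1; zone=$2; name=$3; new_ip=$4; servers=$5
  cmd=${NSUPDATE_CMD:-nsupdate}
  for s in $servers; do
    if build_update_script "$s" "$zone" "$name" "$new_ip" \
         | $cmd -k "$keyfile" >/dev/null 2>&1; then
      echo "$s"
      return 0
    fi
  done
  return 1
}

# Usage (constructed values; the key file is a TSIG key as produced by
# tsig-keygen or ddns-confgen):
#   update_with_failover /etc/appowner/svc.key example.test \
#       svc.example.test 192.0.2.10 "ipa1.example.test ipa2.example.test"
```

Because `nsupdate` reads the batch on stdin, the batch builder is kept separate from the loop that runs it; that makes the generated update easy to inspect before it is sent, and lets the command be swapped out via `NSUPDATE_CMD` when exercising the failover logic without a live server.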