I have many dozens of TSIG keys declared in our current bind. There are
hundreds of records that have been granted to those keys. All of this
predates me and I do not know who has these keys. The scope of trying to
work with the owners of these keys to convert their processes to use
kerberos would be a large effort. It was my hope to use IPA / IDM to
provide multi master DNS, with each server being a SOA. But this becomes a
lot less desirable as a solution if I have to track down our key holders.
On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 05/13/2014 09:59 AM, Bob wrote:
> Is there anyway to do a nsupdate of a DNS records in a IPA server using
> a TSIG key without having a kerberos ticket?
> We were going to swap out bind in favor of IPA, but we need to be able to
> If you are using IPA you can give you clients keytabs.
> It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll
> your clients using ipa-client-install.
> If you have other operating systems some exploration would be required but
> it should be doable too.
> On Mon, May 12, 2014 at 10:11 AM, Bob <harv...@gmail.com> wrote:
>> We use nsupdate to move the location of some of our services
>> around. For instance there might be two servers that exchange roles, like
>> serv.east.abc.com and serv.west.abc.com and we will have a service name
>> like wiki.abc.com. The owner of the application has been given an
>> nsupdate key that allows them to update and delete on the
>> wiki.abc.com and have that record contain an "A" record for one
>> or the other of the two servers.
>> I am very concerned that there might come a time when the SOA primary
>> master server for this dynamic domain might be down when the application
>> owner needs to do their nsupdate.
>> One observation that we have is that Windows AD and DNS make every AD DNS
>> server an SOA for any domain that it serves, so any dynamic DNS update
>> can be serviced by any Domain controller and this update is replicated
>> with LDAP to the other DCs.
>> It was our hope that we could use IPA for our DNS servers for this
>> dynamic domain: we would have multiple forward statements from our
>> main DNS servers to the IPA DNS servers and any IPA server would be
>> the SOA. This way the nsupdate would be processed by any available IPA
>> server in the event that one or more of these IPA DNS servers would be down
>> or unreachable.
>> Is there a way to make each IPA system a SOA for the same domain and
>> still have the DNS records replicate between them?
>> Bob Harvey
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
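The role swap the thread describes (one nsupdate that replaces the A record of wiki.abc.com with whichever of serv.east.abc.com / serv.west.abc.com is active), as an added example that is not part of any message in the thread. It builds the nsupdate batch as text and then shows the two ways of authenticating it that the thread contrasts: a TSIG key file as in the existing bind setup, and GSS-TSIG (`nsupdate -g`) with a Kerberos ticket as IPA expects. The server name `ns1.example.test`, the zone `abc.com`, the addresses and the `KEYFILE` variable are constructed placeholders; the delete-then-add in one message is what keeps the record from being briefly absent.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds and submits the nsupdate
# transaction that points a service name at one of two hosts.

# Emit the nsupdate input for one service name. The delete and the add go in
# a single message, so the record is replaced atomically on the server.
# Args: server, zone, name, ttl, new IPv4 address.
build_update() {
    server=$1; zone=$2; name=$3; ttl=$4; ip=$5
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$ip"
    printf 'send\n'
}

# Reject anything that is not a dotted quad before it reaches the zone.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Submit the batch. "tsig" signs with the shared key file in $KEYFILE, the way
# the application owners' keys work today; "gss" uses GSS-TSIG with the
# caller's Kerberos credentials (kinit first, or the host keytab from
# ipa-client-install). -v forces TCP so the update is not silently dropped.
# Args: mode, server, zone, name, new IPv4 address.
send_update() {
    mode=$1; server=$2; zone=$3; name=$4; ip=$5
    case $mode in
        tsig|gss) ;;
        *) echo "mode must be tsig or gss" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    if [ "$mode" = tsig ]; then
        build_update "$server" "$zone" "$name" 300 "$ip" | nsupdate -k "$KEYFILE" -v
    else
        build_update "$server" "$zone" "$name" 300 "$ip" | nsupdate -g -v
    fi
}

# Example invocation (placeholder values): flip wiki.abc.com to the east host
# using the Kerberos path. Uncomment to run against a real server.
# send_update gss ns1.example.test abc.com wiki.abc.com 192.0.2.10
```

With `-k` the holder of the key file can change any record the server's update policy grants that key name; with `-g` the same policy decision is made on the Kerberos principal, which is what lets IPA tie update rights to an enrolled host or a user rather than to a secret that may have been copied around since before anyone remembers.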