I have many dozens of TSIG keys declared in our current bind. There are hundreds of records that have been granted to those keys. All of this predates me and I do not know who has these keys. The scope of trying to work with the owners of these keys to convert their processes to use Kerberos would be a large effort. It was my hope to use IPA / IDM to provide multi-master DNS, with each server being an SOA. But this becomes a lot less desirable as a solution if I have to track down our key holders.
On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal <[email protected]> wrote:

> On 05/13/2014 09:59 AM, Bob wrote:
>
> Is there any way to do an nsupdate of a DNS record in an IPA server using a TSIG key without having a Kerberos ticket?
>
> We were going to swap out bind in favor of IPA, but we need to be able to do nsupdates.
>
>
> If you are using IPA you can give your clients keytabs.
> It is all automatic with RHEL, Fedora, CentOS for the last 5 years. Enroll your clients using ipa-client-install.
> If you have other operating systems some exploration would be required, but it should be doable too.
>
>
> On Mon, May 12, 2014 at 10:11 AM, Bob <[email protected]> wrote:
>
>> We use nsupdate to move the location of some of our services around. For instance there might be two servers that exchange roles, like serv.east.abc.com and serv.west.abc.com, and we will have a service name like wiki.abc.com. The owner of the application has been given an nsupdate key that allows them to update and delete on wiki.abc.com and have that record contain an "A" record for one or the other of the two servers.
>>
>> I am very concerned that there might come a time when the SOA primary master server for this dynamic domain might be down when the application owner needs to do their nsupdate.
>>
>> One observation that we see is that Windows AD and DNS make every AD DNS server an SOA for any domain that it serves. Any dynamic DNS update can be serviced by any Domain Controller, and this update is replicated with LDAP to the other DCs.
>>
>> It was our hope that we could use IPA for our DNS servers for this dynamic domain. That we would have multiple forward statements from our main DNS servers to the IPA DNS servers and that any IPA server would be the SOA. This way the nsupdate would be processed by any available IPA server in the event that one or more of these IPA DNS servers would be down or unreachable.
>>
>> Is there a way to make each IPA system an SOA for the same domain and still have the DNS records replicate between them?
>>
>> thanks,
>>
>> Bob Harvey
>>
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
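As an added example (not part of this thread, and not FreeIPA's or ISC's own code), here is the role-swap update Bob describes, written as an nsupdate batch that can be sent either with a TSIG key file or, as Dmitri suggests, with a Kerberos keytab through GSS-TSIG. The zone `abc.com`, the server `ns1.abc.com`, the TTL, the key file and keytab paths, and the principal name are all assumptions.

```shell
#!/bin/sh
# Added example: swap the A record of a service name between two hosts with
# nsupdate, authenticated either by a TSIG key file or by a Kerberos keytab.
# Assumed values (not from the thread): zone abc.com, server ns1.abc.com,
# key file ./wiki.key, keytab ./wiki.keytab, TTL 300.

# Emit an nsupdate batch (one command per line) that replaces every A record
# of $1 with a single A record pointing at $2.
#   $1 service FQDN, $2 new IPv4 address, $3 server, $4 zone, $5 TTL (optional)
build_nsupdate_script() {
    service=$1; ip=$2; server=$3; zone=$4; ttl=${5:-300}
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    # Delete all existing A records first so the name never has two answers.
    printf 'update delete %s. A\n' "$service"
    printf 'update add %s. %s A %s\n' "$service" "$ttl" "$ip"
    printf 'send\n'
}

# TSIG path: -k names the key file (as produced by tsig-keygen). The file is a
# shared secret, so keep it owned by the updating user with mode 0600.
swap_with_tsig() {
    keyfile=${TSIG_KEYFILE:-./wiki.key}
    [ -r "$keyfile" ] || { echo "TSIG key file $keyfile not readable" >&2; return 1; }
    build_nsupdate_script "$@" | nsupdate -k "$keyfile"
}

# GSS-TSIG path: get a ticket from the client's keytab, then nsupdate -g signs
# the update with that credential instead of a shared TSIG secret.
swap_with_gss() {
    keytab=${KEYTAB:-./wiki.keytab}
    principal=${PRINCIPAL:?set PRINCIPAL to the keytab principal}
    kinit -k -t "$keytab" "$principal" || return 1
    build_nsupdate_script "$@" | nsupdate -g
}

# Usage (either line):
#   swap_with_tsig wiki.abc.com 192.0.2.10 ns1.abc.com abc.com
#   PRINCIPAL=host/serv.east.abc.com swap_with_gss wiki.abc.com 192.0.2.10 ns1.abc.com abc.com
```

Only `build_nsupdate_script` runs without a DNS server; the two wrappers need a reachable server that accepts the key or the Kerberos credential. The delete-then-add pair is sent in one batch, so the server applies it as a single atomic update.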
