On 31.12.2014 22:40, Jan Pazdziora wrote:
> On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
>>
>>> endpoints, or their users, should not be trusted to
>>> make updates to DNS zones. TSIG signed updates from servers are still
>>> preferred over authenticated updates from endpoints or users.
>>
>> Server has identity just like service, just like user. You can have
>> unimportant server and you can have important (admin) user. Ruling
>> out authentication
>
> ... oops, I seem to have failed to finish this paragraph.
>
> Ruling out authentication of identities means that you give up on
> centrally controlled access policies -- something that FreeIPA is
> good at, besides just storing identities.
>
> In other words, instead of having an increasing number of shared
> secrets around your network, it might be useful to adopt the
> approach where identities can get created without many restrictions,
> and what you allow those identities to do is what matters.
Generally I agree with Jan. If you insist on using TSIG, you can do that manually by editing named.conf on IPA servers:
http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

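As an added illustration of the "shared secret" versus "scoped permission" point in the thread (this is example configuration written for this page, not taken from the messages above or from the linked FreeIPA howto): a plain BIND 9 named.conf fragment that defines a TSIG key and then limits what that key may change with an update-policy. The key name, zone, file path and secret are placeholders. It is written for a standalone BIND zone; on a FreeIPA server the zone data itself is served from LDAP rather than a zone file, so there only the key stanza would carry over directly (this is an assumption about the reader's deployment, and the howto above is the authoritative procedure).

```conf
// Example BIND 9 fragment (added here; not from the thread or the FreeIPA howto).
// All names, the zone and the secret are placeholders.

key "host1-update-key" {
    algorithm hmac-sha256;
    // Generate a real value with: tsig-keygen host1-update-key
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.test" IN {
    type master;
    file "/var/named/example.test.db";

    // Weak setting (shown for contrast, left disabled): any holder of the
    // shared secret may rewrite every record in the zone.
    // allow-update { key host1-update-key; };

    // Least privilege: the same key may only modify the A and AAAA records
    // of one specific name, so a leaked secret has a bounded blast radius.
    update-policy {
        grant host1-update-key name host1.example.test A AAAA;
    };
};
```

The contrast is the whole point of the thread: `allow-update` treats the TSIG key as an all-or-nothing secret, whereas `update-policy` expresses a per-identity permission. Each endpoint that should self-register still needs its own key (one shared secret per host, which is the proliferation Jan describes), while identity-based authentication lets a central policy decide what each already-known host may do without distributing additional secrets.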