Yes, but you need to allow zone transfers to your non-IPA servers:

$ ipa dnszone-mod --allow-transfer=""

(where is the IP of your new slave and is the zone name you 
want to transfer)


On Behalf Of Christopher Young
Sent: Monday, April 06, 2015 7:02 PM
To: Rob Crittenden
Subject: Re: [Freeipa-users] Slave DNS on FreeIPA replica

I clearly missed that.  Thanks for the clarification.  As far as adding 
additional DNS servers merely to slave the zones, is that more or less the same 
as configuring any other bind slave?

On Mon, Apr 6, 2015 at 3:15 PM, Rob Crittenden wrote:
Christopher Young wrote:
> I have - what I believe to be - a couple of basic questions (I apologize
> in advance if these are answered elsewhere, though I've tried to do some
> searching ahead of time.):
> I recently added an IPA replica to an existing IPA server and noticed
> that everything appeared to succeed in the setup.  One observation is
> that DNS (bind) was not set up on this new host.  I was wondering if
> this is normal behavior, and if so, is there a set of instructions
> needed to add/create additional DNS servers for use with FreeIPA?
> Ideally, I would like to have DNS running on all IPA hosts.
> Additionally, I plan on adding a pair of caching/slave DNS servers
> running standing BIND on remote networks and was wondering what the
> procedure would be to slave those zones onto those.  Would that be the
> same as allowing the transfer from those IPs and treating them just like
> any other BIND slave for the appropriate zones?
> I appreciate the clarifications and all the effort that goes into this!
DNS and a CA are optional components in a replica. You can add them
using ipa-dns-install and ipa-ca-install respectively.

To install bind during the replica install process add the option


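Added example, not part of the thread or of FreeIPA: a check that a zone's allow-transfer value grants transfers to the intended slave servers and nothing broader. It assumes the value is a semicolon-separated BIND address-match list (for example `none;` or `192.0.2.53;`); the function names and all addresses are constructed for illustration.

```python
import ipaddress

def parse_acl(value):
    """Split an address-match list such as '192.0.2.53;198.51.100.0/24;'."""
    return [e.strip() for e in value.split(";") if e.strip()]

def audit_allow_transfer(value, secondaries):
    """Audit one zone's allow-transfer value (hypothetical helper).

    Returns (findings, missing):
      findings - ACL entries that grant more than the listed secondaries need
      missing  - secondaries no entry covers, so their transfers are refused
    """
    wanted = [ipaddress.ip_address(s) for s in secondaries]
    covered, findings = set(), []
    for entry in parse_acl(value):
        if entry == "none":
            continue
        if entry == "any":
            findings.append((entry, "any host may transfer the zone"))
            covered.update(wanted)
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Negations, TSIG keys and named ACLs are not evaluated here.
            findings.append((entry, "not an address or prefix; review by hand"))
            continue
        hits = [w for w in wanted if w in net]
        covered.update(hits)
        if net.num_addresses > 1:
            findings.append((entry, "prefix covers %d addresses" % net.num_addresses))
        elif not hits:
            findings.append((entry, "host is not a known secondary"))
    missing = [str(w) for w in wanted if w not in covered]
    return findings, missing

if __name__ == "__main__":
    # Constructed sample: zone name -> allow-transfer value.
    sample = {
        "example.test.": "192.0.2.53;",
        "lab.example.test.": "192.0.2.53;198.51.100.0/24;",
        "old.example.test.": "none;",
    }
    for zone, acl in sample.items():
        print(zone, audit_allow_transfer(acl, ["192.0.2.53"]))
```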