On 5.5.2015 07:42, Christoph Kaminski wrote:
> Hi
>
> can someone validate this config for bind + split horizon (only the views
> part):
>
> acl internal {
>     127.0.0.1;
>     172.16.0.0/12;
> };
>
> view "internal"
> {
>     match-clients { internal; };
>     recursion yes;
>
>     dynamic-db "ipa" {
>         library "ldap.so";
>         arg "uri ldapi://%2fvar%2frun%2fslapd-HSO.socket";
>
>         arg "base cn=dns, dc=hso";
>         arg "fake_mname ipa-2.mgmt.hss.int.";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user DNS/ipa-2.mgmt.hss.int";
>         arg "serial_autoincrement yes";
>     };
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     include "/etc/named.rfc1912.zones";
>     include "/etc/named.root.key";
>
> };
>
> view "external"
> {
>     match-clients { any; };
>     recursion yes;
>
>     zone "mgmt.hss.int" {
>         type master;
>         file "mgmt.hss.int.db";
>     };
>
>     zone "in-addr.arpa" {
>         type forward;
>         forward only;
>         forwarders { 172.16.8.210; };
>     };
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     include "/etc/named.rfc1912.zones";
>     include "/etc/named.root.key";
> };
>
> it works but it's a little bit of an unclean hack IMHO. Bind 9.9 in rhel7.1
> doesn't support 'in-view', that's the reason why I use the same host but
> the ip from the internal acl here:
>
> zone "in-addr.arpa" {
>     type forward;
>     forward only;
>     forwarders { 172.16.8.210; };
> };
>
> is there something that can cause problems?

Technically it should work but it is untested.

General advice about views is 'do not use them' :-)

It is much cleaner to put internal names in a sub-domain like int.example.com. (while example.com. is the public-facing domain) and restrict access to this sub-domain using ACL.

In the long term it will make your life much easier when it comes to DNSSEC validation.

Please see http://www.freeipa.org/page/Deployment_Recommendations#DNS for other related recommendations.

I hope this helps.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
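
The layout recommended in the reply above, sketched as an added example that is not part of the original thread or of the FreeIPA project's configuration. It assumes plain file-backed zones with hypothetical file names and reuses the `internal` ACL from the question; in a FreeIPA deployment the zones would be served from LDAP through `dynamic-db` instead.

```conf
// Added illustration: one view-less configuration, no split horizon.
// Zone file names are hypothetical placeholders.

acl internal {
    127.0.0.1;
    172.16.0.0/12;
};

options {
    // Recursion and cached answers are offered to internal clients only.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
};

// Public-facing domain: authoritative answers for anyone.
zone "example.com" {
    type master;
    file "example.com.db";          // hypothetical file name
    allow-query { any; };
};

// Internal names live in their own sub-domain zone. Only the internal
// ACL may query it, so a second view is not needed and every client
// sees the same data for example.com.
zone "int.example.com" {
    type master;
    file "int.example.com.db";      // hypothetical file name
    allow-query { internal; };
    allow-transfer { none; };
};
```

Clients outside the `internal` ACL that ask for names under int.example.com get a REFUSED response rather than a different answer set.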