Thanks Petr. My use case is: we have scripts that connect to some services, let's say a docker registry. I want these scripts to work either internally or externally, without changing the URLs. What would be the best or easiest setting to achieve this?

On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:

> On 8.7.2015 15:07, Karl Forner wrote:
> > On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
> >
> >> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>
> >>> When using my freeIPA DNS name server for my domain example.test, I need to
> >>> exclude some names from the server (to be forwarded to the DNS forwarder,
> >>> for instance).
> >>>
> >>> For example, I'd like foo.example.test not to be resolved, but forwarded.
> >>> How could I implement this?
> >>
> >> That would mean you have two different nameservers authoritative for
> >> the same DNS domain. That is generally not a recommended setup.
> >>
> >
> > Yes, that's what I read, but I do not know how to easily do differently.
> > But in the end, what I'd like for my users, is to have foo.example.test
> > resolved from the outside to my external server IP, and from the inside to
> > the internal server IP.
>
> Such a setup is generally not recommended because it is usually a pain when it
> comes to long-term operation and maintenance.
>
> http://www.freeipa.org/page/DNS#Caveats
> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>
>
> Two main use-cases are:
>
> a) Two or more different servers are using the same name and which server is
> used depends on the client's network.
>
> This is usually very cumbersome because DNS caching will play against you,
> especially when we introduce system-wide cache into Fedora 23.
>
> It is also hard to manage and debug because you have to ask the same question
> from different networks etc. And it will be harder when you deploy DNSSEC to
> increase security...
>
> The typical recommendation is to use a sub-domain for internal names, e.g.
> i.example.com for internal names and example.com for
> externally-resolvable names.
>
>
> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>
> Yes, it is as bad an idea as it sounds.
>
>
> >> Can't you make foo.example.test a CNAME to foo.example.org or another
> >> hostname, in domain with different authoritative DNS server?
> >>
> >
> > Hmm yes that should work, thanks!
>
> Please keep in mind that it only hides the problem under yet another layer of
> indirection.
>
> <humor>
> Yes, it is always possible! We know it because it is written in
> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
> (6) but you should take point (3) into account, too :-)
> </humor>
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project