On 8.7.2015 20:46, Karl Forner wrote:
> I forgot my main use case: I have name-based reverse proxies (SNI) for some
> web apps/services, that are accessible both from the internal and external
> network.
> They must be accessed with the exact same name/url, otherwise the dispatch
> cannot work.
> Until now I manage this by manually editing all /etc/hosts on all internal
> computers, but I had hoped to benefit from the freeIPA DNS for a more elegant
> solution.
Standard DNS cannot provide you with this, you need to hack it yourself. Sorry!

Petr Spacek @ Red Hat

> On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek <pspa...@redhat.com> wrote:
>
>> On 8.7.2015 16:32, Karl Forner wrote:
>>> Thanks Petr.
>>>
>>> My use case is: we have scripts that connect to some services, let's say a
>>> docker registry.
>>> I want these scripts to work either internally or externally, without
>>> changing the URLs.
>>> What would be the best or easiest setting to achieve this?
>>
>> Personally I use a config file for this. I.e. the script is the same and URLs,
>> names, passwords, etc. are read from a config file stored alongside the script.
>>
>> This allows me to test it easily without any changes in DNS or system-wide
>> configuration like /etc/hosts.
>>
>> Yes, it requires more code, but in the long term it is way more debug-able than
>> DNS tricks.
>>
>> Petr^2 Spacek
>>
>>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>>
>>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
>>>>>
>>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>>>
>>>>>>> When using my freeIPA DNS name server for my domain example.test, I need
>>>>>>> to exclude some names from the server (to be forwarded to the DNS
>>>>>>> forwarder, for instance).
>>>>>>>
>>>>>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>>>>>> How could I implement this?
>>>>>>
>>>>>> That would mean you have two different nameservers authoritative for
>>>>>> the same DNS domain. That is generally not a recommended setup.
>>>>>>
>>>>>
>>>>> Yes, that's what I read, but I do not know how to easily do it differently.
>>>>> But in the end, what I'd like for my users, is to have foo.example.test
>>>>> resolved from the outside to my external server IP, and from the inside to
>>>>> the internal server IP.
>>>>
>>>> Such a setup is generally not recommended because it is usually a pain when
>>>> it comes to long-term operation and maintenance.
>>>>
>>>> http://www.freeipa.org/page/DNS#Caveats
>>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>>
>>>> Two main use-cases are:
>>>>
>>>> a) Two or more different servers are using the same name and which server
>>>> is used depends on the client's network.
>>>>
>>>> This is usually very cumbersome because DNS caching will play against you,
>>>> especially when we introduce a system-wide cache into Fedora 23.
>>>>
>>>> It is also hard to manage and debug because you have to ask the same
>>>> question from different networks etc. And it will be harder when you deploy
>>>> DNSSEC to increase security...
>>>>
>>>> The typical recommendation is to use a sub-domain for internal names, e.g.
>>>> i.example.com for internal names and example.com for externally-resolvable
>>>> names.
>>>>
>>>> b) Second use-case: Attempt to optimize IP routing by using DNS tricks.
>>>>
>>>> Yes, it is as bad an idea as it sounds.
>>>>
>>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>>>> hostname, in a domain with a different authoritative DNS server?
>>>>>>
>>>>>
>>>>> Hmm yes that should work, thanks!
>>>>
>>>> Please keep in mind that it only hides the problem under yet another layer
>>>> of indirection.
>>>>
>>>> <humor>
>>>> Yes, it is always possible! We know it because it is written in
>>>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
>>>> point (6), but you should take point (3) into account, too :-)
>>>> </humor>
>>>>
>>>> --
>>>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
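Petr's config-file approach applied to Karl's SNI reverse-proxy case, as an added example that is not from the thread: the service name in the URL (and so the TLS SNI name the proxy dispatches on) stays identical on both networks, and only the address the client connects to is picked from a per-network profile in a config file. The config contents, service names and addresses are constructed, and pinning the name to an address with curl's --resolve option is this example's choice, not something proposed in the thread.

```shell
#!/usr/bin/env bash
# Constructed example config (hypothetical names and addresses): one canonical
# service name per service and one connect address per network. In real use it
# lives in a file next to the script instead of being written by the script.
CONFIG_FILE="${CONFIG_FILE:-$(mktemp)}"
cat > "$CONFIG_FILE" <<'EOF'
# service   canonical-name:port         internal-address   external-address
registry    registry.example.test:443   10.0.0.5           203.0.113.7
gitlab      gitlab.example.test:443     10.0.0.6           203.0.113.7
EOF

# Print "name:port:address" for a service in a profile (internal|external).
# That is the argument curl's --resolve option takes: the URL and therefore the
# TLS SNI name are identical on both networks, only the socket address differs.
resolve_entry() {
  local service="$1" profile="$2" svc name addr_int addr_ext
  while read -r svc name addr_int addr_ext; do
    case "$svc" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    [ "$svc" = "$service" ] || continue
    case "$profile" in
      internal) printf '%s:%s\n' "$name" "$addr_int" ;;
      external) printf '%s:%s\n' "$name" "$addr_ext" ;;
      *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    return 0
  done < "$CONFIG_FILE"
  echo "unknown service: $service" >&2
  return 1
}

# Canonical URL for a service; the same string on every network.
service_url() {
  local entry
  entry=$(resolve_entry "$1" "$2") || return 1
  printf 'https://%s/\n' "${entry%:*}"
}

# Fetch a path from a service, pinning the name to the profile's address for
# this one curl process: no /etc/hosts edits, no split-horizon DNS, and the
# reverse proxy still sees the exact name it dispatches on.
fetch() {
  local service="$1" profile="$2" path="${3:-/}" entry
  entry=$(resolve_entry "$service" "$profile") || return 1
  curl --fail --silent --show-error --resolve "$entry" "https://${entry%:*}${path}"
}
```

Run it as, for example, `fetch registry internal /v2/`; the profile name can come from an environment variable or a command-line flag so the script itself never changes between networks.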