On 9.9.2015 07:09, Alexander Bokovoy wrote:
> On Wed, 09 Sep 2015, John Keates wrote:
>> So I was having a DNS mess the other day and decided to clean it up.
>> Before, I was running Unbound on pfSense which then had a domain
>> override to the IPA box. It would forward all queries and IPA-wise all
>> was well.  Problem was that the domain was also used for a bunch of
>> other things, like the outside world, and DHCP leases, because I want
>> to be able to FQDN my machines and VM’s.
>> At first, I thought I could somehow make a weird multi-master setup, or
>> have Unbound rewrite queries or selectively forward or ignore the
>> authoritative status of DNS servers, but that’s a rather nasty hackish
>> way to attempt to fix things, so I went for the option to have DHCPd
>> feed it’s leases and updates to BIND, and make Unbound the 2nd DNS
>> server in case of an IPA meltdown.
>> This turned out to be not-so-easy as you can’t use GSSAPI on the
>> pfSense box and the IPA interface doesn’t allow you to create keys just
>> like that. Solution? Manual edits!  Now, I’m not sure if they will be
>> preserved, but since I was using SaltStack to manage pretty much
>> everything config-wise, I just make sure it keeps my settings around.
>> Here is how to configure things:
>> BIND-side:
>> 1. Open /etc/named.conf in a root editor
>> 2. Insert a key like this:
>> key "dhcp-key" {
>>   algorithm   hmac-md5;
>>   secret    “base64_string_here=";
>> };
>> Where the string “dhcp-key” can be anything, but you should remember
>> what you put in there.  The Secret is a base64 string, if you are
>> slightly clueless about that, use: echo “yoursecrethere” | base64
>> and you will get your base64 string. Stick it in between the quotes and
>> you’re good.
>> 3. Next, log in to the IPA UI and go to the Zone you’d like to have DHCP
>> dynamically push to.
>> 4. Click settings and turn on “Dynamic update” if it’s not on already
>> 5. Add an update policy, in this format:
>> grant dhcp-key wildcard * ANY;
>> This is rather insecure as you give anything that authenticates using
>> the key called “dhcp-key” full update rights for all types on that
>> zone.  So if you want to restrict it, do so as you please. I believe it
>> at least wants A and AAAA records and probably TXT.
>> 6. Click the update button and you are all set on this end. Note: if
>> you want to have reverse lookups as well, you have to repeat step 5 for
>> the reverse zone too!
>> pfSense-side:
>> 1. In pfSense, go to the DHCP server page
>> 2. Enable "Enable registration of DHCP client names in DNS.”
>> 3. Enter the domain name of the zone you configured in IPA for dynamic 
>> updates
>> 4. Enter the required fields (IP of the IPA server, the name (which is
>> dhcp-key in this example) and the base64 string you generated
>> 5. Press save and you’re good!
>> A few extra’s:
>> - You could add IPA as an NTP server here as well
>> - You should add the IPA server as the 1st DNS server
>> - You can add pfSense as the 2nd DNS server if you like
>> Please remember that at this point no DNS-related stuff on pfSense is
>> used anymore as all clients will talk to IPA for their DNS needs from
>> now on.  If all you need is the one domain name, for example, if you
>> use a unique domain just for internal IPA use, you’re better off using
>> the domain override.
>> I hope this helps someone, and might work as a basis for more robust
>> and secure configuration, as this is something I just came up with
>> today in a test environment.
> This looks reasonable. You may want to put your key definition into something
> like
> /etc/named/my-dhcp-keys.conf and include it from there via 'include'
> statements but I think we don't upgrade named.conf after it was
> originally created.
> John, could you please add this to FreeIPA wiki?

BTW it is already documented here:

Have a nice day! :-)

Petr^2 Spacek

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to