From: Martin Basti [mailto:mba...@redhat.com]
Sent: Wednesday, 08 March 2017 14:54
To: Wimmer Ronald (BCC.B.SO) <ronald.wim...@oebb.at>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] External DNS and replication

On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:

Hi,

I am using FreeIPA with external DNS. Is it ok to balance the requests between master and replica with DNS SRV records like this:

_kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
_kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
_kerberos.example.net. 86400 IN TXT "example.net"

Looks good to me

ipa-ca.example.net. 86400 IN A 10.66.39.130

What about the "ipa-ca" entry?

ipa-ca should contain all A/AAAA records of CA replicas.
IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to get all required records.

Regards,
Ronald

Martin

Thanks a lot.

In https://access.redhat.com/solutions/98043 Red Hat suggests using the same weight and the same priority for the SRV records. Does that make sense?

I also noticed that I have no ndp record. Are IPA clients relying on that entry? Do I have to create these manually?

_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver1.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver2.example.net.

Ronald

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
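
An added example, not part of the original e-mails and not FreeIPA code: a Python check for a hand-maintained external zone that flags services missing a server or carrying unequal priority/weight, and computes the share of requests each target should receive under RFC 2782 selection. The function names and the sample zone (with two deliberate defects) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the style of the records quoted in the thread:
# _kpasswd._udp lacks ipa2, and the _ldap weights differ on purpose.
ZONE = """\
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 25 389 ipa2.example.net.
"""

def parse_srv(text):
    """Return {owner: [(priority, weight, port, target), ...]} for SRV lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        # owner ttl class type priority weight port target
        if len(f) == 8 and f[2].upper() == "IN" and f[3].upper() == "SRV":
            records[f[0].lower()].append(
                (int(f[4]), int(f[5]), int(f[6]), f[7].lower()))
    return dict(records)

def audit(records, servers):
    """List services that miss a server or mix priority/weight values."""
    findings = []
    for owner, rrs in sorted(records.items()):
        missing = sorted(set(servers) - {t for *_, t in rrs})
        if missing:
            findings.append((owner, "missing target", missing))
        if len({(p, w) for p, w, _, _ in rrs}) > 1:
            detail = sorted((t, p, w) for p, w, _, t in rrs)
            findings.append((owner, "unequal priority/weight", detail))
    return findings

def expected_share(rrs):
    """RFC 2782: the lowest priority value is tried first; within that
    group a target is chosen in proportion to its weight."""
    best = min(p for p, *_ in rrs)
    group = [(w, t) for p, w, _, t in rrs if p == best]
    total = sum(w for w, _ in group)
    return {t: (w / total if total else 1 / len(group)) for w, t in group}

if __name__ == "__main__":
    recs = parse_srv(ZONE)
    for finding in audit(recs, ["ipa1.example.net.", "ipa2.example.net."]):
        print(finding)
    for owner, rrs in sorted(recs.items()):
        print(owner, expected_share(rrs))
```

With equal priority and weight on both servers, as in the records quoted above, each target gets half of the requests for that service.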