This starts as a free-ipa subject but ends in a pdns question, with some in-addr.arpa delegation mysteries.
I am setting up free-ipa with an *external* dns server, ns1.example.com. (ref: Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-en-US.pdf; Section 2.3.4 Installing a Server Without Integrated DNS) I installed all records using poweradmin.

RHEL7 documentation indicates to:

a) create a subdomain on the external dns server for the host on which free-ipa is installed. To this end I assumed that the records required are:

   in master zone example.com:
     ipa.example.com        NS    ns7.ipa.example.com
     ns7.ipa.example.com    A     192.168.1.15    # glue

   in native zone 1.168.192.in-addr.arpa:
     15.1.168.192.in-addr.arpa    PTR    ns7.ipa.example.com

   **And not required is the delegation of any in-addr.arpa zones, because I am not delegating the management of dns to the ipa host (noted above).**

b_1) on host ns7.ipa.example.com on which free-ipa is installed, be able to dig the fqdn of the host and receive its ip address.

b_2) on host ns7.ipa.example.com on which free-ipa is installed, be able to dig the ip address of ns7.ipa.example.com, and receive the fqdn of host ns7.ipa.example.com.

With the records installed as in a) above, I can do b_1) and b_2).

c) So I proceeded with the free-ipa install. It worked smoothly.

d) Then I added all the SRV records that free-ipa provides from the install. These I entered into the master zone: example.com.

>> free-ipa appears to work! But it's just a start; no clients yet.

My questions:

1. Is my placement of records in the master zone of example.com correct? .....

2. instead of creating a new master subdomain zone of ipa.example.com; but would that be correct, or just for convenience?

3. Forward and reverse dig works on ns7.ipa.example.com so the free-ipa installer was happy. But am I missing something regarding the delegation?

4. My references are the RHEL7 ref above, DNS and BIND Cookbook, Zytrax DNS for Rocket Scientists, and Adamw's 'happyassassin' blog of 2013: "Where's my FreeIPA badge?". With the exception of Adamw, all references and other blogs get mired deeply in delegation of in-addr.arpa zones, CNAMEs, etc. I don't think I care because I am retaining dns management in example.com. I am not delegating ip ranges for management by free-ipa. Is my assessment true?

5. I guess I am suspicious that free-ipa installed so easily; I don't want to get way downstream and then find out that dns was a mess to begin with.

Cheers,
Stan

_______________________________________________
Pdns-users mailing list
https://mailman.powerdns.com/mailman/listinfo/pdns-users
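As an added example (not from the original post or from FreeIPA/PowerDNS), a small offline consistency check over the kind of records described above, using constructed zone data and a hypothetical helper `check_records`. It checks the three things the delegation question hinges on: an NS target inside the delegated child needs a glue A record in the parent zone, the PTR must agree with the forward A record, and every SRV target needs an A record.

```python
# Constructed records mirroring the post's layout: (zone, name, type, rdata).
# The SRV line is a hypothetical sample, not the installer's actual output.
RECORDS = [
    ("example.com.", "ipa.example.com.", "NS", "ns7.ipa.example.com."),
    ("example.com.", "ns7.ipa.example.com.", "A", "192.168.1.15"),  # glue
    ("1.168.192.in-addr.arpa.", "15.1.168.192.in-addr.arpa.", "PTR",
     "ns7.ipa.example.com."),
    ("example.com.", "_ldap._tcp.example.com.", "SRV",
     "0 100 389 ns7.ipa.example.com."),
]


def in_zone(name, zone):
    """True if fully-qualified `name` lies at or below `zone`."""
    return name == zone or name.endswith("." + zone)


def check_records(records):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    by_type = {}
    for zone, name, rtype, rdata in records:
        by_type.setdefault(rtype, []).append((zone, name, rdata))
    a_by_name = {name: rdata for _, name, rdata in by_type.get("A", [])}

    # 1. In-bailiwick nameserver: the NS target sits inside the child it
    #    serves, so the parent zone must carry a glue A record for it.
    for zone, child, ns in by_type.get("NS", []):
        has_glue = any(z == zone and n == ns for z, n, _ in by_type.get("A", []))
        if in_zone(ns, child) and not has_glue:
            problems.append(f"missing glue A for {ns} in parent zone {zone}")

    # 2. Reverse record: the PTR owner encodes the IP; it must match the
    #    forward A record of the name it points at.
    for _, ptr_name, target in by_type.get("PTR", []):
        octets = ptr_name[: -len(".in-addr.arpa.")].split(".")
        ip = ".".join(reversed(octets))
        if a_by_name.get(target) != ip:
            problems.append(f"PTR {ip} -> {target} disagrees with A record")

    # 3. Service records: the SRV target (4th rdata field) must have an A.
    for _, name, rdata in by_type.get("SRV", []):
        target = rdata.split()[3]
        if target not in a_by_name:
            problems.append(f"SRV {name} target {target} has no A record")
    return problems


if __name__ == "__main__":
    print(check_records(RECORDS) or "records are consistent")
```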
