Thanks for sticking with me on this.

> In your FreeIPA server, /etc/resolv.conf must point to a *recursive*
> server.

I have this set up with pdns-recursor. pdns-recursor then forwards to the pdns auth server. With this setup I can dig forward and reverse and get the prescribed results for FreeIPA, but it's probably an illusion.

It's a fair comment to take it one step at a time, and I thought I had made it past some :). So if possible can you suggest the pieces of info I can supply to confirm my progress.

Just for fun: On the path I am on now (which admittedly is ahead of myself) I can see ipa-client-install logs that are indicating that I do need to create a subdomain zone by itself on the auth server; the installer does a dig SOA test and it does not get the right domain back because I did not separate the records into a new zone - I think ....

I did also create a 1.168.192.in-addr.arpa forward on the recursor, and it forced me to use 1.168.192 probably because I am using essentially random IP addresses. But here for sure I am ahead of myself. This forward however allowed me to successfully do dig -x on various servers, like google, my own auth server etc.

OK, now I am stepping back ..... :) .....

On Thu, 2017-02-23 at 08:58 +0000, Brian Candler wrote:
> On 23/02/2017 03:25, stancs3 wrote:
> > I am setting up free-ipa with an *external* dns server,
> > ns1.example.com.
>
> You need to step back a bit.
>
> There are two types of DNS server: authoritative and recursive.
>
> In your FreeIPA server, /etc/resolv.conf must point to a *recursive*
> server. But where you store records like "ipa1.ipa.example.com" is an
> *authoritative* server.
>
> Sometimes people combine both functions into the same server (bind does
> this by default). But it's better to separate them. PowerDNS *forces*
> you to separate them, since there are separate pdns-auth and
> pdns-recursor packages.
>
> So your first question should be: where is the DNS recursor which the
> FreeIPA server will resolve against?
>
> If you have an existing on-site recursor, it's fine to use that. For
> most domains, it will find the authoritative nameservers it needs to
> talk to by following delegations (NS records).
>
> But for 168.192.in-addr.arpa it is impossible to delegate properly, so
> you will need to configure your recursive server to *forward* queries
> for 168.192.in-addr.arpa to the local authoritative nameserver.
>
> Once you've decided whether you're going to build two new nameservers
> (one authoritative and one recursive), or you're going to build an
> authoritative server and re-use your existing recursive server but
> tweak its configuration, we can move on from there.
>
> Regards,
>
> Brian.
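As an added illustration of the forwarding Brian describes (this is not configuration posted by either participant, nor PowerDNS's own documentation), here is what the relevant part of a pdns-recursor configuration would look like when the FreeIPA zone and the private reverse zone are served by a local pdns-auth server. The zone names, the auth server address 192.168.1.10, the recursor address 192.168.1.20 and the allowed client network are assumptions for the example; substitute your own.

```ini
# /etc/powerdns/recursor.conf  (added example; assumed names and addresses)
#
# Everything not listed below is resolved normally by following NS
# delegations from the root. Only these two zones are forwarded, because
# nothing on the public Internet can delegate them to a private server.
#
# 192.168.1.10 is the assumed address of the local pdns-auth server.
# Each name on the left must be exactly a zone that the auth server
# serves as a zone of its own (not merely a set of records inside some
# parent zone); otherwise a query for the SOA of ipa.example.com is
# answered with the parent zone's SOA, which is the symptom described
# for the ipa-client-install SOA check above. If the auth server's
# reverse zone is 1.168.192.in-addr.arpa rather than
# 168.192.in-addr.arpa, forward that name instead.
forward-zones=ipa.example.com=192.168.1.10, 168.192.in-addr.arpa=192.168.1.10

# forward-zones (not forward-zones-recurse) is the right setting here:
# the target is an authoritative server, so queries are sent with RD=0.

# The address the FreeIPA host's /etc/resolv.conf should point at, and
# the clients allowed to use this recursor (assumed values).
local-address=192.168.1.20
allow-from=192.168.1.0/24
```

After restarting the recursor, the two checks that exercise exactly the path the FreeIPA host will use are `dig @192.168.1.20 SOA ipa.example.com +noall +answer`, which should return an SOA whose owner name is ipa.example.com itself, and `dig @192.168.1.20 -x 192.168.1.10`, which should return the PTR record held on the auth server. If the first one comes back with an SOA for example.com instead, the subdomain has not been created as a separate zone on the auth server.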
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
