On 23/02/2017 19:38, stancs3 wrote:
>> In your FreeIPA server, /etc/resolv.conf must point to a *recursive*
>> server.
> I have this set up with pdns-recursor. Pdns-recursor then forwards to
> the pdns auth server.
OK, that's fine. I have FreeIPA set up like that too.
There are a few magic records you ought to put into your "IPA domain" to
allow discovery of the servers for that realm.
Your actual hosts don't need to be in the same realm. So for example
your IPA servers could be foo.int.example.com and bar.int.example.com,
but the IPA domain could be ipa.example.com (corresponding to
IPA.EXAMPLE.COM as the Kerberos realm)
You can declare that hosts under *.int.example.com and *.ipa.example.com
belong to the same realm like this:
_kerberos.int.example.com. TXT "IPA.EXAMPLE.COM"
_kerberos.ipa.example.com. TXT "IPA.EXAMPLE.COM"
> With this setup I can dig forward and reverse and get the prescribed
> results for freeipa, but it's probably an illusion.
No, it sounds reasonable enough to me.
> On the path I am now (which admittedly is ahead of myself) I can see
> ipa-client-install logs that are indicating that I do need to create a
> subdomain zone by itself on the auth server; the installer does a dig
> SOA test and it does not get the right domain back because I did not
> separate the records into a new zone - I think ...
ipa-server-install?
You don't need to create a subdomain. But I think we've veered off pdns
and into FreeIPA territory. There's a separate FreeIPA list you can join.
> I did also create a 1.168.192.in-addr.arpa forward on the recursor,
> and it forced me to use 1.168.192 probably because I am using
> essentially random ip addresses.
I have no idea what you mean by that. Create 1.168.192.in-addr.arpa as
an authoritative zone, and forward it.
# recursor.conf
forward-zones-file=/etc/powerdns/forward-zones

# forward-zones
# x.x.x.x,y.y.y.y = IP address(es) of the authoritative server(s)
1.168.192.in-addr.arpa=x.x.x.x,y.y.y.y
This is assuming you built your network using 192.168.1.x IP addresses.
But nobody forced you to do that :-)
Regards,
Brian.
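The two pieces of this reply that people most often get wrong are the _kerberos TXT realm mapping and the name of the reverse zone. The script below is an added example, not code from the thread or from PowerDNS/FreeIPA: it mimics the Kerberos client's DNS realm lookup over a constructed TXT table, derives the in-addr.arpa zone from a network (192.168.1.0/24 -> 1.168.192.in-addr.arpa) and builds/parses the forward-zones line. The record table and server addresses are constructed sample data.

```python
import ipaddress

# Constructed sample of the TXT records described in the reply (not a live zone).
REALM_TXT = {
    "_kerberos.int.example.com": "IPA.EXAMPLE.COM",
    "_kerberos.ipa.example.com": "IPA.EXAMPLE.COM",
}


def realm_for_host(host, txt_records=REALM_TXT):
    """Mimic the krb5 DNS realm lookup (dns_lookup_realm): try
    _kerberos.<host>, then _kerberos.<parent>, ... until a TXT record hits.
    Without DNSSEC this mapping is unauthenticated, which is why MIT krb5
    ships with dns_lookup_realm disabled by default."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt_records:
            return txt_records[name]
    return None


def reverse_zone(cidr):
    """in-addr.arpa zone for an IPv4 network on an octet boundary (/8, /16, /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0 or not 8 <= net.prefixlen <= 24:
        raise ValueError("need an IPv4 /8, /16 or /24 for a plain in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def forward_zones_line(cidr, auth_servers):
    """Line for the recursor's forward-zones file: zone=ip,ip (hypothetical IPs)."""
    return f"{reverse_zone(cidr)}={','.join(auth_servers)}"


def parse_forward_zones(text):
    """Parse forward-zones text into {zone: [server, ...]}, dropping '#' comments."""
    zones = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, servers = line.split("=", 1)
        zones[zone.strip().rstrip(".")] = [s.strip() for s in servers.split(",") if s.strip()]
    return zones
```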
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users