Re: [Freeipa-users] DNS reverse Zones on other server

2016-05-02 Thread Petr Spacek
Hi,

first of all, please always keep the mailing list in Cc. I have re-added it. See
below:

On 2.5.2016 14:40, Wanka, Silvio wrote:
> Petr Spacek wrote:
>> >
> 
> Again thanks for your answer!
> 
>> > It works differently. DNS updates from clients would be forwarded to AD
>> > server (as today) and two-way trust would enable AD to authenticate IPA
>> > clients.
> This is not what I need; my IPA "clients" are always servers with static 
> IP addresses, i.e. "ipa-client-install" creates a fixed A record and the 
> enabled "Allow PTR sync" does nothing because it can't.
> 
>> > Anyway, neither slave nor stub would help you with this problem as both
>> > types are by definition read-only.
> In BIND there is an option "allow-update-forwarding" which would offer such a 
> possibility, but then IPA must use it if the A record should be created while 
> the zone is local. Maybe in the future. I know from Windows DNS servers 
> which are not domain controllers that they forward their clients' requests 
> to create or update a DNS record to the DCs if the domain is configured e.g. 
> as a stub zone on these non-DC DNS servers.

AFAIK this works only when the local server is authoritative for the zone. As far
as I understood you, IPA is not authoritative for the reverse zones, so it would
do nothing.

I'm curious how this option works with GSS-TSIG updates; I never tried that.

You might set up a slave zone manually in named.conf and then try to enable this
option. Please report your findings to the mailing list; I'm very curious.

I hope this will help.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
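What the reply above suggests, written out as a named.conf fragment. This is an added example for this thread, not configuration from the FreeIPA project or from the poster's setup; the zone name, the address of the AD domain controller and the client range are constructed placeholders.

```conf
// Secondary (slave) copy of a reverse zone whose primary is an AD domain controller.
// allow-update-forwarding only has an effect on secondary zones: named answers
// authoritatively from the transferred copy and forwards dynamic updates coming
// from the listed hosts to the primary in "masters" instead of refusing them.
zone "2.0.192.in-addr.arpa" IN {
    type slave;
    file "slaves/2.0.192.in-addr.arpa.db";
    masters { 192.0.2.1; };                 // AD domain controller (placeholder)
    // Limit which hosts may submit updates to be forwarded; the primary still
    // applies its own authorization to every forwarded update.
    allow-update-forwarding { 192.0.2.0/24; };   // IPA client range (placeholder)
};
```

Two things to check before this can work: the domain controller must permit zone transfers to the IPA DNS server's address, otherwise the secondary never loads and the server is not authoritative for the zone; and the forward zone that IPA currently holds for the same name should be removed first, since named will not serve two zones of the same name in one view. Whether a GSS-TSIG signed update survives the forwarding step is exactly the open question in the reply above, so test with a plain signed update first.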


Re: [Freeipa-users] DNS reverse Zones on other server

2016-05-02 Thread Petr Spacek
On 29.4.2016 17:46, Wanka, Silvio wrote:
> Hi,
> 
> if I search in the web for this problem I don't find a usable solution, 
> maybe my search pattern is wrong. ;-)
> 
> I have set up an IPA domain with integrated DNS, but because most systems 
> here are Windows servers and clients, the IPA clients must use the same IP 
> ranges. So the reverse zones are located on AD domain controllers. These 
> reverse zones are of course configured as forward zones on the IPA DNS 
> server. So reverse lookup works properly for all AD computers, but I miss a 
> possibility that if we join a computer to IPA, which adds a DNS record, or 
> manually add a DNS record, the reverse record will be automatically added 
> on the AD side as it would be done if the reverse zone were located on the IPA 
> side.
> Is the only possibility to manage the reverse record on the AD side 
> manually or to update/refresh it with a regularly running script?
> 
> I have a one-way trust to AD but won't change it to two-way; if necessary and 
> possible I would use a special AD account for that.

I can see two options:
- configure the DHCP server to somehow update the DNS server (to avoid
authentication of client machines to the DNS server for updates)

- use two-way trust - you already denied this option

Sorry, we do not have a better answer for you right now.

-- 
Petr^2 Spacek



[Freeipa-users] DNS reverse Zones on other server

2016-04-29 Thread Wanka, Silvio
Hi,

if I search in the web for this problem I don't find a usable solution, maybe 
my search pattern is wrong. ;-)

I have set up an IPA domain with integrated DNS, but because most systems 
here are Windows servers and clients, the IPA clients must use the same IP 
ranges. So the reverse zones are located on AD domain controllers. These 
reverse zones are of course configured as forward zones on the IPA DNS server. 
So reverse lookup works properly for all AD computers, but I miss a possibility 
that if we join a computer to IPA, which adds a DNS record, or manually add a DNS 
record, the reverse record will be automatically added on the AD side as it 
would be done if the reverse zone were located on the IPA side.
Is the only possibility to manage the reverse record on the AD side manually 
or to update/refresh it with a regularly running script?

I have a one-way trust to AD but won't change it to two-way; if necessary and 
possible I would use a special AD account for that.

TIA,
Silvio
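The "regularly running script" option from the post above, sketched out as an added example (this is not FreeIPA code and not something the poster wrote). It reconciles the PTR records in the AD-hosted reverse zones with the A/AAAA records IPA created, and renders the result as one nsupdate batch that is authenticated with GSS-TSIG, so it can run under a dedicated AD account (after a kinit as that account) rather than with unauthenticated updates. The forward records, the current AD reverse content, the domain names and the /24 and /64 zone delegation are all constructed assumptions; the script only ever deletes PTRs that point at hosts in the IPA domain, so AD's own reverse records are never touched by it.

```python
"""Reconcile PTR records in AD-hosted reverse zones with IPA's forward records.

Added example for this mailing-list thread, not FreeIPA or BIND code.
Assumptions (constructed): reverse zones are delegated per /24 (IPv4) and
/64 (IPv6); the output is fed to `nsupdate -g` after `kinit` as a dedicated
AD account that has write permission on those zones.
"""
import ipaddress

IPA_DOMAIN = "ipa.example.test."   # constructed: only PTRs under this domain are ours to delete

# Constructed sample of the forward records ipa-client-install left behind.
IPA_FORWARD_RECORDS = {
    "srv1.ipa.example.test.": "192.0.2.10",
    "srv2.ipa.example.test.": "192.0.2.11",
    "srv6.ipa.example.test.": "2001:db8::1a",
}

# Constructed snapshot of what the AD reverse zones hold right now.
AD_CURRENT_PTRS = {
    "10.2.0.192.in-addr.arpa.": "srv1.ipa.example.test.",    # already correct
    "12.2.0.192.in-addr.arpa.": "old-srv.ipa.example.test.", # stale, host was removed
}


def desired_ptrs(forward):
    """Map PTR owner name -> hostname for every forward record (IPv4 and IPv6)."""
    return {ipaddress.ip_address(ip).reverse_pointer + ".": host
            for host, ip in forward.items()}


def reverse_zone(owner):
    """Zone an owner name lives in, assuming /24 (in-addr.arpa) or /64 (ip6.arpa) delegation."""
    labels = owner.rstrip(".").split(".")
    host_labels = 1 if labels[-2] == "in-addr" else 16   # one octet or 16 nibbles
    return ".".join(labels[host_labels:]) + "."


def plan_changes(desired, current, ipa_domain=IPA_DOMAIN):
    """Return (adds, deletes, conflicts).

    adds:      (owner, target) PTRs to create
    deletes:   owners to remove first (stale PTRs that point into the IPA domain)
    conflicts: (owner, existing_target, wanted_target) where a non-IPA host owns
               the PTR; these are reported, never overwritten
    """
    adds, deletes, conflicts = [], [], []
    for owner, target in sorted(desired.items()):
        existing = current.get(owner)
        if existing == target:
            continue
        if existing is not None and not existing.endswith(ipa_domain):
            conflicts.append((owner, existing, target))
            continue
        if existing is not None:
            deletes.append(owner)
        adds.append((owner, target))
    for owner, target in sorted(current.items()):
        if owner not in desired and target.endswith(ipa_domain):
            deletes.append(owner)
    return adds, deletes, conflicts


def nsupdate_batch(adds, deletes, server, ttl=3600):
    """Render the changes as an nsupdate script: GSS-TSIG signed, one transaction per zone."""
    by_zone = {}
    for owner in deletes:
        by_zone.setdefault(reverse_zone(owner), []).append(f"update delete {owner} PTR")
    for owner, target in adds:
        by_zone.setdefault(reverse_zone(owner), []).append(
            f"update add {owner} {ttl} PTR {target}")
    lines = [f"server {server}", "gsstsig"]
    for zone in sorted(by_zone):
        lines.append(f"zone {zone}")
        lines.extend(by_zone[zone])
        lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    adds, deletes, conflicts = plan_changes(desired_ptrs(IPA_FORWARD_RECORDS), AD_CURRENT_PTRS)
    for owner, existing, wanted in conflicts:
        print(f"# conflict: {owner} -> {existing} (wanted {wanted}), left untouched")
    print(nsupdate_batch(adds, deletes, "dc1.ad.example.test"), end="")
```

In a real deployment the two input dictionaries would come from `ipa dnsrecord-find` and a zone transfer or query of the AD zone rather than from constants, and the printed batch would be piped into `nsupdate -g`; the conflict list is what you want to review by hand before the first run, because it is where IPA and AD disagree about who owns an address.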


