Jon, thank you so much. I will take some time to test these changes with your comments. I will report back to the list.
Really, this message was awesome. Thank you one more time.

V.

> On 12 Sep 2019, at 06:11, Jon Diprose <j...@well.ox.ac.uk> wrote:
>
> Hi Vinícius,
>
> I am looking at exactly this at the moment. My experience so far is that:
>
> - xCAT’s ‘makedns -e’ uses TSIG to update at least the first dns server in the master’s /etc/resolv.conf
> - xCAT’s TSIG key appears to be hmac-md5
>   + I’d like to know if I could go to hmac-sha512 instead but I think that may be hardcoded as the hashing function declaration isn’t in the omapi entry of the password table, just the secret
> - https://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG basically applies
> - add the xcat_key stanza to the /etc/named.conf files and ‘rndc reload’ on all FreeIPA replicas
> - for the relevant FreeIPA forward zones the update-policy ‘grant xcat_key zonesub A CNAME;’ is required in addition to whatever is already there
>   + if you are doing that at the command line, ‘ipa dnszone-show zone.name. --all’ shows the existing policy
>   + note that ‘ipa dnszone-mod zone.name. --update-policy …’ replaces and does not append
> - for the relevant FreeIPA reverse zones the update-policy ‘grant xcat_key zonesub PTR;’ is required in addition to whatever is already there
> - those may not be the most appropriate policy wordings but they work for me
> - ‘ipa dnszone-mod zone.name. --dynamic-update true’ is required for both forward and reverse zones
> - the ‘@’ records and Authoritative Server settings that FreeIPA creates by default may need adjusting if those defaults are not reachable by your xCAT master
> - you can test the talking-to-FreeIPA bit without any of the xCAT stuff using the ‘nsupdate’ command
> - I haven’t yet attempted to enrol my xCAT master as an IPA client so I’ve no idea if kinit’ing with appropriate privilege would make the TSIG key work unnecessary - I don’t know if xCAT can speak GSS-TSIG
>
> ‘makedns -e’ now almost works for me - it updates all the IPA dns records that I am expecting from my xCAT config and a few more I wasn’t expecting from having manually added stuff to my /etc/hosts, all without touching the existing local config. It is still returning an exit code of 1 so there’s still something to track down, but I think that is now down to inconsistencies and oddities in my xCAT config and /etc/hosts file, complicated by my particular setup not being authoritative for some domains I use.
>
> I also ship fully-populated /etc/hosts files to all our xCAT-managed nodes, so I’m hoping for a seamless changeover when redirecting the nodes to the FreeIPA DNS instances instead of the one on the xCAT master.
>
> I hope that helps and I’d appreciate hearing about anything you learn along the way!
>
> Jon
>
> --
> Dr. Jonathan Diprose <j...@well.ox.ac.uk>
> Tel: 01865 287837
> Research Computing Manager
> Henry Wellcome Building for Genomic Medicine, Roosevelt Drive, Headington, Oxford OX3 7BN
>
> From: Vinícius Ferrão via xCAT-user [mailto:xcat-user@lists.sourceforge.net]
> Sent: 11 September 2019 15:32
> To: xCAT Users Mailing list
> Cc: Vinícius Ferrão
> Subject: [xcat-user] Removing BIND from xCAT
>
> Hello,
>
> I’ve come across this documentation page:
> https://xcat-docs.readthedocs.io/en/stable/advanced/domain_name_resolution/domain_name_resolution.html#option-2-use-a-dns-that-is-outside-of-the-cluster
>
> And it says specifically that I can use an external DNS server.
>
> So the point is, with this option xCAT does not even use the shipped BIND?
>
> Can it coexist with another BIND daemon on the same machine?
>
> I’m interested in installing FreeIPA and enabling DNS integrated Zones, so FreeIPA handles the DNS service.
>
> Thanks,
>
> _______________________________________________
> xCAT-user mailing list
> xCAT-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xcat-user
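The gotcha Jon points out (that `ipa dnszone-mod --update-policy` replaces the whole policy rather than appending) is easy to get wrong by hand and silently drops the zone's existing grants. The helper below is an added example, not code from this thread, xCAT or FreeIPA: it takes the policy string as shown by `ipa dnszone-show ... --all`, appends the xcat_key grant only if it is missing, and renders the matching `key` stanza for /etc/named.conf. The sample policy and key name are constructed for illustration.

```python
import re

# Constructed sample: the kind of "BIND update policy" a default FreeIPA
# forward zone shows in `ipa dnszone-show zone.name. --all` (illustrative).
SAMPLE_FORWARD_POLICY = (
    "grant EXAMPLE.TEST krb5-self * A; "
    "grant EXAMPLE.TEST krb5-self * AAAA; "
    "grant EXAMPLE.TEST krb5-self * SSHFP;"
)

def parse_policy(policy: str) -> list:
    """Split a BIND update-policy string into whitespace-normalised statements."""
    return [re.sub(r"\s+", " ", s.strip()) for s in policy.split(";") if s.strip()]

def merge_policy(existing: str, key_name: str, reverse: bool = False) -> str:
    """Append the grant xCAT needs without dropping existing grants (idempotent).

    Forward zones get A and CNAME, reverse zones get PTR, as in the thread.
    """
    grant = f"grant {key_name} zonesub {'PTR' if reverse else 'A CNAME'}"
    stmts = parse_policy(existing)
    if grant not in stmts:
        stmts.append(grant)
    return "; ".join(stmts) + ";"

def dnszone_mod_args(zone: str, existing: str, key_name: str, reverse: bool = False) -> list:
    """argv for `ipa dnszone-mod` that installs the merged policy and enables dynamic updates."""
    return ["ipa", "dnszone-mod", zone,
            f"--update-policy={merge_policy(existing, key_name, reverse)}",
            "--dynamic-update=true"]

def named_key_stanza(key_name: str, algorithm: str, secret_b64: str) -> str:
    """Render the `key` stanza to add to /etc/named.conf on every replica."""
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", secret_b64):
        raise ValueError("TSIG secret must be base64")
    return (f'key "{key_name}" {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret_b64}";\n'
            "};\n")

if __name__ == "__main__":
    # Hypothetical zone name; run the printed command against your own zones.
    print(" ".join(dnszone_mod_args("example.test.", SAMPLE_FORWARD_POLICY, "xcat_key")))
    print(named_key_stanza("xcat_key", "hmac-md5", "c2VjcmV0LXBsYWNlaG9sZGVy"))
```

Paste the real policy from `ipa dnszone-show` in place of the sample before applying the generated command, and feed it the reverse-zone policy with `reverse=True` for PTR grants.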