On 18.7.2016 19:44, Jim Glenz wrote:
> IPA DNS configuration using Response Policy Zone (RPZ).
>
> IPA utilizes DNS extensively to locate service records (SRV) and text
> records (TXT) associated with the Kerberos realm.
> IPA also heavily requires DNS A records and PTR records to function
> correctly.
> Normally all A, SRV, TXT, PTR records are part of the same DNS domain zone.
>
> The following shows how to decouple IPA "TXT and SRV" records only, and
> pass (forward) all other records to another internal DNS server when
> required to have all records (except SRV and TXT) in the other DNS
> system.
>
> Note: Below is very customized for a specific environment, your environment
> may be different. Just wanted to pass on this DNS trick.
> The methodology used was to implement a BIND instance on at least two servers
> and then configure a Response Policy Zone (RPZ).
> The RPZ is configured to respond to specific DNS records and forward other
> DNS records onward to next hop DNS.
>
> All A and PTR records should exist in the next hop DNS authoritative server.
> As mentioned, the following solution is very specific to a unique
> environment.
>
> IPA members and client servers must have their primary/secondary DNS
> resolvers set to the DNS RPZ BIND servers.
>
>
> Steps
> 1. Create your Master and Slave Bind DNS where RPZ will be used (can be your
> IPA server or any other server having Bind DNS installed).
> 2. Create Response Policy Zone (RPZ) files.
> 3. Test configuration.
>
> Search below for "
> nslookup
> nslookup
>
> nslookup .
> nslookup .
>
> nslookup
> nslookup .
> nslookup -type=TXT _kerberos. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos-master._tcp. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos-master._udp. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos._tcp. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos._udp. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kpasswd._tcp. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kpasswd._udp. Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _ldap._tcp. Bind-DNS-RPZ2-IP-address>
>
> nslookup
> nslookup .
> nslookup -type=TXT _kerberos. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos-master._tcp. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos-master._udp. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos._tcp. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos._udp. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kpasswd._tcp. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kpasswd._udp. Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _ldap._tcp. Bind-DNS-RPZ1-IP-address>
>
> nslookup google.com
> nslookup google.com
>
> nslookup -type=ptr Bind-DNS-RPZ2-IP-address>
> nslookup -type=ptr Bind-DNS-RPZ1-IP-address>
> nslookup -type=ptr Bind-DNS-RPZ2-IP-address>
> nslookup -type=ptr Bind-DNS-RPZ1-IP-address>
>
>
> Will be referencing the reverse.arpa zone for the 10.x.x.x internal network. Adjust as
> necessary for your environment.
>
> Appendix A: Primary IPA DNS /etc/named.conf file
> # cat named.conf
> options {
>     // Put files that named is allowed to write in the data/ directory:
>     directory "/var/named"; // the default
>     dump-file "data/cache_dump.db";
>     statistics-file "data/named_stats.txt";
>     memstatistics-file "data/named_mem_stats.txt";
>     #forward first;
>     forwarders {
>         ;
>         ;
>     };
>     response-policy {zone ""; };
>
>     // Any host is permitted to issue recursive queries
>     allow-recursion { any; };
>
>     tkey-gssapi-credential "DNS/";
>     tkey-domain "";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> zone "" IN {
>     type master;
>     file "";
>     also-notify {;};
> };
>
> zone "10.in-addr.arpa" IN {
>     type forward;
>     forwarders {
>         ;
>         ;
>     };
> };
>
> include "/etc/named.rfc1912.zones";
>
> # dynamic not used, remark out.
> #dynamic-db "ipa" {
> #    library "ldap.so";
> #};
>
> Appendix B: Primary IPA DNS /var/named/ file
> $ORIGIN .
> $TTL 86400 ; 1 day
> .rpz IN SOA localhost. root.localhost. (
>     201505162150 ; serial
>     3600         ; refresh (1 hour)
>     1800         ; retry (30 minutes)
>     604800       ; expire (1 week)
>