Re: [Freeipa-devel] Using RPZ to overcome multi Kerberos domains and multiple DNS authorities.

2016-07-19 Thread Petr Spacek
On 18.7.2016 19:44, Jim Glenz wrote:
> IPA DNS configuration using Response Policy Zone (RPZ).
> 
> IPA utilizes DNS extensively to locate service records (SRV) and text
> records (TXT) associated with the Kerberos realm.
> IPA also heavily requires DNS A records and PTR records to function
> correctly.
> Normally all A,SRV,TXT,PTR records are part of the same DNS domain zone.
> 
> The following shows how to decouple IPA "TXT and SRV" records only, and
> pass (forward) all other records to another internal DNS server when
> required to have all records (except SRV and TXT) in the other DNS
> system.
> 
> Note: Below is very customized for a specific environment; your environment
> may be different. Just wanted to pass on this DNS trick.
> The methodology used was to implement a BIND instance on at least two servers
> and then configure a Response Policy Zone (RPZ).
> The RPZ is configured to respond to specific DNS records and forward other
> DNS records onward to next hop DNS.
> 
> All A and PTR records should exist in the next hop DNS authoritative server.
> As mentioned, the following solution is very specific to a unique
> environment.
> 
> IPA members and client servers must have their primary/secondary DNS
> resolvers set to the DNS RPZ BIND servers.
> 
> 
> Steps
>  Create your Master and Slave Bind DNS where RPZ will be used (can be your
> IPA server or any other server having Bind DNS installed)
>  Create Response Policy Zone (RPZ) files.
>  Test configuration.
> 
> Search below for " 
> nslookup  
> nslookup  
> 
> nslookup . 
> nslookup . 
> 
> nslookup  
> nslookup . 
> nslookup -type=TXT _kerberos.   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos-master._tcp.   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos-master._udp.   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos._tcp.  <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kerberos._udp.  <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kpasswd._tcp.   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _kpasswd._udp.   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=SRV _ldap._tcp.  <Bind-DNS-RPZ2-IP-address>
> 
> nslookup  
> nslookup . 
> nslookup -type=TXT _kerberos.   <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos-master._tcp.   <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos-master._udp.   <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos._tcp.  <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kerberos._udp.  <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kpasswd._tcp.   <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _kpasswd._udp.   <Bind-DNS-RPZ1-IP-address>
> nslookup -type=SRV _ldap._tcp.  <Bind-DNS-RPZ1-IP-address>
> 
> nslookup google.com 
> nslookup google.com 
> 
> nslookup -type=ptr   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=ptr   <Bind-DNS-RPZ1-IP-address>
> nslookup -type=ptr   <Bind-DNS-RPZ2-IP-address>
> nslookup -type=ptr   <Bind-DNS-RPZ1-IP-address>
> 
> 
> Will be referencing reverse.arpa zone 10.x.x.x internal network. Adjust as
> necessary for your environment.
> 
> Appendix A: Primary IPA DNS /etc/named.conf file
> # cat named.conf
> options {
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // the default
> dump-file   "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file  "data/named_mem_stats.txt";
> #forward first;
> forwarders {
> ;
> ;
> };
> response-policy {zone ""; };
> 
> // Any host is permitted to issue recursive queries
> allow-recursion { any; };
> 
>   tkey-gssapi-credential "DNS/";
>   tkey-domain "";
> };
> 
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named
> directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
> 
> zone "" IN {
> type master;
> file "";
> also-notify {;};
> };
> 
> zone "10.in-addr.arpa" IN {
>  type forward;
> forwarders {
> ;
> ;
> };
> };
> 
> include "/etc/named.rfc1912.zones";
> 
> # dynamic not used, remark out.
> #dynamic-db "ipa" {
> #library "ldap.so";
> #};
> 
> Appendix B: Primary IPA DNS /var/named/ file
> $ORIGIN .
> $TTL 86400  ; 1 day
> .rpz IN SOA  localhost. root.localhost. (
> 201505162150 ; serial
> 3600   ; refresh (1 hour)
> 1800   ; retry (30 minutes)
> 604800 ; expire (1 week)
>   

[Freeipa-devel] Using RPZ to overcome multi Kerberos domains and multiple DNS authorities.

2016-07-18 Thread Jim Glenz
IPA DNS configuration using Response Policy Zone (RPZ).

IPA utilizes DNS extensively to locate service records (SRV) and text
records (TXT) associated with the Kerberos realm.
IPA also heavily requires DNS A records and PTR records to function
correctly.
Normally all A,SRV,TXT,PTR records are part of the same DNS domain zone.

The following shows how to decouple IPA "TXT and SRV" records only, and
pass (forward) all other records to another internal DNS server when
required to have all records (except SRV and TXT) in the other DNS
system.

Note: Below is very customized for a specific environment; your environment
may be different. Just wanted to pass on this DNS trick.
The methodology used was to implement a BIND instance on at least two servers
and then configure a Response Policy Zone (RPZ).
The RPZ is configured to respond to specific DNS records and forward other
DNS records onward to next hop DNS.

All A and PTR records should exist in the next hop DNS authoritative server.
As mentioned, the following solution is very specific to a unique
environment.

IPA members and client servers must have their primary/secondary DNS
resolvers set to the DNS RPZ BIND servers.


Steps
 Create your Master and Slave Bind DNS where RPZ will be used (can be your
IPA server or any other server having Bind DNS installed)
 Create Response Policy Zone (RPZ) files.
 Test configuration.

Search below for " 
nslookup  

nslookup . 
nslookup . 

nslookup  
nslookup . 
nslookup -type=TXT _kerberos.  
nslookup -type=SRV _kerberos-master._tcp.  
nslookup -type=SRV _kerberos-master._udp.  
nslookup -type=SRV _kerberos._tcp. 
nslookup -type=SRV _kerberos._udp. 
nslookup -type=SRV _kpasswd._tcp.  
nslookup -type=SRV _kpasswd._udp.  
nslookup -type=SRV _ldap._tcp. 

nslookup  
nslookup . 
nslookup -type=TXT _kerberos.  
nslookup -type=SRV _kerberos-master._tcp.  
nslookup -type=SRV _kerberos-master._udp.  
nslookup -type=SRV _kerberos._tcp. 
nslookup -type=SRV _kerberos._udp. 
nslookup -type=SRV _kpasswd._tcp.  
nslookup -type=SRV _kpasswd._udp.  
nslookup -type=SRV _ldap._tcp. 

nslookup google.com 
nslookup google.com 

nslookup -type=ptr  
nslookup -type=ptr  
nslookup -type=ptr  
nslookup -type=ptr  


Will be referencing reverse.arpa zone 10.x.x.x internal network. Adjust as
necessary for your environment.

Appendix A: Primary IPA DNS /etc/named.conf file
# cat named.conf
options {
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file   "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file  "data/named_mem_stats.txt";
#forward first;
forwarders {
;
;
};
response-policy {zone ""; };

// Any host is permitted to issue recursive queries
allow-recursion { any; };

  tkey-gssapi-credential "DNS/";
  tkey-domain "";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named
directory,
 * so put the default debug log file in data/ :
 */
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "" IN {
type master;
file "";
also-notify {;};
};

zone "10.in-addr.arpa" IN {
 type forward;
forwarders {
;
;
};
};

include "/etc/named.rfc1912.zones";

# dynamic not used, remark out.
#dynamic-db "ipa" {
#library "ldap.so";
#};

Appendix B: Primary IPA DNS /var/named/ file
$ORIGIN .
$TTL 86400  ; 1 day
.rpz IN SOA  localhost. root.localhost. (
201505162150 ; serial
3600   ; refresh (1 hour)
1800   ; retry (30 minutes)
604800 ; expire (1 week)
86400  ; minimum (1 day)
)
NS  localhost.
$ORIGIN .rpz.
_kerberos   TXT ""
_ntp_udpSRV 0 100 123 ".
$ORIGIN _tcp..rpz.
_kerberos   SRV 0 100 88 ".
SRV 0 100 88 ".
_kerberos-masterSRV 0 100 88 ".
SRV 0 100 88 ".
_kpasswdSRV 0 100 464 ".
SRV 0 100 464 ".
_ldap   SRV 0 100 389 ".
SRV 0 100 389 ".
$ORIGIN _udp..rpz.
_kerberos   SRV 0 100 88 ".
SRV 0 100 88 ".
_kerberos-masterSRV 0 100 88 ".
SRV 0 100 88 ".
_kpasswdSRV 0 100 464 ".
SRV
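Added example, not part of Jim's post or of the FreeIPA project: a small Python script that builds the RPZ zone file from Appendix B (only the Kerberos/LDAP/kpasswd/NTP SRV records and the realm TXT record, with A and PTR lookups left to the forwarders) and then audits which query names the policy will answer locally. The RPZ mechanism behind Appendix B is that an owner name of the form <qname>.<rpz-zone> carrying ordinary records is a "local data" action: the resolver answers <qname> from the policy zone instead of forwarding, for every client that points at these BIND servers. The audit function exists because a stray owner in that file silently overrides an unrelated name for the whole estate. The zone name (ipa.rpz), domain, realm and server names are constructed placeholders, since the post's own values were lost in the archive.

```python
"""Generate and audit an RPZ local-data zone for IPA SRV/TXT names.

Added example; the zone name, domain, realm and host names below are
constructed placeholders, not values from the mailing-list post.
"""

# (service label, protocol label, port): the IPA names Appendix B overrides
SRV_SERVICES = (
    ("_kerberos", "_tcp", 88),
    ("_kerberos", "_udp", 88),
    ("_kerberos-master", "_tcp", 88),
    ("_kerberos-master", "_udp", 88),
    ("_kpasswd", "_tcp", 464),
    ("_kpasswd", "_udp", 464),
    ("_ldap", "_tcp", 389),
    ("_ntp", "_udp", 123),
)


def rpz_zone(rpz_name, ipa_domain, realm, servers, serial, ttl=86400):
    """Return zone-file text for the response-policy zone `rpz_name`.

    Every owner written as <qname>.<rpz_name> becomes an RPZ local-data
    trigger: the resolver answers <qname> with these records instead of
    forwarding.  Only the names emitted here are affected; A, PTR and all
    other names still go to the next-hop forwarders.
    """
    apex = rpz_name.rstrip(".") + "."
    lines = [
        f"$TTL {ttl}",
        f"{apex} IN SOA localhost. root.localhost. "
        f"({serial} 3600 1800 604800 {ttl})",
        f"{apex} IN NS localhost.",
        # Kerberos realm TXT record lives at _kerberos.<domain>
        f'_kerberos.{ipa_domain}.{apex} IN TXT "{realm}"',
    ]
    for service, proto, port in SRV_SERVICES:
        owner = f"{service}.{proto}.{ipa_domain}.{apex}"
        for server in servers:  # one SRV per IPA server, equal priority/weight
            lines.append(f"{owner} IN SRV 0 100 {port} {server.rstrip('.')}.")
    return "\n".join(lines) + "\n"


def overridden_qnames(zone_text, rpz_name):
    """Return {qname: {rrtypes}} for every local-data owner in `zone_text`.

    This is the check to run before loading the zone: each key is a query
    name the resolvers will answer from policy rather than from the real
    authority, for every client using them.
    """
    apex = rpz_name.rstrip(".") + "."
    suffix = "." + apex
    result = {}
    for line in zone_text.splitlines():
        fields = line.split()
        # skip blanks, $TTL/$ORIGIN directives and the apex SOA/NS records
        if not fields or fields[0].startswith("$") or fields[0] == apex:
            continue
        owner, rrtype = fields[0], fields[2]
        if not owner.endswith(suffix):
            continue  # not a trigger for this policy zone
        qname = owner[: -len(suffix)]
        result.setdefault(qname, set()).add(rrtype)
    return result


def unexpected_overrides(zone_text, rpz_name, ipa_domain):
    """Names the zone would hijack that are not under the IPA domain."""
    dom = "." + ipa_domain.rstrip(".")
    return sorted(q for q in overridden_qnames(zone_text, rpz_name)
                  if not q.endswith(dom))


if __name__ == "__main__":
    text = rpz_zone("ipa.rpz", "ipa.example.test", "IPA.EXAMPLE.TEST",
                    ["ipa1.ipa.example.test", "ipa2.ipa.example.test"],
                    serial=2016071801)
    print(text)
    for qname, types in sorted(overridden_qnames(text, "ipa.rpz").items()):
        print(f"override {qname}: {','.join(sorted(types))}")
    print("stray entries:", unexpected_overrides(text, "ipa.rpz",
                                                 "ipa.example.test"))
```

The generated file is written with fully qualified owner names rather than the $ORIGIN shorthand of Appendix B, which makes the relationship between each owner and the query name it overrides visible at a glance; run the audit again after every manual edit, since the forwarding of A and PTR records described in the post only holds for names that are absent from this file.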