Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-13 Thread Petr Spacek
On 8.7.2015 20:46, Karl Forner wrote:
> I forgot my main use case: I have name-based reverse proxies (SNI) for some
> web apps/services , that are accessible both from the internal and external
> network.
> They must be accessed with the exact same name/url, otherwise the dispatch
> can not work.
> Until now I manage this by manually editing all /etc/hosts on all internal
> computers, but I had hoped to benefit from the freeIPA DNS a more elegant
> solution.

Standard DNS cannot provide you with this, you need to hack it yourself. Sorry!

Petr Spacek  @  Red Hat

> On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek  wrote:
> 
>> On 8.7.2015 16:32, Karl Forner wrote:
>>> Thanks Petr.
>>>
>>> My use case is: we have scripts that connect to some services, let's say
>> a
>>> docker registry.
>>> I want these scripts to be work either internally or externally, without
>>> changing the URLs.
>>> What would the best or easiest setting to achieve this ?
>>
>> Personally I use config file for this. I.e. the script is the same and
>> URLs,
>> names, passwords, etc. are read from config file stored alongside the
>> script.
>>
>> This allows me to test it easily without any changes in DNS or system-wide
>> configuration like /etc/hosts.
>>
>> Yes, it requires more code, but in long-term it is way more debug-able than
>> DNS tricks.
>>
>> Petr^2 Spacek
>>
>>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek  wrote:
>>>
>>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora 
>>>> wrote:
>>>>>
>>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>>>
>>>>>>> When using my freeIPA DNS name server for my domain example.test, I
>>>> need
>>>>>> to
>>>>>>> exclude some names from the server( to be forwarded to the DNS
>>>> forwarder
>>>>>>> for instance.
>>>>>>>
>>>>>>> For example, I'd like foo.example.test not to be resolved, but
>>>> forwarded.
>>>>>>> How could I implement this ?
>>>>>>
>>>>>> That would mean you have two different nameservers authoritative for
>>>>>> the same DNS domain. That is generally not recommended setup.
>>>>>>
>>>>>
>>>>> Yes, that's what I read, but I do not know how to easily do
>> differently.
>>>>> But in the end, what I'd like for my users, is to have foo.example.test
>>>>> resolved from the outside to my external server IP, and from the inside
>>>> to
>>>>> the internal server IP.
>>>>
>>>> Such setup is generally not recommended because it is usually pain when
>> it
>>>> comes to long-term operation and maintenance.
>>>>
>>>> http://www.freeipa.org/page/DNS#Caveats
>>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>>
>>>>
>>>> Two main use-cases are:
>>>>
>>>> a) Two or more different servers are using the same name and which
>> server
>>>> is
>>>> used depends on client's network.
>>>>
>>>> This is usually very cumbersome because DNS caching will play against
>> you,
>>>> especially when we introduce system-wide cache into Fedora 23.
>>>>
>>>> It is also hard to manage and debug because you have to ask the same
>>>> question
>>>> from different networks etc. And it will be harder when you deploy
>> DNSSEC
>>>> to
>>>> increase security...
>>>>
>>>> The typical recommendation is to use a sub-domain for internal names,
>> e.g.
>>>> i.example.com for internal names and example.com for
>>>> externally-resolvable names.
>>>>
>>>>
>>>> b) Seconds use-case: Attempt to optimize IP routing by using DNS tricks.
>>>>
>>>> Yes, it is as bad idea as it sounds.
>>>>
>>>>
>>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>>>> hostname, in domain with different authoritative DNS server?
>>>>>>
>>>>>
>>>>> Hmm yes that should work, thanks !
>>>>
>>>> Please keep in mind that it only hides the problem under yet another
>> layer
>>>> of
>>>> indirection.
>>>>
>>>>
>>>> Yes, it is always possible! We know it because it is written in
>>>> The Twelve Networking Truths:
>> https://tools.ietf.org/html/rfc1925#page-2
>>>> point
>>>> (6) but you should take into account point (3) into account, too :-)
>>>>
>>>>
>>>> --
>>>> Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
I forgot my main use case: I have name-based reverse proxies (SNI) for some
web apps/services , that are accessible both from the internal and external
network.
They must be accessed with the exact same name/url, otherwise the dispatch
can not work.
Until now I manage this by manually editing all /etc/hosts on all internal
computers, but I had hoped to benefit from the freeIPA DNS a more elegant
solution.


On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek  wrote:

> On 8.7.2015 16:32, Karl Forner wrote:
> > Thanks Petr.
> >
> > My use case is: we have scripts that connect to some services, let's say
> a
> > docker registry.
> > I want these scripts to be work either internally or externally, without
> > changing the URLs.
> > What would the best or easiest setting to achieve this ?
>
> Personally I use config file for this. I.e. the script is the same and
> URLs,
> names, passwords, etc. are read from config file stored alongside the
> script.
>
> This allows me to test it easily without any changes in DNS or system-wide
> configuration like /etc/hosts.
>
> Yes, it requires more code, but in long-term it is way more debug-able than
> DNS tricks.
>
> Petr^2 Spacek
>
> > On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek  wrote:
> >
> >> On 8.7.2015 15:07, Karl Forner wrote:
> >>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora 
> >> wrote:
> >>>
> >>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>>>
> >>>>> When using my freeIPA DNS name server for my domain example.test, I
> >> need
> >>>> to
> >>>>> exclude some names from the server( to be forwarded to the DNS
> >> forwarder
> >>>>> for instance.
> >>>>>
> >>>>> For example, I'd like foo.example.test not to be resolved, but
> >> forwarded.
> >>>>> How could I implement this ?
> >>>>
> >>>> That would mean you have two different nameservers authoritative for
> >>>> the same DNS domain. That is generally not recommended setup.
> >>>>
> >>>
> >>> Yes, that's what I read, but I do not know how to easily do
> differently.
> >>> But in the end, what I'd like for my users, is to have foo.example.test
> >>> resolved from the outside to my external server IP, and from the inside
> >> to
> >>> the internal server IP.
> >>
> >> Such setup is generally not recommended because it is usually pain when
> it
> >> comes to long-term operation and maintenance.
> >>
> >> http://www.freeipa.org/page/DNS#Caveats
> >> http://www.freeipa.org/page/Deployment_Recommendations#DNS
> >>
> >>
> >> Two main use-cases are:
> >>
> >> a) Two or more different servers are using the same name and which
> server
> >> is
> >> used depends on client's network.
> >>
> >> This is usually very cumbersome because DNS caching will play against
> you,
> >> especially when we introduce system-wide cache into Fedora 23.
> >>
> >> It is also hard to manage and debug because you have to ask the same
> >> question
> >> from different networks etc. And it will be harder when you deploy
> DNSSEC
> >> to
> >> increase security...
> >>
> >> The typical recommendation is to use a sub-domain for internal names,
> e.g.
> >> i.example.com for internal names and example.com for
> >> externally-resolvable names.
> >>
> >>
> >> b) Seconds use-case: Attempt to optimize IP routing by using DNS tricks.
> >>
> >> Yes, it is as bad idea as it sounds.
> >>
> >>
> >>>> Can't you make foo.example.test a CNAME to foo.example.org or another
> >>>> hostname, in domain with different authoritative DNS server?
> >>>>
> >>>
> >>> Hmm yes that should work, thanks !
> >>
> >> Please keep in mind that it only hides the problem under yet another
> layer
> >> of
> >> indirection.
> >>
> >> 
> >> Yes, it is always possible! We know it because it is written in
> >> The Twelve Networking Truths:
> https://tools.ietf.org/html/rfc1925#page-2
> >> point
> >> (6) but you should take into account point (3) into account, too :-)
> >> 
> >>
> >> --
> >> Petr^2 Spacek
>

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Petr Spacek
On 8.7.2015 16:32, Karl Forner wrote:
> Thanks Petr.
> 
> My use case is: we have scripts that connect to some services, let's say a
> docker registry.
> I want these scripts to be work either internally or externally, without
> changing the URLs.
> What would the best or easiest setting to achieve this ?

Personally I use config file for this. I.e. the script is the same and URLs,
names, passwords, etc. are read from config file stored alongside the script.

This allows me to test it easily without any changes in DNS or system-wide
configuration like /etc/hosts.

Yes, it requires more code, but in long-term it is way more debug-able than
DNS tricks.

Petr^2 Spacek

> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek  wrote:
> 
>> On 8.7.2015 15:07, Karl Forner wrote:
>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora 
>> wrote:
>>>
>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>
>>>>> When using my freeIPA DNS name server for my domain example.test, I
>> need
>>>> to
>>>>> exclude some names from the server( to be forwarded to the DNS
>> forwarder
>>>>> for instance.
>>>>>
>>>>> For example, I'd like foo.example.test not to be resolved, but
>> forwarded.
>>>>> How could I implement this ?
>>>>
>>>> That would mean you have two different nameservers authoritative for
>>>> the same DNS domain. That is generally not recommended setup.
>>>>
>>>
>>> Yes, that's what I read, but I do not know how to easily do differently.
>>> But in the end, what I'd like for my users, is to have foo.example.test
>>> resolved from the outside to my external server IP, and from the inside
>> to
>>> the internal server IP.
>>
>> Such setup is generally not recommended because it is usually pain when it
>> comes to long-term operation and maintenance.
>>
>> http://www.freeipa.org/page/DNS#Caveats
>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>
>>
>> Two main use-cases are:
>>
>> a) Two or more different servers are using the same name and which server
>> is
>> used depends on client's network.
>>
>> This is usually very cumbersome because DNS caching will play against you,
>> especially when we introduce system-wide cache into Fedora 23.
>>
>> It is also hard to manage and debug because you have to ask the same
>> question
>> from different networks etc. And it will be harder when you deploy DNSSEC
>> to
>> increase security...
>>
>> The typical recommendation is to use a sub-domain for internal names, e.g.
>> i.example.com for internal names and example.com for
>> externally-resolvable names.
>>
>>
>> b) Seconds use-case: Attempt to optimize IP routing by using DNS tricks.
>>
>> Yes, it is as bad idea as it sounds.
>>
>>
>>>> Can't you make foo.example.test a CNAME to foo.example.org or another
>>>> hostname, in domain with different authoritative DNS server?
>>>>
>>>
>>> Hmm yes that should work, thanks !
>>
>> Please keep in mind that it only hides the problem under yet another layer
>> of
>> indirection.
>>
>> 
>> Yes, it is always possible! We know it because it is written in
>> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
>> point
>> (6) but you should take into account point (3) into account, too :-)
>> 
>>
>> --
>> Petr^2 Spacek



Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Thanks Petr.

My use case is: we have scripts that connect to some services, let's say a
docker registry.
I want these scripts to work either internally or externally, without
changing the URLs.
What would be the best or easiest setting to achieve this?

On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek  wrote:

> On 8.7.2015 15:07, Karl Forner wrote:
> > On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora 
> wrote:
> >
> >> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>
> >>> When using my freeIPA DNS name server for my domain example.test, I
> need
> >> to
> >>> exclude some names from the server( to be forwarded to the DNS
> forwarder
> >>> for instance.
> >>>
> >>> For example, I'd like foo.example.test not to be resolved, but
> forwarded.
> >>> How could I implement this ?
> >>
> >> That would mean you have two different nameservers authoritative for
> >> the same DNS domain. That is generally not recommended setup.
> >>
> >
> > Yes, that's what I read, but I do not know how to easily do differently.
> > But in the end, what I'd like for my users, is to have foo.example.test
> > resolved from the outside to my external server IP, and from the inside
> to
> > the internal server IP.
>
> Such setup is generally not recommended because it is usually pain when it
> comes to long-term operation and maintenance.
>
> http://www.freeipa.org/page/DNS#Caveats
> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>
>
> Two main use-cases are:
>
> a) Two or more different servers are using the same name and which server
> is
> used depends on client's network.
>
> This is usually very cumbersome because DNS caching will play against you,
> especially when we introduce system-wide cache into Fedora 23.
>
> It is also hard to manage and debug because you have to ask the same
> question
> from different networks etc. And it will be harder when you deploy DNSSEC
> to
> increase security...
>
> The typical recommendation is to use a sub-domain for internal names, e.g.
> i.example.com for internal names and example.com for
> externally-resolvable names.
>
>
> b) Seconds use-case: Attempt to optimize IP routing by using DNS tricks.
>
> Yes, it is as bad idea as it sounds.
>
>
> >> Can't you make foo.example.test a CNAME to foo.example.org or another
> >> hostname, in domain with different authoritative DNS server?
> >>
> >
> > Hmm yes that should work, thanks !
>
> Please keep in mind that it only hides the problem under yet another layer
> of
> indirection.
>
> 
> Yes, it is always possible! We know it because it is written in
> The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2
> point
> (6) but you should take into account point (3) into account, too :-)
> 
>
> --
> Petr^2 Spacek
>

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
> Okay, but DNS doesn't work in that way. Zone example.test. is
> authoritative, so it must contain the record or delegation or NXDOMAIN is
> returned. You cannot have multiple authoritative copies of one zone with
> different data.

>
> The best solution would be to have only internal.example.test. zone
> managed by IPA, and add delegation to this zone into example.test.
>

Ok I understand. But in this setting, how would I implement the lookup so
that internally, ipa.example.test would resolve to
ipa.internal.example.test (internal IP), and externally to the external IP ?

thanks



>
> Martin
>
>
>
>
>
>
> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti  wrote:
>
>>   On 08/07/15 14:26, Karl Forner wrote:
>>
>>Hello,
>>
>>  When using my freeIPA DNS name server for my domain example.test, I need
>> to exclude some names from the server( to be forwarded to the DNS forwarder
>> for instance.
>>
>>  For example, I'd like foo.example.test not to be resolved, but forwarded.
>>  How could I implement this ?
>>
>>  Thanks.
>>  Karl Forner
>>
>>
>>   Hello,
>>
>> If you plan to forward whole subzone, you can use forward zones in IPA.
>>
>> example.test -- master zone
>> foo.example.test -- forward zones
>>
>> which IPA version o IPA do you have?
>> If IPA > 4.0, than you can use ipa dnsforwardzone-add command.
>> Otherwise dnszone-add with --forwarder option
>>
>> Do not forget to add proper NS delegation for all sub zones from parent
>> zone.
>> For example: ipa dnsrecord-add example.test. test
>> --ns-rec=ipa.example.test.
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Petr Spacek
On 8.7.2015 15:07, Karl Forner wrote:
> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora  wrote:
> 
>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>
>>> When using my freeIPA DNS name server for my domain example.test, I need
>> to
>>> exclude some names from the server( to be forwarded to the DNS forwarder
>>> for instance.
>>>
>>> For example, I'd like foo.example.test not to be resolved, but forwarded.
>>> How could I implement this ?
>>
>> That would mean you have two different nameservers authoritative for
>> the same DNS domain. That is generally not recommended setup.
>>
> 
> Yes, that's what I read, but I do not know how to easily do differently.
> But in the end, what I'd like for my users, is to have foo.example.test
> resolved from the outside to my external server IP, and from the inside to
> the internal server IP.

Such a setup is generally not recommended because it is usually a pain when it
comes to long-term operation and maintenance.

http://www.freeipa.org/page/DNS#Caveats
http://www.freeipa.org/page/Deployment_Recommendations#DNS


Two main use-cases are:

a) Two or more different servers are using the same name and which server is
used depends on client's network.

This is usually very cumbersome because DNS caching will play against you,
especially when we introduce system-wide cache into Fedora 23.

It is also hard to manage and debug because you have to ask the same question
from different networks etc. And it will be harder when you deploy DNSSEC to
increase security...

The typical recommendation is to use a sub-domain for internal names, e.g.
i.example.com for internal names and example.com for externally-resolvable 
names.


b) Second use-case: Attempt to optimize IP routing by using DNS tricks.

Yes, it is as bad an idea as it sounds.


>> Can't you make foo.example.test a CNAME to foo.example.org or another
>> hostname, in domain with different authoritative DNS server?
>>
> 
> Hmm yes that should work, thanks !

Please keep in mind that it only hides the problem under yet another layer of
indirection.


Yes, it is always possible! We know it because it is written in
The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point
(6) but you should take point (3) into account, too :-)


-- 
Petr^2 Spacek



Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Martin Basti

On 08/07/15 16:14, Karl Forner wrote:
> Thanks Martin, but I do not want to forward the whole subzone.
>
> I have the example.test zone from my web hosting site, that manages
> also the domain example.test
>
> I use the example.test domain in freeIPA.
> So the problem is that in the internal network, I can no longer
> resolve www.example.test.
>
> Of course I can define all such names manually in the freeIPA dns, but
> ideally (or naively) I'd like a way to
> configure the freeIPA dns like: if you do not know foo.example.test,
> instead of returning NXDOMAIN, please forward the request to this
> other nameserver.

Okay, but DNS doesn't work in that way. Zone example.test. is
authoritative, so it must contain the record or delegation or NXDOMAIN
is returned. You cannot have multiple authoritative copies of one zone
with different data.

The best solution would be to have only internal.example.test. zone
managed by IPA, and add delegation to this zone into example.test.

Martin

> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti wrote:
>
>> On 08/07/15 14:26, Karl Forner wrote:
>>
>>> Hello,
>>>
>>> When using my freeIPA DNS name server for my domain example.test,
>>> I need to exclude some names from the server( to be forwarded to
>>> the DNS forwarder for instance.
>>>
>>> For example, I'd like foo.example.test not to be resolved, but
>>> forwarded.
>>> How could I implement this ?
>>>
>>> Thanks.
>>> Karl Forner
>>
>> Hello,
>>
>> If you plan to forward whole subzone, you can use forward zones in
>> IPA.
>>
>> example.test -- master zone
>> foo.example.test -- forward zones
>>
>> which IPA version o IPA do you have?
>> If IPA > 4.0, than you can use ipa dnsforwardzone-add command.
>> Otherwise dnszone-add with --forwarder option
>>
>> Do not forget to add proper NS delegation for all sub zones from
>> parent zone.
>> For example: ipa dnsrecord-add example.test. test
>> --ns-rec=ipa.example.test.
>>
>> --
>> Martin Basti

--
Martin Basti
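
The rule stated in the message above (an authoritative zone answers with a record, a delegation or NXDOMAIN, and never falls through to a forwarder), as a simplified model. This is an added example, not part of the original thread and not FreeIPA or BIND code; the zone contents, IP addresses and the name ns1.hosting.invalid are constructed, and caching, CNAMEs and DNSSEC are ignored.

```python
# Simplified model of how one DNS server decides what to do with a query.
# Caching, CNAME chasing, NODATA answers and DNSSEC are left out on purpose.

# Constructed data: what the web host's name server (the forwarder) knows.
EXTERNAL_VIEW = {
    "www.example.test": "203.0.113.10",
    "foo.example.test": "203.0.113.20",
}


def forwarder(qname):
    """Stand-in for the configured DNS forwarder."""
    return EXTERNAL_VIEW.get(qname)


def suffixes(qname):
    """Yield qname and then each parent domain, longest first."""
    labels = qname.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolve(qname, zones, forward=forwarder):
    """Return (outcome, data) for qname on a server authoritative for `zones`."""
    qname = qname.rstrip(".").lower()
    zone = next((s for s in suffixes(qname) if s in zones), None)
    if zone is None:
        # No local zone covers the name: only now is the forwarder consulted.
        return ("FORWARDED", forward(qname))
    data = zones[zone]
    # A delegation (NS records at a zone cut) hands off that name and
    # everything below it to another server.
    for cut in suffixes(qname):
        if cut == zone:
            break
        if cut in data["delegations"]:
            return ("REFERRAL", data["delegations"][cut])
    if qname in data["records"]:
        return ("AUTHORITATIVE", data["records"][qname])
    # Authoritative and nothing matched: the answer is final, no fall-through.
    return ("NXDOMAIN", None)


# Layout from the question: IPA is authoritative for all of example.test.
# One delegation is included to show the "or delegation" branch.
IPA_OWNS_PARENT = {
    "example.test": {
        "records": {"ipa.example.test": "10.0.0.5"},
        "delegations": {"foo.example.test": "ns1.hosting.invalid"},
    }
}

# Layout recommended in the reply: IPA manages only internal.example.test.
IPA_OWNS_SUBZONE = {
    "internal.example.test": {
        "records": {"ipa.internal.example.test": "10.0.0.5"},
        "delegations": {},
    }
}

if __name__ == "__main__":
    for name in ("www.example.test", "foo.example.test",
                 "ipa.example.test", "ipa.internal.example.test"):
        print(name,
              "| IPA owns example.test:", resolve(name, IPA_OWNS_PARENT),
              "| IPA owns internal.example.test:", resolve(name, IPA_OWNS_SUBZONE))
```

With the first layout www.example.test is NXDOMAIN on the internal server even though the forwarder knows it; with the second layout the same query reaches the forwarder.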


Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Thanks Martin, but I do not want to forward the whole subzone.

I have the example.test zone from my web hosting site, that manages also
the domain example.test
I use the example.test domain in freeIPA.
So the problem is that in the internal network, I can no longer resolve
www.example.test.

Of course I can define all such names manually in the freeIPA dns, but
ideally (or naively) I'd like a way to
configure the freeIPA dns like: if you do not know foo.example.test,
instead of returning NXDOMAIN, please forward the request to this other
nameserver.





On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti  wrote:

>  On 08/07/15 14:26, Karl Forner wrote:
>
>Hello,
>
>  When using my freeIPA DNS name server for my domain example.test, I need
> to exclude some names from the server( to be forwarded to the DNS forwarder
> for instance.
>
>  For example, I'd like foo.example.test not to be resolved, but forwarded.
>  How could I implement this ?
>
>  Thanks.
>  Karl Forner
>
>
>  Hello,
>
> If you plan to forward whole subzone, you can use forward zones in IPA.
>
> example.test -- master zone
> foo.example.test -- forward zones
>
> which IPA version o IPA do you have?
> If IPA > 4.0, than you can use ipa dnsforwardzone-add command.
> Otherwise dnszone-add with --forwarder option
>
> Do not forget to add proper NS delegation for all sub zones from parent
> zone.
> For example: ipa dnsrecord-add example.test. test
> --ns-rec=ipa.example.test.
>
> --
> Martin Basti
>
>

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Martin Basti

On 08/07/15 14:26, Karl Forner wrote:

> Hello,
>
> When using my freeIPA DNS name server for my domain example.test, I
> need to exclude some names from the server( to be forwarded to the DNS
> forwarder for instance.
>
> For example, I'd like foo.example.test not to be resolved, but forwarded.
> How could I implement this ?
>
> Thanks.
> Karl Forner



Hello,

If you plan to forward the whole subzone, you can use forward zones in IPA.

example.test -- master zone
foo.example.test -- forward zones

Which version of IPA do you have?
If IPA > 4.0, then you can use the ipa dnsforwardzone-add command.
Otherwise, use dnszone-add with the --forwarder option.

Do not forget to add proper NS delegation for all sub zones from the parent
zone.

For example: ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.

--
Martin Basti


Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora  wrote:

> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >
> > When using my freeIPA DNS name server for my domain example.test, I need
> to
> > exclude some names from the server( to be forwarded to the DNS forwarder
> > for instance.
> >
> > For example, I'd like foo.example.test not to be resolved, but forwarded.
> > How could I implement this ?
>
> That would mean you have two different nameservers authoritative for
> the same DNS domain. That is generally not recommended setup.
>

Yes, that's what I read, but I do not know how to easily do differently.
But in the end, what I'd like for my users, is to have foo.example.test
resolved from the outside to my external server IP, and from the inside to
the internal server IP.


>
> Can't you make foo.example.test a CNAME to foo.example.org or another
> hostname, in domain with different authoritative DNS server?
>

Hmm yes that should work, thanks !



>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
>

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Jan Pazdziora
On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> 
> When using my freeIPA DNS name server for my domain example.test, I need to
> exclude some names from the server( to be forwarded to the DNS forwarder
> for instance.
> 
> For example, I'd like foo.example.test not to be resolved, but forwarded.
> How could I implement this ?

That would mean you have two different nameservers authoritative for
the same DNS domain. That is generally not a recommended setup.

Can't you make foo.example.test a CNAME to foo.example.org or another
hostname, in a domain with a different authoritative DNS server?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Hello,

When using my freeIPA DNS name server for my domain example.test, I need to
exclude some names from the server (to be forwarded to the DNS forwarder,
for instance).

For example, I'd like foo.example.test not to be resolved, but forwarded.
How could I implement this ?

Thanks.
Karl Forner