Re: [Freeipa-users] Export DNS to external
A DNS slave here is no different. The slave does not get its information from IPA. It gets it from a basic zone update from the master. Configure your slave like you would configure any other DNS slave.

Terry

Sent from my iPhone

> On Jan 28, 2014, at 7:48 AM, "Choudhury, Suhail" wrote:
>
> Hi,
>
> We are looking at adding redundancy to our IPA setup by using DNS
> servers external to our IPA servers, so in the event of IPA dying we can
> still resolve against these external DNS servers.
>
> So I'm looking at how I can add a server running BIND as a DNS slave.
>
> Normally on a DNS slave we can set something like the following in
> named.conf:
>
> =
>
>     // query-source address * port 53;
>     allow-transfer {208.99.198.184/32;};
> };
>
> //
> // a caching only nameserver config
> //
>
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
>
> zone "localhost" IN {
>     type master;
>     file "localhost.zone";
>     allow-update { none; };
> };
>
> zone "yourdomain.com" IN {
>     type slave;
>     file "/var/named/yourdomain.com.zone";
>     // allow-update { none; };
>     allow-transfer { 192.168.0.1/32; };
>     masters { 192.168.0.1; };
> };
>
> zone "0.168.192.in-addr.arpa" IN {
>     type slave;
>     file "/var/named/0.168.192.rev";
>     // allow-update { none; };
>     allow-transfer { 192.168.0.1/32; };
>     masters { 192.168.0.1; };
> };
>
> =
>
> In the IPA server's named.conf I see DNS entries are loaded up via LDAP:
>
> =
>
> include "/etc/named.rfc1912.zones";
>
> dynamic-db "ipa" {
>     library "ldap.so";
>     arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
>     arg "base cn=dns, dc=sub,dc=domain,dc=com";
>     arg "fake_mname ipa01.sub.domain.com.";
>     arg "auth_method sasl";
>     arg "sasl_mech GSSAPI";
>     arg "sasl_user DNS/ipa01.sub.domain.com";
>     arg "zone_refresh 0";
>     arg "psearch yes";
>     arg "connections 4";
>     arg "serial_autoincrement yes";
> };
>
> =
>
> Has anyone successfully pulled DNS zones out of IPA to BIND slaves?
>
> --
> Regards,
> Suhail.
> DevOps(Recs), BSkyB.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Export DNS to external
On Tue, 28 Jan 2014, Choudhury, Suhail wrote:
> Hi,
>
> We are looking at adding redundancy to our IPA setup by using DNS
> servers external to our IPA servers, so in the event of IPA dying we can
> still resolve against these external DNS servers.
>
> So I'm looking at how I can add a server running BIND as a DNS slave.

We have this presentation:
http://www.freeipa.org/images/b/b6/Freeipa30_DNS_zone_transfers.pdf

--
/ Alexander Bokovoy
[Freeipa-users] Export DNS to external
Hi,

We are looking at adding redundancy to our IPA setup by using DNS servers external to our IPA servers, so in the event of IPA dying we can still resolve against these external DNS servers.

So I'm looking at how I can add a server running BIND as a DNS slave.

Normally on a DNS slave we can set something like the following in named.conf:

=

    // query-source address * port 53;
    allow-transfer {208.99.198.184/32;};
};

//
// a caching only nameserver config
//

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "yourdomain.com" IN {
    type slave;
    file "/var/named/yourdomain.com.zone";
    // allow-update { none; };
    allow-transfer { 192.168.0.1/32; };
    masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "/var/named/0.168.192.rev";
    // allow-update { none; };
    allow-transfer { 192.168.0.1/32; };
    masters { 192.168.0.1; };
};

=

In the IPA server's named.conf I see DNS entries are loaded up via LDAP:

=

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
    arg "base cn=dns, dc=sub,dc=domain,dc=com";
    arg "fake_mname ipa01.sub.domain.com.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa01.sub.domain.com";
    arg "zone_refresh 0";
    arg "psearch yes";
    arg "connections 4";
    arg "serial_autoincrement yes";
};

=

Has anyone successfully pulled DNS zones out of IPA to BIND slaves?

--
Regards,
Suhail.
DevOps(Recs), BSkyB.
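As an added example, not part of the thread and not FreeIPA's or bind-dyndb-ldap's own code: a small Python audit of the two kinds of named.conf fragment shown above. It parses statements the way BIND reads them (comments stripped, but not inside quoted strings, because the `ldapi://` URI in the dynamic-db block is not a comment), then flags slave zones that have no `masters` statement or that set `allow-transfer` to `any`, and an IPA-side `dynamic-db` block whose `serial_autoincrement` is not `yes`, since a slave only re-transfers a zone when the master's SOA serial has grown. The configs it runs over are constructed samples modelled on the thread's; the zone `broken.example`, the `any` ACL and the `serial_autoincrement no` line are deliberate weak settings introduced here, not the poster's configuration.

```python
import re

# Constructed slave named.conf: one zone as in the thread, one with a weak ACL, one incomplete.
SLAVE_CONF = r'''
zone "yourdomain.com" IN {
    type slave;
    file "/var/named/yourdomain.com.zone";
    // allow-update { none; };
    allow-transfer { 192.168.0.1/32; };
    masters { 192.168.0.1; };
};
zone "0.168.192.in-addr.arpa" IN {
    type slave;
    allow-transfer { any; };   /* constructed weak setting */
    masters { 192.168.0.1; };
};
zone "broken.example" IN {
    type slave;
};
'''

# Constructed IPA-side dynamic-db block with serial auto-increment switched off (the thread has it on).
IPA_CONF = r'''
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
    arg "base cn=dns, dc=sub,dc=domain,dc=com";
    arg "serial_autoincrement no";
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments but copy quoted strings verbatim (ldapi:// is not a comment)."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif text.startswith("//", i) or text[i] == "#":
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def top_level_blocks(text):
    """Yield (header, body) for each `header { body };` statement, matching braces by depth."""
    text = strip_comments(text)
    i = 0
    while (start := text.find("{", i)) != -1:
        header = text[i:start].strip().lstrip(";").strip()
        depth = 0
        for j in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            if depth == 0:
                break
        yield header, text[start + 1:j]
        i = j + 1

def address_list(body, key):
    """Entries of `key { a; b; };` inside a block body, or None when the statement is absent."""
    m = re.search(r"\b" + re.escape(key) + r"\s*\{([^}]*)\}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def scalar(body, key):
    """Value of `key value;` inside a block body, or None."""
    m = re.search(r"\b" + re.escape(key) + r"\s+([^;{]+);", body)
    return None if m is None else m.group(1).strip().strip('"')

def audit_slave(conf):
    """Return (zone, finding) pairs for every slave zone in a BIND slave named.conf."""
    findings = []
    for header, body in top_level_blocks(conf):
        m = re.match(r'zone\s+"([^"]+)"', header)
        if m is None or scalar(body, "type") != "slave":
            continue
        zone = m.group(1)
        if address_list(body, "masters") is None:
            findings.append((zone, "no masters statement: nothing to transfer the zone from"))
        xfr = address_list(body, "allow-transfer")
        if xfr is None:
            findings.append((zone, "no allow-transfer: BIND has historically defaulted to any"))
        elif "any" in xfr:
            findings.append((zone, "allow-transfer any: the slave hands the whole zone to any client"))
    return findings

def audit_ipa_master(conf):
    """Return findings for the bind-dyndb-ldap block; slaves only refresh when the SOA serial grows."""
    findings = []
    for header, body in top_level_blocks(conf):
        if header.startswith("dynamic-db"):
            args = dict(re.findall(r'arg\s+"(\S+)\s+([^"]*)"', body))
            if args.get("serial_autoincrement") != "yes":
                findings.append(("dynamic-db", "serial_autoincrement is not yes: slaves never see a new serial"))
    return findings

if __name__ == "__main__":
    for where, result in (("slave", audit_slave(SLAVE_CONF)), ("ipa master", audit_ipa_master(IPA_CONF))):
        for name, text in result:
            print(f"[{where}] {name}: {text}")
```

Run as-is it prints three findings for the slave sample and one for the IPA sample. The slave's `allow-transfer` list is the half of the picture the thread shows; the other half, which zones the IPA master is willing to hand out and to whom, is the zone's own transfer ACL in IPA (`ipa dnszone-mod ZONE --allow-transfer=...` in the FreeIPA CLI), which is not in the thread and is not checked by this script.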