Re: [Freeipa-users] Split Horizon DNS config

2015-05-06 Thread Petr Spacek
On 6.5.2015 10:06, Petr Spacek wrote:
 General advice about views is
 'do not use them' :-)
 
 It is much cleaner to put internal names in a sub-domain like int.example.com.
 (while example.com. is the public-facing domain) and restrict access to this
 sub-domain using ACL.
 
 In the long term it will make your life much easier when it comes to DNSSEC
 validation. Please see
 http://www.freeipa.org/page/Deployment_Recommendations#DNS for other related
 recommendations.
 
 I hope this helps.

I tried to summarize this for future generations:
http://www.freeipa.org/page/DNS#Caveats

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
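The following named.conf is an added example illustrating the advice above (sub-domain plus ACL instead of views); it is not configuration from the thread or from the FreeIPA project. The zone names, file names, ACL ranges and the secondary's address 192.0.2.53 are placeholders. It also restricts recursion to the internal ACL, since a view that answers recursive queries for "any" (as in the config quoted below) behaves as an open resolver.

```conf
// Added example: single-view BIND configuration following the
// "sub-domain + ACL" recommendation. All names/addresses are placeholders.
acl internal {
    127.0.0.1;
    172.16.0.0/12;
};

options {
    directory "/var/named";
    // Recursion only for internal clients; "any" would make this an open resolver.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    // Authoritative data is answered to anyone unless a zone overrides it.
    allow-query { any; };
    dnssec-validation auto;
};

// Public-facing zone: queryable by anyone, transferable only to the secondary.
zone "example.com" IN {
    type master;
    file "example.com.db";
    allow-query { any; };
    allow-transfer { 192.0.2.53; };   // placeholder secondary
};

// Internal names live in a plain sub-domain, not a separate view.
// Clients outside the ACL get REFUSED instead of a different answer.
zone "int.example.com" IN {
    type master;
    file "int.example.com.db";
    allow-query { internal; };
    allow-transfer { none; };
};

// Reverse zone for (part of) the private range, restricted the same way.
zone "16.172.in-addr.arpa" IN {
    type master;
    file "16.172.in-addr.arpa.db";
    allow-query { internal; };
    allow-transfer { none; };
};

zone "." IN {
    type hint;
    file "named.ca";
};
```

In the parent zone file, example.com delegates int.example.com with ordinary NS records, so outside resolvers see a normal (insecure or DS-signed) delegation and are then refused by the ACL, which keeps a single DNSSEC chain of trust instead of two differently signed versions of one name. For zones managed by FreeIPA, the same per-zone restriction is set on the zone object with `ipa dnszone-mod --allow-query` rather than in named.conf.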


[Freeipa-users] Split Horizon DNS config

2015-05-04 Thread Christoph Kaminski
Hi

Can someone validate this config for BIND + split horizon (only the views
part)?

acl internal {
    127.0.0.1;
    172.16.0.0/12;
};

view "internal"
{
    match-clients   { internal; };
    recursion yes;

    dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-HSO.socket";
        arg "base cn=dns, dc=hso";
        arg "fake_mname ipa-2.mgmt.hss.int.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa-2.mgmt.hss.int";
        arg "serial_autoincrement yes";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};

view "external"
{
    match-clients   { any; };
    recursion yes;

    zone "mgmt.hss.int" {
        type master;
        file "mgmt.hss.int.db";
    };

    zone "in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 172.16.8.210; };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};

It works, but it's a bit of an unclean hack IMHO. BIND 9.9 in RHEL 7.1
doesn't support 'in-view'; that's the reason why I use the same host, but
with the IP from the internal ACL, here:

zone "in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 172.16.8.210; };
};

Is there something that could cause problems?

MfG
Christoph Kaminski

