Re: [Freeipa-users] Split Horizon DNS config
On 6.5.2015 10:06, Petr Spacek wrote:

General advice about views is 'do not use them' :-)

It is much cleaner to put internal names in a sub-domain like int.example.com. (while example.com. is the public-facing domain) and restrict access to this sub-domain using ACL. In the long term it will make your life much easier when it comes to DNSSEC validation.

Please see http://www.freeipa.org/page/Deployment_Recommendations#DNS for other related recommendations.

I hope this helps.

I tried to summarize this for future generations:
http://www.freeipa.org/page/DNS#Caveats

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Split Horizon DNS config
Hi,

can someone validate this config for bind + split horizon (only the views part):

    acl internal {
        127.0.0.1;
        172.16.0.0/12;
    };

    view internal {
        match-clients { internal; };
        recursion yes;

        dynamic-db "ipa" {
            library "ldap.so";
            arg "uri ldapi://%2fvar%2frun%2fslapd-HSO.socket";
            arg "base cn=dns, dc=hso";
            arg "fake_mname ipa-2.mgmt.hss.int.";
            arg "auth_method sasl";
            arg "sasl_mech GSSAPI";
            arg "sasl_user DNS/ipa-2.mgmt.hss.int";
            arg "serial_autoincrement yes";
        };

        zone "." IN {
            type hint;
            file "named.ca";
        };

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
    };

    view external {
        match-clients { any; };
        recursion yes;

        zone "mgmt.hss.int" {
            type master;
            file "mgmt.hss.int.db";
        };

        zone "in-addr.arpa" {
            type forward;
            forward only;
            forwarders { 172.16.8.210; };
        };

        zone "." IN {
            type hint;
            file "named.ca";
        };

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
    };

It works, but it's a little bit of an unclean hack IMHO. Bind 9.9 in rhel7.1 doesn't support 'in-view', that's the reason why I use the same host but the ip from the internal acl here:

    zone "in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 172.16.8.210; };
    };

Is there something that can cause problems?

Best regards
Christoph Kaminski
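The sub-domain-plus-ACL layout Petr recommends, written out as a named.conf sketch so it can be set side by side with the two-view config in Christoph's mail. This is an added example, not code from either mail or from the FreeIPA project; example.com, int.example.com, the zone file names and the reverse zone are placeholders, and the 172.16.0.0/12 range is simply reused from the mail. Under FreeIPA the zones are served by bind-dyndb-ldap from LDAP rather than from zone files, so the per-zone query ACL would be set on the zone object (for instance with `ipa dnszone-mod int.example.com --allow-query=...`) instead of in named.conf; the plain named.conf form is shown because it makes the policy visible.

```conf
// Added example (not from the mails): split horizon without views.
// Internal names live in the sub-domain int.example.com.; the public
// domain example.com. stays world-readable. All names are placeholders.

acl internal {
    127.0.0.1;
    172.16.0.0/12;       // same internal range as in the original mail
};

options {
    // Recursion only for internal clients; outsiders only get
    // authoritative answers for the zones below.
    allow-recursion { internal; };
    // Default for any zone that does not override it.
    allow-query { any; };
};

// Public-facing zone: answers for everybody, no zone transfers.
zone "example.com" IN {
    type master;
    file "example.com.db";
    allow-query    { any; };
    allow-transfer { none; };
};

// Internal-only sub-domain: one zone, one copy of the data, one ACL.
// No second view, so there is no second set of zone data to keep in sync
// and only one zone to sign if DNSSEC is enabled later.
zone "int.example.com" IN {
    type master;
    file "int.example.com.db";
    allow-query    { internal; };
    allow-transfer { none; };
};

// Reverse zone for the internal range (placeholder) is internal-only too.
zone "16.172.in-addr.arpa" IN {
    type master;
    file "16.172.in-addr.arpa.db";
    allow-query    { internal; };
    allow-transfer { none; };
};
```

The trade-off to be aware of: an external client asking for a name under int.example.com gets REFUSED rather than the fake NXDOMAIN a separate external view would produce, so the existence of the sub-domain is not hidden, only its contents. In return every zone has exactly one set of records, which is what keeps DNSSEC signing and validation straightforward, and there is no forwarder-to-self workaround like the in-addr.arpa forward zone in the original config.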