Re: [Freeipa-users] ipa-dns-install on a remote host?
On 5.7.2013 17:59, Schmitt, Christian wrote:
> Yeah, I know that feature, but when I have a view I need to declare two zone files (I need to create one by hand and the other will get created by ipa-dns). That's not exactly what I'm looking for, since some sites shall be the same on both sides, like domain.tld and www.domain.tld are the same on both sides. But domain.tld is also a FreeIPA domain, and intra.domain.tld should only be routed through clients, but stash.domain.tld and jira.domain.tld should have both, so that they are accessible through the internet but the local clients use the local IPs. Isn't there a delegate-like feature? Or even a feature in FreeIPA that lets me delegate some entries only to internal hosts?
>
> 2013/7/5 Anthony Messina amess...@messinet.com
>> On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
>>> Btw. are there any tips on having a second nameserver (public) that just gives out the important/public hosts? Or is there a good way of having a domain configured twice? Like the internal IP for ipa-users and the external IP for the people outside of the internal firewall?
>>
>> Unrelated to FreeIPA, BIND has support for views, which may accomplish this task for you:
>> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

Hello,

FreeIPA doesn't support BIND views. The simplest way to serve some records only to the internal network but not to the public Internet is this:

1. create public zone example.com, fill it with shared (public + internal) records
2. create internal zone 'in.example.com', configure zone delegation from example.com (NS+A records), add 'internal only' records
3. configure internal zone 'in.example.com' to accept queries only from internal network ($ ipa dnszone-mod in.example.com --allow-query='192.0.2.0/24;')

I believe that this solves the basic use case.

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
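The query restriction in step 3 of the reply above can be checked before relying on it. This is an added example, not code from the thread or from FreeIPA: it evaluates an --allow-query value with BIND's first-match rule for address match lists, handling only addresses, networks, any, none and ! negation; the function names and the sample client addresses are constructed.

```python
import ipaddress

def parse_allow_query(value):
    """Split an --allow-query value such as '192.0.2.0/24;' into rules."""
    # Assumption: every element ends with ';', as in the value on the page.
    if not value.endswith(";"):
        raise ValueError("each ACL element must end with a semicolon")
    rules = []
    for element in value.split(";")[:-1]:
        element = element.strip()
        negated = element.startswith("!")
        if negated:
            element = element[1:].strip()
        if element in ("any", "none"):
            rules.append((negated, element))
        else:
            # A bare address becomes a /32 (or /128) network.
            rules.append((negated, ipaddress.ip_network(element, strict=False)))
    return rules

def query_allowed(rules, client_ip):
    """First matching element decides; no match means the query is refused."""
    addr = ipaddress.ip_address(client_ip)
    for negated, matcher in rules:
        if matcher == "none":
            continue  # 'none' never matches any client
        if matcher == "any" or (addr.version == matcher.version and addr in matcher):
            return not negated
    return False

def audit(value, internal_ips, external_ips):
    """Return the addresses whose outcome contradicts an internal-only zone."""
    rules = parse_allow_query(value)
    wrong = [ip for ip in internal_ips if not query_allowed(rules, ip)]
    wrong += [ip for ip in external_ips if query_allowed(rules, ip)]
    return wrong

if __name__ == "__main__":
    # Constructed sample clients (documentation address ranges).
    inside, outside = ["192.0.2.10"], ["198.51.100.7", "2001:db8::1"]
    print(audit("192.0.2.0/24;", inside, outside))   # value from the thread
    print(audit("any;", inside, outside))            # weak setting
    # Order matters: a negation placed after a matching network is never reached.
    late = parse_allow_query("192.0.2.0/24;!192.0.2.66;")
    early = parse_allow_query("!192.0.2.66;192.0.2.0/24;")
    print(query_allowed(late, "192.0.2.66"), query_allowed(early, "192.0.2.66"))
```

An empty list from audit means every sampled internal client is answered and every sampled external client is refused.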
Re: [Freeipa-users] ipa-dns-install on a remote host?
Schmitt, Christian wrote:
> Is it possible to install ipa-dns-install on a remote host that is only connected via VPN? I mean, this is my current network structure:
>
> Host (Internet) Intranet VPN Access Provider tun - tun FreeIPA Server dc01 dc02
>
> When I now try to ipa-dns-install with the IP from the client IP of the tun device of the FreeIPA Server, I always get an error that the IP is not on my device. Is there an easy way of having the DNS of the FreeIPA Server on an Internet machine? I mean, it will work if I replicate the whole ipa-server, but that is somehow a little bit of an overkill.

We provide no tool to configure DNS as a standalone service. The ipa-dns-install tool will only configure a bind server running on an IPA master.

It is possible to configure bind/bind-dyndb-ldap to run on another host but you'd likely have performance issues and there could be problems at upgrade if we make configuration changes (they wouldn't be applied to your manually-configured instance).

rob
Re: [Freeipa-users] ipa-dns-install on a remote host?
On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
> Btw. are there any tips on having a second nameserver (public) that just gives out the important/public hosts? Or is there a good way of having a domain configured twice? Like the internal IP for ipa-users and the external IP for the people outside of the internal firewall?

Unrelated to FreeIPA, BIND has support for views, which may accomplish this task for you:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E