Re: [Freeipa-users] DNS configuration for not resolving some addresses
On 8.7.2015 20:46, Karl Forner wrote:
> I forgot my main use case: I have name-based reverse proxies (SNI) for some web apps/services that are accessible both from the internal and external network. They must be accessed with the exact same name/URL, otherwise the dispatch cannot work.
>
> Until now I manage this by manually editing all /etc/hosts on all internal computers, but I had hoped to benefit from the freeIPA DNS for a more elegant solution.

Standard DNS cannot provide you with this, you need to hack it yourself.

Sorry!

Petr Spacek @ Red Hat

> On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek <pspa...@redhat.com> wrote:
>> On 8.7.2015 16:32, Karl Forner wrote:
>>> Thanks Petr.
>>> My use case is: we have scripts that connect to some services, let's say a docker registry. I want these scripts to work either internally or externally, without changing the URLs. What would be the best or easiest setting to achieve this?
>>
>> Personally I use a config file for this. I.e. the script is the same and URLs, names, passwords, etc. are read from a config file stored alongside the script. This allows me to test it easily without any changes in DNS or system-wide configuration like /etc/hosts.
>>
>> Yes, it requires more code, but in the long term it is way more debuggable than DNS tricks.
>>
>> Petr^2 Spacek
>>
>>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
>>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>>>>>
>>>>>> That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.
>>>>>
>>>>> Yes, that's what I read, but I do not know how to easily do differently.
>>>>> But in the end, what I'd like for my users is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.
>>>>
>>>> Such a setup is generally not recommended because it is usually a pain when it comes to long-term operation and maintenance.
>>>> http://www.freeipa.org/page/DNS#Caveats
>>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>>
>>>> Two main use-cases are:
>>>> a) Two or more different servers are using the same name and which server is used depends on the client's network. This is usually very cumbersome because DNS caching will play against you, especially when we introduce a system-wide cache into Fedora 23. It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security...
>>>> The typical recommendation is to use a sub-domain for internal names, e.g. i.example.com for internal names and example.com for externally-resolvable names.
>>>> b) Second use-case: attempt to optimize IP routing by using DNS tricks. Yes, it is as bad an idea as it sounds.
>>>>
>>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?
>>>>>
>>>>> Hmm yes that should work, thanks!
>>>>
>>>> Please keep in mind that it only hides the problem under yet another layer of indirection.
>>>>
>>>> <humor>
>>>> Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point (6), but you should take point (3) into account, too :-)
>>>> </humor>
>>>>
>>>> --
>>>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] DNS configuration for not resolving some addresses
On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?

That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.

Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] DNS configuration for not resolving some addresses
On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>
> That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.

Yes, that's what I read, but I do not know how to easily do differently.
But in the end, what I'd like for my users is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.

> Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?

Hmm yes that should work, thanks!

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] DNS configuration for not resolving some addresses
> Okay, but DNS doesn't work in that way. Zone example.test. is authoritative, so it must contain the record or delegation or NXDOMAIN is returned. You cannot have multiple authoritative copies of one zone with different data.
>
> The best solution would be to have only the internal.example.test. zone managed by IPA, and add a delegation to this zone into example.test.

Ok I understand. But in this setting, how would I implement the lookup so that internally, ipa.example.test would resolve to ipa.internal.example.test (internal IP), and externally to the external IP?

thanks

> Martin
>
> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti <mba...@redhat.com> wrote:
>> On 08/07/15 14:26, Karl Forner wrote:
>>> Hello,
>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>> Thanks.
>>> Karl Forner
>>
>> Hello,
>> If you plan to forward a whole subzone, you can use forward zones in IPA.
>> example.test -- master zone
>> foo.example.test -- forward zone
>>
>> Which IPA version do you have? If IPA 4.0, then you can use the ipa dnsforwardzone-add command. Otherwise dnszone-add with the --forwarder option.
>>
>> Do not forget to add proper NS delegation for all sub zones from the parent zone. For example:
>> ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.
>>
>> --
>> Martin Basti
>
> --
> Martin Basti
Re: [Freeipa-users] DNS configuration for not resolving some addresses
Thanks Petr.
My use case is: we have scripts that connect to some services, let's say a docker registry. I want these scripts to work either internally or externally, without changing the URLs. What would be the best or easiest setting to achieve this?

On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 8.7.2015 15:07, Karl Forner wrote:
>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>>
>>> That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.
>>
>> Yes, that's what I read, but I do not know how to easily do differently.
>> But in the end, what I'd like for my users is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.
>
> Such a setup is generally not recommended because it is usually a pain when it comes to long-term operation and maintenance.
> http://www.freeipa.org/page/DNS#Caveats
> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>
> Two main use-cases are:
> a) Two or more different servers are using the same name and which server is used depends on the client's network. This is usually very cumbersome because DNS caching will play against you, especially when we introduce a system-wide cache into Fedora 23. It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security...
> The typical recommendation is to use a sub-domain for internal names, e.g. i.example.com for internal names and example.com for externally-resolvable names.
> b) Second use-case: attempt to optimize IP routing by using DNS tricks. Yes, it is as bad an idea as it sounds.
>
>>> Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?
>>
>> Hmm yes that should work, thanks!
>
> Please keep in mind that it only hides the problem under yet another layer of indirection.
>
> <humor>
> Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point (6), but you should take point (3) into account, too :-)
> </humor>
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] DNS configuration for not resolving some addresses
On 8.7.2015 16:32, Karl Forner wrote:
> Thanks Petr.
> My use case is: we have scripts that connect to some services, let's say a docker registry. I want these scripts to work either internally or externally, without changing the URLs. What would be the best or easiest setting to achieve this?

Personally I use a config file for this. I.e. the script is the same and URLs, names, passwords, etc. are read from a config file stored alongside the script. This allows me to test it easily without any changes in DNS or system-wide configuration like /etc/hosts.

Yes, it requires more code, but in the long term it is way more debuggable than DNS tricks.

Petr^2 Spacek

> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:
>> On 8.7.2015 15:07, Karl Forner wrote:
>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>>>
>>>> That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.
>>>
>>> Yes, that's what I read, but I do not know how to easily do differently.
>>> But in the end, what I'd like for my users is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.
>>
>> Such a setup is generally not recommended because it is usually a pain when it comes to long-term operation and maintenance.
>> http://www.freeipa.org/page/DNS#Caveats
>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>
>> Two main use-cases are:
>> a) Two or more different servers are using the same name and which server is used depends on the client's network. This is usually very cumbersome because DNS caching will play against you, especially when we introduce a system-wide cache into Fedora 23. It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security...
>> The typical recommendation is to use a sub-domain for internal names, e.g. i.example.com for internal names and example.com for externally-resolvable names.
>> b) Second use-case: attempt to optimize IP routing by using DNS tricks. Yes, it is as bad an idea as it sounds.
>>
>>>> Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?
>>>
>>> Hmm yes that should work, thanks!
>>
>> Please keep in mind that it only hides the problem under yet another layer of indirection.
>>
>> <humor>
>> Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point (6), but you should take point (3) into account, too :-)
>> </humor>
>>
>> --
>> Petr^2 Spacek
Re: [Freeipa-users] DNS configuration for not resolving some addresses
Thanks Martin, but I do not want to forward the whole subzone.
I have the example.test zone from my web hosting site, which also manages the domain example.test. I use the example.test domain in freeIPA. So the problem is that in the internal network, I can no longer resolve www.example.test.
Of course I can define all such names manually in the freeIPA DNS, but ideally (or naively) I'd like a way to configure the freeIPA DNS like: if you do not know foo.example.test, instead of returning NXDOMAIN, please forward the request to this other nameserver.

On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti <mba...@redhat.com> wrote:
> On 08/07/15 14:26, Karl Forner wrote:
>> Hello,
>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>> Thanks.
>> Karl Forner
>
> Hello,
> If you plan to forward a whole subzone, you can use forward zones in IPA.
> example.test -- master zone
> foo.example.test -- forward zone
>
> Which IPA version do you have? If IPA 4.0, then you can use the ipa dnsforwardzone-add command. Otherwise dnszone-add with the --forwarder option.
>
> Do not forget to add proper NS delegation for all sub zones from the parent zone. For example:
> ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.
>
> --
> Martin Basti
Re: [Freeipa-users] DNS configuration for not resolving some addresses
On 08/07/15 16:14, Karl Forner wrote:
> Thanks Martin, but I do not want to forward the whole subzone.
> I have the example.test zone from my web hosting site, which also manages the domain example.test. I use the example.test domain in freeIPA. So the problem is that in the internal network, I can no longer resolve www.example.test.
> Of course I can define all such names manually in the freeIPA DNS, but ideally (or naively) I'd like a way to configure the freeIPA DNS like: if you do not know foo.example.test, instead of returning NXDOMAIN, please forward the request to this other nameserver.

Okay, but DNS doesn't work in that way. Zone example.test. is authoritative, so it must contain the record or delegation or NXDOMAIN is returned. You cannot have multiple authoritative copies of one zone with different data.

The best solution would be to have only the internal.example.test. zone managed by IPA, and add a delegation to this zone into example.test.

Martin

> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti <mba...@redhat.com> wrote:
>> On 08/07/15 14:26, Karl Forner wrote:
>>> Hello,
>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>> Thanks.
>>> Karl Forner
>>
>> Hello,
>> If you plan to forward a whole subzone, you can use forward zones in IPA.
>> example.test -- master zone
>> foo.example.test -- forward zone
>>
>> Which IPA version do you have? If IPA 4.0, then you can use the ipa dnsforwardzone-add command. Otherwise dnszone-add with the --forwarder option.
>>
>> Do not forget to add proper NS delegation for all sub zones from the parent zone. For example:
>> ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test.
>>
>> --
>> Martin Basti

--
Martin Basti
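The point Martin makes above (an authoritative zone can only answer with a record, a delegation, or NXDOMAIN; there is no "ask someone else on a miss") is easy to see in a toy resolver. The following is an added example, not code from this thread or from FreeIPA: it models the hoster's example.test. zone, an internal.example.test. sub-zone delegated to IPA, and Jan's CNAME-into-another-zone suggestion. All zone contents, server names and addresses are constructed for illustration.

```python
"""Added example (not code from the thread or from FreeIPA): a toy model of
what an authoritative server can answer, and how a resolver walks
delegations and CNAME chains. Zone contents, addresses and server names
below are constructed for illustration."""

# origin -> {owner name: [(rtype, rdata), ...]}; all names are absolute.
ZONES = {
    # example.test. as served by the web hoster (assumed contents)
    "example.test.": {
        "example.test.": [("NS", "ns1.hoster.example.")],
        "www.example.test.": [("A", "203.0.113.10")],
        # Jan's suggestion: point into a zone served by someone else
        "foo.example.test.": [("CNAME", "foo.example.org.")],
        # Martin's suggestion: delegate the internal sub-zone to IPA
        "internal.example.test.": [("NS", "ipa.internal.example.test.")],
        "ipa.internal.example.test.": [("A", "192.0.2.5")],   # glue
    },
    # internal.example.test. as served by the IPA DNS server (assumed)
    "internal.example.test.": {
        "internal.example.test.": [("NS", "ipa.internal.example.test.")],
        "ipa.internal.example.test.": [("A", "192.0.2.5")],
        "registry.internal.example.test.": [("A", "192.0.2.20")],
    },
    # example.org., a zone with a different authoritative server (assumed)
    "example.org.": {
        "example.org.": [("NS", "ns1.example.org.")],
        "foo.example.org.": [("A", "198.51.100.7")],
    },
}


def authoritative_answer(origin, name, rtype):
    """Answer of the authoritative server for zone `origin` to (name, rtype).

    Exactly three outcomes exist: a record (NOERROR, possibly a CNAME to
    chase), a delegation (REFERRAL), or NXDOMAIN. A name the zone does not
    contain is NXDOMAIN; the server never forwards the question elsewhere.
    """
    zone = ZONES[origin]
    labels = name[:-1].split(".")
    depth_below_apex = len(labels) - len(origin[:-1].split("."))
    # Closest enclosing delegation wins: walk the cuts from the apex down.
    for i in reversed(range(depth_below_apex)):
        cut = ".".join(labels[i:]) + "."
        ns = [rdata for rtype_, rdata in zone.get(cut, []) if rtype_ == "NS"]
        if ns:
            return "REFERRAL", cut, ns
    rrs = zone.get(name)
    if rrs is None:
        return "NXDOMAIN", None, None
    cname = [rdata for rtype_, rdata in rrs if rtype_ == "CNAME"]
    if cname and rtype != "CNAME":
        return "CNAME", cname[0], None
    return "NOERROR", [rdata for rtype_, rdata in rrs if rtype_ == rtype], None


def enclosing_zones(name):
    """Modelled zones containing `name`, least specific (parent) first."""
    return sorted((o for o in ZONES if name == o or name.endswith("." + o)),
                  key=len)


def resolve(name, rtype="A", max_steps=10):
    """Iterative resolution: start at the parent zone, follow referrals and
    CNAME chains. Returns (rcode, rdata list, trace of (zone, name, rcode))."""
    trace = []
    zones = enclosing_zones(name)
    if not zones:
        return "SERVFAIL", [], trace
    origin = zones[0]
    for _ in range(max_steps):
        rcode, data, _ns = authoritative_answer(origin, name, rtype)
        trace.append((origin, name, rcode))
        if rcode == "REFERRAL":
            if data not in ZONES:          # lame delegation: nobody serves it
                return "SERVFAIL", [], trace
            origin = data                  # ask the child zone's server next
        elif rcode == "CNAME":
            name = data
            zones = enclosing_zones(name)
            if not zones:
                return "SERVFAIL", [], trace
            origin = zones[0]              # restart at the target's parent
        else:
            return rcode, data or [], trace
    return "SERVFAIL", [], trace


if __name__ == "__main__":
    for qname in ("www.example.test.", "registry.internal.example.test.",
                  "foo.example.test.", "missing.example.test."):
        print(qname, resolve(qname))
```

Querying registry.internal.example.test. shows the delegation in action: the hoster's server answers with a referral and the IPA server then answers with the internal address. Querying a name that the hoster's zone does not hold gives NXDOMAIN straight away, which is why "forward on miss" cannot be configured into an authoritative zone.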
Re: [Freeipa-users] DNS configuration for not resolving some addresses
On 8.7.2015 15:07, Karl Forner wrote:
> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>
>> That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.
>
> Yes, that's what I read, but I do not know how to easily do differently.
> But in the end, what I'd like for my users is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.

Such a setup is generally not recommended because it is usually a pain when it comes to long-term operation and maintenance.
http://www.freeipa.org/page/DNS#Caveats
http://www.freeipa.org/page/Deployment_Recommendations#DNS

Two main use-cases are:
a) Two or more different servers are using the same name and which server is used depends on the client's network. This is usually very cumbersome because DNS caching will play against you, especially when we introduce a system-wide cache into Fedora 23. It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security...
The typical recommendation is to use a sub-domain for internal names, e.g. i.example.com for internal names and example.com for externally-resolvable names.
b) Second use-case: attempt to optimize IP routing by using DNS tricks. Yes, it is as bad an idea as it sounds.

>> Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?
>
> Hmm yes that should work, thanks!

Please keep in mind that it only hides the problem under yet another layer of indirection.

<humor>
Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point (6), but you should take point (3) into account, too :-)
</humor>

--
Petr^2 Spacek
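Petr's warning that "DNS caching will play against you" in use-case a) is worth seeing concretely. The following is an added example, not code from this thread or from FreeIPA: it models a roaming client with a system-wide positive cache and two authoritative views of foo.example.test (internal and external). Caches key on the name, not on the network the answer came from, so the answer learned inside the LAN is reused outside until its TTL expires. All addresses and TTLs are constructed.

```python
"""Added example (not from the thread or FreeIPA): why a shared cache breaks
split-horizon names. A roaming client with a system-wide DNS cache carries
the answer learned on one network onto the other until the TTL expires.
Addresses, names and TTLs are constructed for illustration."""

# Two authoritative "views" of the same name (the split-horizon setup
# discussed above), plus the recommended alternative: a distinct internal
# name under a sub-domain that exists only in the internal view.
VIEWS = {
    "internal": {
        "foo.example.test.": ("192.0.2.5", 3600),
        "foo.i.example.test.": ("192.0.2.5", 3600),
    },
    "external": {
        "foo.example.test.": ("203.0.113.10", 3600),
    },
}


class CachingStub:
    """Minimal positive cache: name -> (address, absolute expiry time)."""

    def __init__(self):
        self.cache = {}

    def query(self, name, network, now):
        """Resolve `name` at time `now` while attached to `network`.

        Returns (address, source) where source is 'cache', 'server' or
        'nxdomain'. The cache is consulted first and knows nothing about
        which network supplied the entry; that is the whole problem."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "cache"
        record = VIEWS[network].get(name)
        if record is None:
            return None, "nxdomain"
        addr, ttl = record
        self.cache[name] = (addr, now + ttl)
        return addr, "server"


def roaming_scenario():
    """Laptop resolves foo.example.test on the LAN, then moves outside.

    Ten minutes later, on the external network, it still connects to the
    internal address; only after the TTL runs out does it see the
    external one."""
    stub = CachingStub()
    inside = stub.query("foo.example.test.", "internal", now=0)
    moved = stub.query("foo.example.test.", "external", now=600)   # stale
    later = stub.query("foo.example.test.", "external", now=3601)  # expired
    return inside, moved, later


def subdomain_scenario():
    """Same laptop with the recommended split into i.example.test.

    The internal and external services have different names, so a cached
    internal answer can never be handed out for the external name."""
    stub = CachingStub()
    inside = stub.query("foo.i.example.test.", "internal", now=0)
    outside = stub.query("foo.example.test.", "external", now=600)
    return inside, outside


if __name__ == "__main__":
    print("split horizon:", roaming_scenario())
    print("sub-domain:   ", subdomain_scenario())
```

The stale step is the one that hurts in practice: the client's TLS/SNI request for foo.example.test is sent to 192.0.2.5 from a network where that address is unreachable or, worse, belongs to something else. With the sub-domain layout the two names never share a cache entry, which is the operational reason behind the i.example.com recommendation.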
Re: [Freeipa-users] DNS configuration for not resolving some addresses
I forgot my main use case: I have name-based reverse proxies (SNI) for some web apps/services that are accessible both from the internal and external network. They must be accessed with the exact same name/URL, otherwise the dispatch cannot work.

Until now I manage this by manually editing all /etc/hosts on all internal computers, but I had hoped to benefit from the freeIPA DNS for a more elegant solution.

On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 8.7.2015 16:32, Karl Forner wrote:
>> Thanks Petr.
>> My use case is: we have scripts that connect to some services, let's say a docker registry. I want these scripts to work either internally or externally, without changing the URLs. What would be the best or easiest setting to achieve this?
>
> Personally I use a config file for this. I.e. the script is the same and URLs, names, passwords, etc. are read from a config file stored alongside the script. This allows me to test it easily without any changes in DNS or system-wide configuration like /etc/hosts.
>
> Yes, it requires more code, but in the long term it is way more debuggable than DNS tricks.
>
> Petr^2 Spacek
>
>> On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>> On 8.7.2015 15:07, Karl Forner wrote:
>>>> On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
>>>>> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
>>>>>> When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder, for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this?
>>>>>
>>>>> That would mean you have two different nameservers authoritative for the same DNS domain. That is generally not a recommended setup.
>>>>
>>>> Yes, that's what I read, but I do not know how to easily do differently.
>>>> But in the end, what I'd like for my users is to have foo.example.test resolved from the outside to my external server IP, and from the inside to the internal server IP.
>>>
>>> Such a setup is generally not recommended because it is usually a pain when it comes to long-term operation and maintenance.
>>> http://www.freeipa.org/page/DNS#Caveats
>>> http://www.freeipa.org/page/Deployment_Recommendations#DNS
>>>
>>> Two main use-cases are:
>>> a) Two or more different servers are using the same name and which server is used depends on the client's network. This is usually very cumbersome because DNS caching will play against you, especially when we introduce a system-wide cache into Fedora 23. It is also hard to manage and debug because you have to ask the same question from different networks etc. And it will be harder when you deploy DNSSEC to increase security...
>>> The typical recommendation is to use a sub-domain for internal names, e.g. i.example.com for internal names and example.com for externally-resolvable names.
>>> b) Second use-case: attempt to optimize IP routing by using DNS tricks. Yes, it is as bad an idea as it sounds.
>>>
>>>>> Can't you make foo.example.test a CNAME to foo.example.org or another hostname, in a domain with a different authoritative DNS server?
>>>>
>>>> Hmm yes that should work, thanks!
>>>
>>> Please keep in mind that it only hides the problem under yet another layer of indirection.
>>>
>>> <humor>
>>> Yes, it is always possible! We know it because it is written in The Twelve Networking Truths: https://tools.ietf.org/html/rfc1925#page-2 point (6), but you should take point (3) into account, too :-)
>>> </humor>
>>>
>>> --
>>> Petr^2 Spacek