<html><head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body><div>Thanks for sticking with me on this.</div>
<div><br></div>
<div><br><blockquote type="cite"><p>In your FreeIPA server, /etc/resolv.conf must point to a *recursive* server. </p></blockquote><br>I have this set up with pdns-recursor. Pdns-recursor then forwards to the pdns auth server.</div>
<div><br></div>
<div>With this setup I can dig forward and reverse and get the prescribed results for freeipa, but it's probably an illusion.</div>
<div><br></div>
<div>It's a fair comment to take it one step at a time, and I thought I had made it past some :).</div>
<div><br></div>
<div>So, if possible, can you suggest the pieces of info I can supply to confirm my progress?</div>
<div><br></div>
<div><br></div>
<div>Just for fun:</div>
<div><br></div>
<div>On the path I am on now (which admittedly is ahead of myself) I can see ipa-client install logs that are indicating that I do need to create a subdomain zone by itself on the auth server; the installer does a dig SOA test and it does not get the right domain back because I did not separate the records into a new zone - I think ....</div>
<div><br></div>
<div>I did also create a 1.168.192.in-addr.arpa forward on the recursor, and it forced me to use 1.168.192, probably because I am using essentially random IP addresses. But here, for sure, I am ahead of myself. This forward however allowed me to successfully do dig -x on various servers, like google, my own auth server etc.</div>
<div><br></div>
<div>OK, now I am stepping back ..... :) .....</div>
<div><br></div>
<div><br></div>
<div><br></div>
<div>On Thu, 2017-02-23 at 08:58 +0000, Brian Candler wrote:</div><blockquote type="cite">
<div class="moz-cite-prefix">On 23/02/2017 03:25, stancs3 wrote:<br>
</div>
<blockquote cite="mid:1487820358.3646.326.camel@gmail.com" type="cite">
<pre wrap="">I am setting up free-ipa with an <b class="moz-txt-star"><span class="moz-txt-tag">*</span>external<span class="moz-txt-tag">*</span></b> dns server,
ns1.example.com.</pre>
</blockquote>
<p>You need to step back a bit.</p>
<p>There are two types of DNS server: authoritative and recursive.</p>
<p>In your FreeIPA server, /etc/resolv.conf must point to a
*recursive* server. But where you store records like
"ipa1.ipa.example.com" is an *authoritative* server.<br>
</p>
<p>Sometimes people combine both functions into the same server
(bind does this by default). But it's better to separate them.
PowerDNS *forces* you to separate them, since there are separate
pdns-auth and pdns-recursor packages.</p>
<p>So your first question should be: where is the DNS recursor which
the FreeIPA server will resolve against?</p>
<p>If you have an existing on-site recursor, it's fine to use that.
For most domains, it will find the authoritative nameservers it
needs to talk to by following delegations (NS records).</p>
<p>But for 168.192.in-addr.arpa it is impossible to delegate
properly, so you will need to configure your recursive server to
*forward* queries for 168.192.in-addr.arpa to the local
authoritative nameserver.</p>
<p>Once you've decided whether you're going to build two new
nameservers (one authoritative and one recursive), or you're going
to build an authoritative server and re-use your existing
recursive server but tweak its configuration, we can move on from
there.</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
</blockquote></body></html>