[Pdns-users] pdns << free-ipa with external dns
scruise56 at gmail.com
Thu Feb 23 19:38:47 UTC 2017
Thanks for sticking with me on this.
> In your FreeIPA server, /etc/resolv.conf must point to a *recursive*
I have this set up with pdns-recusor. Pdns-recursor then forwards to
the pdns auth server.
With this setup I can dig forward and reverse and get the prescribed
results for freeipa, but it's probably an illusion.
It's a fair comment to take it one step at a time, and I thought I had
made it past some :).
So if possible can you suggest the pieces of info I can supply to
confirm my progress.
Just for fun:
On the path I am now (which admittedly is ahead of myself) I can see
ipa-client install logs that are indicating that I do need to create a
subdomain zone by itself on the auth server; the installer does a dig
SOA test and it does not get the right domain back because I did not
separate the records into a new zone - I think ....
I did also create an 1.168.192.in-addr.arpa forward on the recursor,
and it forced me to use 1.168.192 probably because I am using
essentially random ip addresses. But, here for sure I am ahead of
myself. This forward however allowed me to successfully do dig -x on
various servers, like google, my own auth server etc.
OK, now I am stepping back ..... :) .....
On Thu, 2017-02-23 at 08:58 +0000, Brian Candler wrote:
> > On 23/02/2017 03:25, stancs3 wrote:
> > >
> > > > I am setting up free-ipa with an > > *> > external> > * dns server,
> > dns server,
> > ns1.example.com.
> > You need to step back a bit.
> > There are two types of DNS server: authoritative and recursive.
> > In your FreeIPA server, /etc/resolv.conf must point to a
> *recursive* server. But where you store records like
> "ipa1.ipa.example.com" is an *authoritative* server.
> > Sometimes people combine both functions into the same server
> (bind does this by default). But it's better to separate them.
> PowerDNS *forces* you to separate them, since there are separate
> pdns-auth and pdns-recursor packages.
> > So your first question should be: where is the DNS recursor which
> the FreeIPA server will resolve against?
> > If you have an existing on-site recursor, it's fine to use that.
> For most domains, it will find the authoritative nameservers it
> needs to talk to by following delegations (NS records).
> > But for 168.192.in-addr.arpa it is impossible to delegate
> properly, so you will need to configure your recursive server to
> *forward* queries for 168.192.in-addr.arpa to the local
> authoritative nameserver.
> > Once you've decided whether you're going to build two new
> nameservers (one authoritative and one recursive), or you're going
> to going to build an authoritative server and re-use your existing
> recursive server but tweak its configuration, we can move on from
> > Regards,
> > Brian.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users