[Pdns-users] pdns << free-ipa with external dns

stancs3 scruise56 at gmail.com
Thu Feb 23 19:38:47 UTC 2017


Thanks for sticking with me on this.

> In your FreeIPA server, /etc/resolv.conf must point to a *recursive*
> server. 

I have this set up with pdns-recursor. Pdns-recursor then forwards to
the pdns auth server.
With this setup I can dig forward and reverse and get the prescribed
results for freeipa, but it's probably an illusion.
It's a fair comment to take it one step at a time, and I thought I had
made it past some :).
So if possible can you suggest the pieces of info I can supply to
confirm my progress.

Just for fun:
On the path I am on now (which admittedly is ahead of myself) I can see
ipa-client-install logs that are indicating that I do need to create a
subdomain zone by itself on the auth server; the installer does a dig
SOA test and it does not get the right domain back because I did not
separate the records into a new zone - I think ....
I did also create a 1.168.192.in-addr.arpa forward on the recursor,
and it forced me to use 1.168.192 probably because I am using
essentially random IP addresses. But, here for sure I am ahead of
myself. This forward however allowed me to successfully do dig -x on
various servers, like google, my own auth server etc.
OK, now I am stepping back .....  :) .....
On Thu, 2017-02-23 at 08:58 +0000, Brian Candler wrote:
> On 23/02/2017 03:25, stancs3 wrote:
> > I am setting up free-ipa with an *external* dns server,
> > ns1.example.com.
>
> You need to step back a bit.
>
> There are two types of DNS server: authoritative and recursive.
>
> In your FreeIPA server, /etc/resolv.conf must point to a *recursive*
> server. But where you store records like "ipa1.ipa.example.com" is an
> *authoritative* server.
>
> Sometimes people combine both functions into the same server (bind
> does this by default). But it's better to separate them. PowerDNS
> *forces* you to separate them, since there are separate pdns-auth and
> pdns-recursor packages.
>
> So your first question should be: where is the DNS recursor which the
> FreeIPA server will resolve against?
>
> If you have an existing on-site recursor, it's fine to use that. For
> most domains, it will find the authoritative nameservers it needs to
> talk to by following delegations (NS records).
>
> But for 168.192.in-addr.arpa it is impossible to delegate properly, so
> you will need to configure your recursive server to *forward* queries
> for 168.192.in-addr.arpa to the local authoritative nameserver.
>
> Once you've decided whether you're going to build two new nameservers
> (one authoritative and one recursive), or you're going to build an
> authoritative server and re-use your existing recursive server but
> tweak its configuration, we can move on from there.
>
> Regards,
>
> Brian.
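The forwarding arrangement Brian describes (a separate pdns-recursor that sends the private zones to the local authoritative server and resolves everything else normally) looks like the following recursor.conf. This is an added illustration, not configuration posted in the thread; the recursor address 192.168.1.2, the authoritative server address 192.168.1.10 and the 192.168.1.0/24 client range are assumed values, while ipa.example.com and 168.192.in-addr.arpa are the names used in the discussion.

```ini
# /etc/pdns-recursor/recursor.conf (added example, not from the thread)

# Listen only on the LAN-facing address (assumed) and answer only LAN
# clients, so the recursor cannot be reached or abused as an open resolver.
local-address=192.168.1.2
allow-from=127.0.0.0/8,192.168.1.0/24

# Zones that the public DNS cannot delegate to this site are handed
# straight to the local PowerDNS authoritative server (assumed address)
# instead of being looked up from the root. The FreeIPA subdomain is
# listed as its own zone, matching the separate zone on the auth server.
forward-zones=ipa.example.com=192.168.1.10,168.192.in-addr.arpa=192.168.1.10

# Every other name is resolved normally by following NS delegations.
```

To confirm each hop independently, query the authoritative server directly with `dig @192.168.1.10 +norecurse SOA ipa.example.com` (it should answer with `aa` set), then repeat the same query against the recursor at 192.168.1.2; the SOA returned should name ipa.example.com rather than the parent example.com, which is the condition the installer's SOA test described above is looking for. A `dig -x` for an address under 192.168.0.0/16 through the recursor should likewise reach the local server rather than the public in-addr.arpa tree. Keeping `allow-from` limited to the local network is what prevents the forwarding recursor from being used by outside clients for reflection or enumeration.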