[Pdns-users] pdns << free-ipa with external dns

Brian Candler b.candler at pobox.com
Thu Feb 23 20:12:39 UTC 2017


On 23/02/2017 19:38, stancs3 wrote:
>
>> In your FreeIPA server, /etc/resolv.conf must point to a *recursive* 
>> server.
>>
>
> I have this set up with pdns-recursor. Pdns-recursor then forwards to 
> the pdns auth server.
>
OK, that's fine. I have FreeIPA set up like that too.

There are a few magic records you ought to put into your "IPA domain" to 
allow discovery of the servers for that realm.

Your actual hosts don't need to be in the same realm. So for example 
your IPA servers could be foo.int.example.com and bar.int.example.com, 
but the IPA domain could be ipa.example.com (corresponding to 
IPA.EXAMPLE.COM as the Kerberos realm)

You can declare that hosts under *.int.example.com and *.ipa.example.com 
belong to the same realm like this:

_kerberos.int.example.com. TXT "IPA.EXAMPLE.COM"
_kerberos.ipa.example.com. TXT "IPA.EXAMPLE.COM"

> With this setup I can dig forward and reverse and get the prescribed 
> results for freeipa, but it's probably an illusion.
>
No, it sounds reasonable enough to me.

>
>
> On the path I am now (which admittedly is ahead of myself) I can see 
> ipa-client install logs that are indicating that I do need to create a 
> subdomain zone by itself on the auth server; the installer does a dig 
> SOA test and it does not get the right domain back because I did not 
> separate the records into a new zone - I think ....
ipa-server-install?

You don't need to create a subdomain. But I think we've veered off pdns 
and into FreeIPA territory.  There's a separate FreeIPA list you can join.

>
> I did also create an 1.168.192.in-addr.arpa forward on the recursor, 
> and it forced me to use 1.168.192 probably because I am using 
> essentially random ip addresses.
I have no idea what you mean by that. Create 1.168.192.in-addr.arpa as 
an authoritative zone, and forward it.

# recursor.conf
forward-zones-file=/etc/powerdns/forward-zones

# forward-zones
1.168.192.in-addr.arpa=x.x.x.x,y.y.y.y   # IP address(es) of authoritative server(s)

This is assuming you built your network using 192.168.1.x IP addresses.  
But nobody forced you to do that :-)

Regards,

Brian.
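The reverse-zone naming and the forward-zones entry discussed above, as an added Python example that is not part of this thread and not PowerDNS's own code. It derives the in-addr.arpa zone name from a network prefix (so 192.168.1.0/24 becomes 1.168.192.in-addr.arpa), renders the zone=ip,ip line for the recursor's forward-zones file, and emits the _kerberos TXT records; the 192.0.2.x server addresses in the usage are constructed placeholders.

```python
import ipaddress


def reverse_zone(cidr: str) -> str:
    """Return the in-addr.arpa zone covering an IPv4 network.

    Only octet-aligned prefixes (/8, /16, /24) map onto one zone name;
    anything else (a /25, say) needs classless delegation rather than a
    single forward-zones entry, so it is rejected here.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: need an octet-aligned IPv4 prefix (/8, /16 or /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def forward_zones_entry(zone: str, servers) -> str:
    """One forward-zones line in the zone=ip[,ip...] form shown in the thread.

    Each server string must parse as an IP address; ports are not handled.
    """
    addrs = [str(ipaddress.ip_address(s)) for s in servers]
    return f"{zone.rstrip('.')}={','.join(addrs)}"


def kerberos_txt_records(realm: str, dns_domains) -> list:
    """_kerberos TXT records declaring that each DNS domain belongs to realm."""
    return [f'_kerberos.{d.rstrip(".")}. TXT "{realm.upper()}"' for d in dns_domains]


def render_forward_zones(networks, auth_servers, extra_zones=()) -> str:
    """Forward-zones file text: forward zones first, then derived reverse zones."""
    lines = [forward_zones_entry(z, auth_servers) for z in extra_zones]
    lines += [forward_zones_entry(reverse_zone(n), auth_servers) for n in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example: two authoritative servers in the 192.0.2.0/24 documentation range.
    auth = ["192.0.2.1", "192.0.2.2"]
    print(render_forward_zones(["192.168.1.0/24"], auth, extra_zones=["ipa.example.com"]))
    print("\n".join(kerberos_txt_records("ipa.example.com", ["int.example.com", "ipa.example.com"])))
```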
