Updating FreeIPA system DNS records on a remote DNS server
Short feature description
FreeIPA with integrated DNS dynamically updates its own DNS records after changes in topology. The same update can be triggered manually by running the command ipa dns-update-system-records.
However, this is not so simple with external DNS services. For this case the option --dry-run provides the list of required DNS records, and the option --out FILE exports the data in the format of the nsupdate utility, so the resulting file can be fed directly to nsupdate.
Supported in versions
4.4+: dns-update-system-records command
4.5+: dns-update-system-records with the --out option
Examples
Show list of required records
This is handy when the DNS is hosted externally and managed through a GUI: the listing shows the records that have to be updated manually. The list of records can look, for example, like this:
[user@ipa ~]$ ipa dns-update-system-records --dry-run
IPA DNS records:
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 ipa.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 ipa.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 ipa.example.com.
ipa-ca.example.com. 86400 IN A 192.0.2.36
ipa-ca.example.com. 86400 IN AAAA 2001:db8:0:224e:21a:4aff:fe23:1523
Generating a file with FreeIPA DNS data for the nsupdate utility
The option --out FILE stores the DNS data in nsupdate format in the file FILE.
[user@ipa ~]$ ipa dns-update-system-records --dry-run --out ipa-records.nsupdate
IPA DNS records:
...
[user@ipa ~]$ cat ipa-records.nsupdate
; IPA DNS records
update delete _kerberos-master._tcp.example.com. SRV
update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
update delete _kerberos-master._udp.example.com. SRV
update add _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
.....
update delete ipa-ca.example.com. AAAA
update add ipa-ca.example.com. 86400 IN AAAA 2001:db8:0:224e:21a:4aff:fe23:1523
send
Notes about the exported nsupdate file
By default, the records exported by dns-update-system-records rely on nsupdate's auto-detection of the zone in which the records should be updated and of the authoritative server of that zone. In the majority of cases this should just work. However, in a non-standard DNS setup, or when zone delegations are missing, nsupdate may not be able to find the right zone and server. For these cases the exported file must be amended with the following options (at the beginning of the file):
server servername [port]
    where servername is the authoritative DNS server to which the records should be sent
zone zonename
    where zonename is the zone in which the FreeIPA records should be placed
Example:
[user@ipa ~]$ cat ipa-records.nsupdate
zone example.com.
server 192.0.2.222
; IPA DNS records
update delete _kerberos-master._tcp.example.com. SRV
update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
...
For more details, please see man nsupdate.
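The conversion from the --dry-run listing into the layout of the --out file, together with the zone/server amendment described in the notes above, as an added Python example. This is not FreeIPA's own code (FreeIPA writes the --out file itself); the sample input is a constructed subset of the records shown above, the accepted record types mirror the types that appear on this page, and the script name ipa2nsupdate.py is an assumption. It also validates A/AAAA addresses before they reach nsupdate, so a mistyped address is caught locally instead of being rejected by the server.

```python
"""Turn `ipa dns-update-system-records --dry-run` output into an nsupdate
script laid out like the --out file, with optional zone/server statements.
Added example, not FreeIPA code; record types and sample input mirror the page."""
import ipaddress
import re
import sys
from collections import OrderedDict
from typing import List, NamedTuple, Optional


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# Record types seen in the --dry-run output on the page. Extend this set if your
# FreeIPA version emits others; an unknown type is rejected rather than sent.
KNOWN_TYPES = {"A", "AAAA", "SRV", "TXT"}

# One record per line: <owner.> <ttl> IN <type> <rdata>
RECORD_RE = re.compile(
    r"^(?P<name>\S+\.)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S.*)$"
)

# Constructed sample: a subset of the dry-run listing shown above.
SAMPLE_DRY_RUN = """\
IPA DNS records:
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa.example.com.
ipa-ca.example.com. 86400 IN A 192.0.2.36
ipa-ca.example.com. 86400 IN AAAA 2001:db8:0:224e:21a:4aff:fe23:1523
"""


def parse_dry_run(text: str) -> List[Record]:
    """Parse the listing; raise ValueError on anything that is not a clean record."""
    records: List[Record] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "IPA DNS records:":
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a DNS record: {line!r}")
        rec = Record(m["name"], int(m["ttl"]), m["rtype"], m["rdata"].strip())
        if rec.rtype not in KNOWN_TYPES:
            raise ValueError(f"line {lineno}: unexpected record type {rec.rtype}")
        # Catch a mistyped address here instead of letting the server reject it.
        try:
            if rec.rtype == "A":
                ipaddress.IPv4Address(rec.rdata)
            elif rec.rtype == "AAAA":
                ipaddress.IPv6Address(rec.rdata)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {rec.rdata!r}: {exc}") from exc
        records.append(rec)
    return records


def to_nsupdate(records: List[Record], zone: Optional[str] = None,
                server: Optional[str] = None, port: Optional[int] = None) -> str:
    """Render an nsupdate script: optional zone/server lines first, then for each
    owner/type one 'update delete' followed by all its 'update add' lines, then send.

    nsupdate packs everything before 'send' into one UPDATE message and the
    server applies the update section in order (RFC 2136, section 3.4.2), so
    deleting each RRset exactly once before its adds replaces the RRset without
    wiping a record added earlier in the same message."""
    lines: List[str] = []
    if zone:
        lines.append(f"zone {zone}")
    if server:
        lines.append(f"server {server}" + (f" {port}" if port else ""))
    lines.append("; IPA DNS records")
    rrsets = OrderedDict()
    for rec in records:
        rrsets.setdefault((rec.name, rec.rtype), []).append(rec)
    for (name, rtype), rrset in rrsets.items():
        lines.append(f"update delete {name} {rtype}")
        for rec in rrset:
            lines.append(f"update add {rec.name} {rec.ttl} IN {rec.rtype} {rec.rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: ipa dns-update-system-records --dry-run | python3 ipa2nsupdate.py \
    #            [zone [server [port]]] > ipa-records.nsupdate
    args = sys.argv[1:]
    zone = args[0] if len(args) > 0 else None
    server = args[1] if len(args) > 1 else None
    port = int(args[2]) if len(args) > 2 else None
    sys.stdout.write(to_nsupdate(parse_dry_run(sys.stdin.read()), zone, server, port))
```

When several IPA servers exist, the listing contains several SRV records with the same owner name; grouping them under a single update delete is what keeps all of them in the zone after the update.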
Using nsupdate with TSIG
The TSIG mechanism allows the nsupdate utility to be used securely by means of a shared key. The DNS server must be configured for it, and both the server and the client must have the particular shared key to allow updates.
Server configuration examples:
Run nsupdate with the -k keyfile option:
[user@ipa ~]$ nsupdate -k tsig-key.keyfile ipa-records.nsupdate
or with the -y algorithm:keyname:secret option:
[user@ipa ~]$ nsupdate -y algorithm:keyname:secret ipa-records.nsupdate
More details about nsupdate with TSIG and how to generate keyfiles can be found here
Using nsupdate with GSS-TSIG
The GSS-TSIG mechanism uses GSS-API to obtain the secret TSIG key. Details of GSS-API are out of scope of this document; for simplicity we assume Kerberos V5 as the technology used for GSS-API ("kerberized" DNS servers are the most common case).
Examples of server configuration:
Run nsupdate with the option -g:
[user@ipa ~]$ kinit principal-allowed-to-update-records@REALM
[user@ipa ~]$ nsupdate -g ipa-records.nsupdate
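The key handling behind the TSIG and GSS-TSIG invocations above, as an added Python example that is neither from this page nor from FreeIPA or BIND. It generates a TSIG key statement in the named.conf format that nsupdate -k reads (tsig-keygen produces the same layout), stores it with mode 0600, renders an assumed BIND zone stanza whose update-policy grants that key update rights, and builds the nsupdate command line for the -k and -g cases so the secret never appears in argv the way the -y form puts it there. The key name ipa-update-key, the file names and the zone stanza are assumptions.

```python
"""TSIG key handling for nsupdate: generate a key statement in the named.conf
format that `nsupdate -k` reads (tsig-keygen emits the same layout), store it
with mode 0600, render the matching server-side update policy, and build the
nsupdate command line for the -k and -g cases so the secret never lands in argv.
Added example; key name, file names and zone stanza are assumptions."""
import base64
import os
import secrets
import stat
from typing import List, Optional

KEY_NAME = "ipa-update-key"      # hypothetical key name
ALGORITHM = "hmac-sha256"


def generate_secret(nbytes: int = 32) -> str:
    """Random base64-encoded TSIG secret; 32 bytes matches hmac-sha256's output size."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def key_statement(name: str, secret: str, algorithm: str = ALGORITHM) -> str:
    """Key statement as it appears in named.conf; the same text is the -k key file."""
    return (
        f'key "{name}" {{\n'
        f"\talgorithm {algorithm};\n"
        f'\tsecret "{secret}";\n'
        "};\n"
    )


def write_keyfile(path: str, name: str, secret: str, algorithm: str = ALGORITHM) -> int:
    """Write the key statement readable only by the owner; return the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_statement(name, secret, algorithm))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # tighten a pre-existing file too
    return stat.S_IMODE(os.stat(path).st_mode)


def server_zone_snippet(zone: str, key_name: str) -> str:
    """Assumed BIND zone stanza: only the holder of key_name may update names inside
    the zone (update-policy 'zonesub'); the key statement must also be in named.conf."""
    zone = zone.rstrip(".")
    return (
        f'zone "{zone}" {{\n'
        "\ttype master;\n"
        f'\tfile "{zone}.db";\n'
        f"\tupdate-policy {{ grant {key_name} zonesub ANY; }};\n"
        "};\n"
    )


def nsupdate_argv(script: str, keyfile: Optional[str] = None, gss: bool = False) -> List[str]:
    """nsupdate command line. TSIG goes through -k (a file) rather than -y, whose
    secret would be visible in process listings and shell history; GSS-TSIG (-g)
    takes the Kerberos credentials from the ticket cache obtained with kinit."""
    if keyfile and gss:
        raise ValueError("use either a TSIG key file or GSS-TSIG, not both")
    argv = ["nsupdate"]
    if gss:
        argv.append("-g")
    elif keyfile:
        argv += ["-k", keyfile]
    argv.append(script)
    return argv


if __name__ == "__main__":
    secret = generate_secret()
    write_keyfile("tsig-key.keyfile", KEY_NAME, secret)
    print("# add to named.conf on the server:")
    print(key_statement(KEY_NAME, secret) + server_zone_snippet("example.com.", KEY_NAME))
    print("# then on the client:",
          " ".join(nsupdate_argv("ipa-records.nsupdate", keyfile="tsig-key.keyfile")))
```

The same key statement text is installed on both sides: the server includes it in named.conf and references the key name in update-policy, the client passes the file to nsupdate -k. Restricting the grant to the zone (zonesub) rather than any name keeps a leaked update key from touching other zones served by the same server.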
Using nsupdate without authentication
Using nsupdate without authentication is discouraged. However, if you really need it, set up the DNS server to allow dynamic updates only from the particular IP address or IP range.
Server configuration examples:
Run nsupdate without options:
[user@ipa ~]$ nsupdate ipa-records.nsupdate