We are reconfiguring our DNS to move away from a much older version of Bind on some RHEL 5 servers to Bind 9+ on RHEL 7.4. Currently our setup has two external slaves that do zone transfers from the internal masters allowing public facing servers to be known on the internet. Our new setup will have two RHEL 7.4 servers running Bind 9+ acting as the external slaves, but they will need to transfer zones from our IPA servers that are acting as the internal DNS masters.
I have searched the internet for some guidance on how to configure this, or for an example of what the new config will look like. IPA uses Bind, but it keeps the zones in a completely different set of directories and they are structured very differently from a normal DNS server.
Has anyone set this up before and if so, do you have a sample config that I could look at to gain a better understanding of what is needed here?
Randy
Randy Morgan via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> [BIND as slave on IPA DNS masters]
> Has anyone set this up before and if so, do you have a sample config that I could look at to gain a better understanding of what is needed here?
I'm running a pair of IPA servers with a single DNS slave. There's one catch: you must select one IPA master where you get your zone from. Each IPA master has its own SOA record in the zone - otherwise you would get errors due to lower SOA...
On the IPA side you must allow transfer for each needed zone: ipa dnszone-mod <dnszone> --allow-transfer=<ip-of-slave>
The secondary is just a regular slave:
,----
| masters ipa { 192.168.x.y; };
|
| zone "example.org." IN {
|   type slave;
|   file "slave/example.org";
|   masters { ipa; };
| };
`----
Jochen
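An added check script for the setup Jochen describes (not from the thread and not part of IPA or BIND): run it on the slave after setting the transfer ACL, and it reports, per IPA master, whether AXFR is admitted and whether the slave's SOA serial matches. It assumes dig (bind-utils) is installed; the function names and the sample values in comments are placeholders of mine.

```shell
#!/bin/sh
# Verify a BIND slave against its IPA masters: (a) does each master's
# allow-transfer ACL admit this host, (b) which master is the slave in sync with.
# IPA masters keep independent SOA serials, so only the chosen one should match.

# Extract the serial from one line of `dig +short SOA` output
# (fields: mname rname serial refresh retry expire minimum).
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Classify a `dig AXFR` result: "ok" when a SOA record came back,
# "refused" when the master's allow-transfer ACL rejected us.
axfr_status() {
    if printf '%s\n' "$1" | grep -q 'Transfer failed'; then
        echo refused
    elif printf '%s\n' "$1" | grep -q '[[:space:]]SOA[[:space:]]'; then
        echo ok
    else
        echo unknown
    fi
}

# Compare a master's serial ($1) with the slave's ($2).
serial_state() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo in-sync
    elif [ "$1" -gt "$2" ]; then echo slave-behind
    else echo slave-ahead   # master serial lower: the caveat from the thread
    fi
}

# usage: main ZONE SLAVE_IP MASTER_IP...   (e.g. example.org 192.0.2.10 192.0.2.1 192.0.2.2)
main() {
    zone=$1; slave=$2; shift 2
    slave_serial=$(soa_serial "$(dig +short @"$slave" "$zone" SOA)")
    echo "slave $slave serial=$slave_serial"
    for master in "$@"; do
        m_serial=$(soa_serial "$(dig +short @"$master" "$zone" SOA)")
        axfr=$(axfr_status "$(dig @"$master" "$zone" AXFR)")
        echo "master $master serial=$m_serial axfr=$axfr $(serial_state "$m_serial" "$slave_serial")"
    done
}

# Only run the live queries when zone, slave and at least one master are given.
if [ $# -ge 3 ]; then main "$@"; fi
```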
Jochen Hein via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Randy Morgan via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
>> [BIND as slave on IPA DNS masters]
>> Has anyone set this up before and if so, do you have a sample config that I could look at to gain a better understanding of what is needed here?
> I'm running a pair of IPA servers with a single DNS slave. There's one catch: you must select one IPA master where you get your zone from. Each IPA master has its own SOA record in the zone - otherwise you would get errors due to lower SOA...
You'll miss another thing as well: your clients using the BIND slave can't update their DNS records dynamically. You could probably run bind-dyndb-ldap on your slave and replicate with LDAP or access IPA's LDAP. But then it seems easier to just run a replica...
Jochen