Greetings all, I'm running the following FreeIPA:
Installed Packages
freeipa-client.x86_64          4.9.10-4.fc36  @updates
freeipa-client-common.noarch   4.9.10-4.fc36  @updates
freeipa-common.noarch          4.9.10-4.fc36  @updates
freeipa-healthcheck.noarch     0.11-2.fc36    @updates
freeipa-healthcheck-core.noarch 0.11-2.fc36   @updates
freeipa-selinux.noarch         4.9.10-4.fc36  @updates
freeipa-server.x86_64          4.9.10-4.fc36  @updates
freeipa-server-common.noarch   4.9.10-4.fc36  @updates
freeipa-server-dns.noarch      4.9.10-4.fc36  @updates
libipa_hbac.x86_64             2.7.4-1.fc36   @updates
python3-ipaclient.noarch       4.9.10-4.fc36  @updates
python3-ipalib.noarch          4.9.10-4.fc36  @updates
python3-ipaserver.noarch       4.9.10-4.fc36  @updates
python3-libipa_hbac.x86_64     2.7.4-1.fc36   @updates
sssd-ipa.x86_64                2.7.4-1.fc36   @updates

On the following Fedora revision: 5.19.12-200.fc36.x86_64

My other internal DNS server is 9.16.33-1.fc36 running on the same OS revision. Both my FreeIPA subdomain and the subdomain served by the other Bind 9 instance are serving subdomains of my issued domain name but are hidden. My public DNS (also Bind9, but on Debian) is in my DMZ and accessible via local LAN links to all FreeIPA clients. My publicly accessible hosts are not FreeIPA clients and don't look up internal PTR records or need any integration with FreeIPA. If something really requires the DS records for the subdomains to be available, I could create a view on the public server that serves that data, including the subdomain authority delegation. I'd rather not take this step unless it's really a necessity.
I don't have any FreeIPA secondary servers at present since I can't see a point in having 2 copies of the same server running as VMs on the same host machine. As I lack another machine with sufficient power to run FreeIPA server, I just backup regularly. Therefore, the packages that manage a fleet of servers are unnecessary overhead, since I have just 1.
ipa dnszone-show returns the following as the first line of output, followed by the other settings looking as expected:
ipa: WARNING: No DNSSEC key master is installed. DNSSEC zone signing will not work until the DNSSEC key master is installed.
I have created ZSK and KSK keys for the ipa subdomain. I'm wondering if there's an easier way to import them than manually creating the DNSKEY 256 and 257 records. I've searched, fruitlessly, for the information in the doc and can only find passing references to DNSSEC, with no key import instructions.
I do still need to create and sign the IPv4 class B levels of the in-addr.arpa addresses to provide the DS records for the PTR validation on my FreeIPA master. That, however, is secondary to getting my keys into FreeIPA in the first place. I suppose I could have my other private server inline sign them and do all lookups there, rather than on the FreeIPA DNS instance, but I'd rather not alter the default FreeIPA client setup if I don't have to.
Thanks in advance, Eric
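The post above talks about DNSKEY 256/257 records and the DS records a parent zone needs for a signed subdomain delegation. The following is an added example, not code from the original message or from FreeIPA, showing how those pieces relate: the flags field decides ZSK (256) versus KSK (257), the key tag is computed over the DNSKEY RDATA (RFC 4034 appendix B), and the DS digest is SHA-256 over the canonical owner name plus that RDATA (RFC 4034 section 5.1.4). The owner name and key bytes used in the usage at the bottom are constructed, not a real key.

```python
import base64
import hashlib
import struct

# Flag bits from RFC 4034 section 2.1: 256 = zone key (ZSK), 257 = zone key + SEP (KSK)
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001


def key_role(flags):
    """Map the DNSKEY flags field to the role the 256/257 records express."""
    if not flags & FLAG_ZONE_KEY:
        return "not-a-zone-key"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def dnskey_rdata(flags, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (algorithm 1 keys are a special case, not handled here)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name, as hashed for the DS digest."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, algorithm, public_key):
    """Return (key_tag, digest_type, digest_hex): the DS RDATA the parent zone publishes."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), 2, digest  # digest type 2 = SHA-256


def dnskey_to_ds(owner, presentation):
    """Parse 'flags protocol algorithm base64key' as printed by dig and compute its DS."""
    flags, _proto, alg, b64 = presentation.split(None, 3)
    return ds_record(owner, int(flags), int(alg), base64.b64decode("".join(b64.split())))


if __name__ == "__main__":
    # Constructed KSK record (algorithm 13, two-byte dummy key) for a hypothetical owner name
    print(dnskey_to_ds("ipa.example.test.", "257 3 13 AAE="))
```

Comparing the digest this produces against what the parent zone actually serves is a quick way to confirm a delegation points at the key you think it does.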
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
