On Wed, 14 May 2025, Gareth Blades wrote:
Thanks that makes it much clearer.

Our xyz.net domain makes use of dynamically generated content so I
won't be able to use that. However I can use a subdomain such as
ipa.xyz.net in which case the realm would be IPA.XYZ.NET.

Correct.

I could either set up ipa.xyz.net with DNS views in each location or I
could delegate this domain to the local IPA servers in that location.
Any particular reason why I should do it a particular way?

If you delegate it to IPA DNS, then you'd be using the native IPA locations
feature.

I would lean towards doing the DNS side of things all on our own DNS servers
as it is something I am comfortable doing. Letting the IPA servers
handle the DNS might be a little more tricky, being unfamiliar with
how to manage DNS there. It's probably easy for someone new to DNS, but
for me probably the more difficult of the two options.

It is really up to you. What we found is that many users find IPA
DNS management via the IPA web UI handy, so they keep using IPA DNS for
that reason. Also, DNS updates with GSS-TSIG are set up automatically.



Thanks for your help. Much appreciated.


Gareth Blades
System Administrator
-----Original Message-----
From: Alexander Bokovoy <[email protected]>
Sent: 14 May 2025 08:08
To: Gareth Blades <[email protected]>
Cc: FreeIPA users list <[email protected]>
Subject: Re: [Freeipa-users] Multi location DNS configuration


On Tue, 13 May 2025, Gareth Blades wrote:
Yes the realm is XYZ.NET

I thought Kerberos realms should always be specified in uppercase?

Kerberos realms are case-sensitive. DNS domain names aren't. Anyway, my point
was that FreeIPA relies on the fact that you own a primary DNS domain equal to
your Kerberos realm and that this DNS domain contains the DNS records specific
to the IPA realm.


If I set up something like this as suggested :-
   _kerberos.redstation.xyz. 86400 IN TXT "XYZ.NET"
Then how would this result in different servers being returned for
machines in 'redstation' as opposed to every other location? Wouldn't
Kerberos look up the realm XYZ.NET and find some generic list of servers
and not just those in the location it is in?

You would need to make sure the xyz.net DNS domain information is specific to your
client location.
https://www.freeipa.org/page/Howto/IPA_locations#example-with-non-freeipa-dns-servers
shows how to do that with Infoblox, for example.

It is pretty much by making sure that:

- each location has the primary DNS domain view
- each DNS domain view has both _udp and _tcp subdomains
- each SRV record defined for that location is defined in those domains

E.g. if the redstation location has an IPA server named 'ipa-redstation', `ipa
dns-update-system-records --dry-run` would produce IPA location records
like this:

    _kerberos-master._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos-master._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos.redstation._locations.xyz.net. 3600 IN TXT "XYZ.NET"
    _kerberos.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kerberos.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _kpasswd._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kpasswd.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _ldap._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.

Then the DNS view of the xyz.net domain for the redstation location will need to
contain these records:

    _kerberos-master._tcp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos-master._udp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._tcp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._udp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos.xyz.net. 3600 IN TXT "XYZ.NET"
    _kerberos.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kerberos.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _kpasswd._tcp.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd._udp.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kpasswd.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _ldap._tcp.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.

E.g. after s/\.redstation\._locations//g, the resulting zone data is what you need to
have in the DNS view for the redstation location.

This assumes your IPA server ipa-redstation is present in the xyz.net DNS
domain (so A/AAAA records are there as well). If they are defined in
subdomains, don't forget to make sure the xyz.net DNS view for that particular
location also includes A/AAAA/NS records pointing to the correct servers and
subdomains so that clients can find it.

The integrated DNS server in IPA has no support for DNS views, so it uses
automatic generation of CNAME records using per-server location information
and templates stored in IPA LDAP.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
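As an added example (not code from the thread or from FreeIPA), the rewrite Alexander describes above, from the `_locations` dry-run records to the owner names a location's DNS view must serve, together with a check that each SRV/TXT record the view needs is actually present. The dry-run lines are constructed in the thread's format and deliberately left incomplete so the check reports something.

```python
import re

# Constructed sample in the format `ipa dns-update-system-records --dry-run`
# prints for a server in the "redstation" location (format from the thread);
# it is deliberately incomplete so the check below has something to report.
SAMPLE_DRY_RUN = """\
_kerberos-master._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
_kerberos._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
_kerberos.redstation._locations.xyz.net. 3600 IN TXT "XYZ.NET"
_kerberos.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
_kpasswd._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
_ldap._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.
"""

# Owner prefixes (relative to the domain) and RR types every location view needs.
REQUIRED = [
    ("_kerberos", "TXT"),
    ("_kerberos._tcp", "SRV"), ("_kerberos._udp", "SRV"),
    ("_kerberos-master._tcp", "SRV"), ("_kerberos-master._udp", "SRV"),
    ("_kpasswd._tcp", "SRV"), ("_kpasswd._udp", "SRV"),
    ("_ldap._tcp", "SRV"),
]


def location_view_records(dry_run_output: str, location: str) -> list[str]:
    """Drop '.<location>._locations' from each owner name (the thread's sed
    substitution), touching only the owner field, never the RDATA."""
    marker = re.compile(r"\." + re.escape(location) + r"\._locations\.")
    records = []
    for line in dry_run_output.splitlines():
        if not line.strip():
            continue
        owner, rest = line.split(None, 1)
        if not marker.search(owner):
            raise ValueError(f"not a '{location}' location record: {owner}")
        records.append(marker.sub(".", owner, count=1) + " " + rest)
    return records


def missing_records(view_records: list[str], domain: str) -> list[str]:
    """List 'owner TYPE' pairs from REQUIRED that the view data does not carry."""
    present = {(r.split()[0], r.split()[3]) for r in view_records}  # (owner, RRTYPE)
    return [f"{p}.{domain}. {t}" for p, t in REQUIRED
            if (f"{p}.{domain}.", t) not in present]
```

Run `missing_records(location_view_records(SAMPLE_DRY_RUN, "redstation"), "xyz.net")` against the real dry-run output of each location to confirm the view is complete before clients start relying on it.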
