3.5. Example: Configuring DNS Services within the IdM Domain

IdM can be configured to manage its own DNS or use an existing DNS (which is the default). Running the setup script alone does not configure DNS; this requires the --setup-dns option.

WARNING

DNS records are vital for nearly all IdM domain functions, including running LDAP directory services, Kerberos, and Active Directory integration.
Be extremely cautious and ensure that you have a tested and functional DNS service available if the IdM domain will not use an IdM-hosted DNS server. It is critical that you have properly configured A and PTR records.
As with a basic setup, the DNS setup can either prompt for the required information or the DNS information can be passed with the script to allow an automatic or unattended setup process.

3.5.1. DNS Notes

  • Wildcards cannot be used when configuring DNS names. Only explicit DNS domain names are supported.
  • The rndc service is not configured by the --setup-dns option. This service must be configured manually after the IdM server is configured.

3.5.2. Installing with an Integrated DNS

Example 3.4. Interactive DNS Setup

  1. Run the ipa-server-install script, using the --setup-dns option.
    [root@server ~]# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --setup-dns
  2. The script configures the hostname and domain name as normal.
  3. The script then prompts for DNS forwarders. If forwarders will be used, enter yes, and then supply the list of DNS servers. If IdM will manage its own DNS service, then enter no.
    Do you want to configure DNS forwarders? [yes]: no
    No DNS forwarders configured
  4. The script sets up the NTP, Directory Server, Certificate System, Kerberos, and Apache services.
  5. Before completing the configuration, the script prompts to ask whether it should configure reverse DNS services. If you select yes, then it configures the named service.
    Do you want to configure the reverse zone? [yes]: yes
    Configuring DNS (named) 
    [1/11]: adding DNS container 
    [2/11]: setting up our zone 
    [3/11]: setting up reverse zone 
    [4/11]: setting up our own record 
    [5/11]: setting up records for other masters 
    [6/11]: setting up CA record 
    [7/11]: setting up kerberos principal 
    [8/11]: setting up named.conf 
    [9/11]: restarting named 
    [10/11]: configuring named to start on boot 
    [11/11]: changing resolv.conf to point to ourselves 
    Done configuring DNS (named). 
    ==============================================================================
    Setup complete
  6. The ipa-dns-install command (which is run with the install script when the --setup-dns option is used) does not automatically configure the system's rndc service. This must be configured manually, after DNS is configured for IdM.
    1. Create the rndc configuration file and key.
      [root@server ~]# /usr/sbin/rndc-confgen -a
      [root@server ~]# /sbin/restorecon /etc/rndc.key
      This may require some user input to create entropy while the key is being created.
    2. Change the owner and permissions of the rndc key file.
      [root@server ~]# chown root:named /etc/rndc.key
      [root@server ~]# chmod 0640 /etc/rndc.key
  7. Verify that everything is working as expected, as in Section 3.3.1, “Basic Interactive Installation”.
If DNS is used with IdM, then two pieces of information are required: any DNS forwarders that will be used and whether to use reverse DNS. To perform a non-interactive setup, this information can be passed using the --forwarder or --no-forwarders option and --no-reverse option.

Example 3.5. Setting up DNS Non-Interactively

To set up a DNS server and domain for the IdM server, use the --setup-dns option. To configure additional forwarders, use the --forwarder option; for multiple forwarders, use multiple invocations of --forwarder.
[root@server ~]# ipa-server-install ... --setup-dns --forwarder=1.2.3.0 --forwarder=1.2.255.0
Some kind of forwarder information is required. If no external forwarders will be used with the IdM DNS service, then use the --no-forwarders option to indicate that only root servers will be used.
The script always assumes that reverse DNS is configured along with DNS, so it is not necessary to use any options to enable reverse DNS. To disable reverse DNS, use the --no-reverse option; if a reverse DNS zone is already configured, then using the --no-reverse option means that existing reverse DNS zone is used.
[root@server ~]# ipa-server-install ... --setup-dns --no-reverse
The ipa-dns-install command (which is run with the install script when the --setup-dns option is used) does not automatically configure the system's rndc service. This must be configured manually, after DNS is configured for IdM.
  1. Create the rndc configuration file and key.
    [root@server ~]# /usr/sbin/rndc-confgen -a
    [root@server ~]# /sbin/restorecon /etc/rndc.key
    This may require some user input to create entropy while the key is being created.
  2. Change the owner and permissions of the rndc key file.
    [root@server ~]# chown root:named /etc/rndc.key
    [root@server ~]# chmod 0640 /etc/rndc.key