Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

33.10. Updating DNS Records Systematically When Using External DNS

When using external DNS, Identity Management does not update the DNS records automatically after a change in the topology. The following procedures explain how you can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.
For procedures and examples, see:

33.10.1. Updating External DNS in Identity Management

Updating DNS records removes old or invalid DNS records and adds new records.
You must update DNS records after a change in your topology, for example:
  • After installing or uninstalling a replica
  • After installing a CA, DNS, KRA, or Active Directory trust on an Identity Management server

33.10.2. GUI: Updating External DNS Records

  1. Display the records that you must update. Use the ipa dns-update-system-records --dry-run command.
    $ ipa dns-update-system-records --dry-run
     IPA DNS records:
       _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
       _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
    [... output truncated ...]
  2. Use the external DNS GUI to update the records.

33.10.3. Command Line: Updating External DNS Records Using nsupdate

Generating a File with the DNS Records for nsupdate

  1. Use the ipa dns-update-system-records --dry-run command with the --out option. The option specifies the path of the file to generate:
    $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
     IPA DNS records:
       _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
       _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
    [... output truncated ...]
    The generated file contains the required DNS records in the format accepted by the nsupdate utility.
  2. The generated records rely on:
    • Automatic detection of the zone in which the records are to be updated
    • Automatic detection of the zone's authoritative server
    If you are using an atypical DNS setup or if zone delegations are missing, nsupdate might not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:
    • server specifies the server name or port of the authoritative DNS server to which nsupdate sends the records
    • zone specifies the zone name of the zone where nsupdate places the records
    Example:
    $ cat dns_records_file.nsupdate
    zone example.com.
    server 192.0.2.1
    ; IPA DNS records
    update delete _kerberos-master._tcp.example.com. SRV
    update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
    [... output truncated ...]

Submitting the Dynamic DNS Update Request to the Name Server

When sending a request using nsupdate, make sure you properly secure it. You can secure the request using these mechanisms:
Transaction Signature (TSIG) protocol
TSIG enables you to use nsupdate with a shared key. See Procedure 33.1, “Sending an nsupdate Request Secured Using TSIG”.
GSS algorithm for TSIG (GSS-TSIG)
GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol. See Procedure 33.2, “Sending an nsupdate Request Secured Using GSS-TSIG”

Procedure 33.1. Sending an nsupdate Request Secured Using TSIG

  1. Make sure you meet these prerequisites:
    • Your DNS server must be configured for TSIG. See these server configuration examples: BIND, PowerDNS
    • Both the DNS server and its client must have the shared key.
  2. Run nsupdate, and provide the shared secret using one of these options:
    • -k to provide the TSIG authentication key:
      $ nsupdate -k tsig_key.file dns_records_file.nsupdate
    • -y to generate a signature from the name of the key and from the Base64-encoded shared secret:
      $ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate

Procedure 33.2. Sending an nsupdate Request Secured Using GSS-TSIG

  1. Make sure you meet these prerequisites:
    • Your DNS server must be configured for GSS-TSIG. See these server configuration examples: BIND, PowerDNS, Windows DNS.

    Note

    This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API.
  2. To submit the DNS update request, authenticate with a principal allowed to update the records, and run nsupdate with the -g option to enable the GSS-TSIG mode:
    $ kinit principal_allowed_to_update_records@REALM
    $ nsupdate -g dns_records_file.nsupdate

Additional Resources

  • the nsupdate(8) man page
  • RFC 2845 describes the TSIG protocol
  • RFC 3645 describes the GSS-TSIG algorithm