Show Table of Contents
33.10.3. Command Line: Updating External DNS Records Using
Generating a File with the DNS Records for
33.10. Updating DNS Records Systematically When Using External DNS
When using external DNS, Identity Management does not update the DNS records automatically after a change in the topology. The following procedures explain how you can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.
For a basic overview, see Section 33.10.1, “Updating External DNS in Identity Management”.
For procedures and examples, see:
- Section 33.10.2, “GUI: Updating External DNS Records” if you use a GUI to manage the external DNS records
- Section 33.10.3, “Command Line: Updating External DNS Records Using
nsupdate” if you use thensupdateutility to manage the external DNS records
33.10.1. Updating External DNS in Identity Management
Updating DNS records removes old or invalid DNS records and adds new records.
You must update DNS records after a change in your topology, for example:
- After installing or uninstalling a replica
- After installing a CA, DNS, KRA, or Active Directory trust on an Identity Management server
33.10.2. GUI: Updating External DNS Records
- Display the records that you must update. Use the
ipa dns-update-system-records --dry-runcommand.$
ipa dns-update-system-records --dry-runIPA DNS records: _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...] - Use the external DNS GUI to update the records.
33.10.3. Command Line: Updating External DNS Records Using nsupdate
Generating a File with the DNS Records for nsupdate
- Use the
ipa dns-update-system-records --dry-runcommand with the--outoption. The option specifies the path of the file to generate:$
ipa dns-update-system-records --dry-run --out dns_records_file.nsupdateIPA DNS records: _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]The generated file contains the required DNS records in the format accepted by thensupdateutility. - The generated records rely on:
- Automatic detection of the zone in which the records are to be updated
- Automatic detection of the zone's authoritative server
If you are using an atypical DNS setup or if zone delegations are missing,nsupdatemight not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:serverspecifies the server name or port of the authoritative DNS server to whichnsupdatesends the recordszonespecifies the zone name of the zone wherensupdateplaces the records
Example:$
cat dns_records_file.nsupdatezone example.com. server 192.0.2.1 ; IPA DNS records update delete _kerberos-master._tcp.example.com. SRV update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]
Submitting the Dynamic DNS Update Request to the Name Server
When sending a request using
nsupdate, make sure you properly secure it. You can secure the request using these mechanisms:
- Transaction Signature (TSIG) protocol
- TSIG enables you to use
nsupdatewith a shared key. See Procedure 33.1, “Sending annsupdateRequest Secured Using TSIG”. - GSS algorithm for TSIG (GSS-TSIG)
- GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol. See Procedure 33.2, “Sending an
nsupdateRequest Secured Using GSS-TSIG”
Procedure 33.1. Sending an nsupdate Request Secured Using TSIG
- Make sure you meet these prerequisites:
- Run
nsupdate, and provide the shared secret using one of these options:-kto provide the TSIG authentication key:$
nsupdate -k tsig_key.file dns_records_file.nsupdate-yto generate a signature from the name of the key and from the Base64-encoded shared secret:$
nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate
Procedure 33.2. Sending an nsupdate Request Secured Using GSS-TSIG
- Make sure you meet these prerequisites:
- Your DNS server must be configured for GSS-TSIG. See these server configuration examples: BIND, PowerDNS, Windows DNS.
Note
This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API. - To submit the DNS update request, authenticate with a principal allowed to update the records, and run
nsupdatewith the-goption to enable the GSS-TSIG mode:$
kinit principal_allowed_to_update_records@REALM$nsupdate -g dns_records_file.nsupdate
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.