33.5. Managing Dynamic DNS Updates

33.5.1. Enabling Dynamic DNS Updates

Dynamic DNS updates are disabled by default for new DNS zones in IdM. With dynamic updates disabled, the ipa-client-install script cannot add a DNS record pointing to the new client.

Note

Enabling dynamic updates can potentially pose a security risk. However, if enabling dynamic updates is acceptable in your environment, you can do it to make client installations easier.
Enabling dynamic updates requires the following:
  • The DNS zone must be configured to allow dynamic updates
  • The local clients must be configured to send dynamic updates

33.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates

Enabling Dynamic DNS Updates in the Web UI

  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 33.16. DNS Zone Management

  2. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a Master Zone

    Figure 33.17. Editing a Master Zone

  3. Click Settings to switch to the DNS zone settings tab.
    The Settings Tab in the Master Zone Edit Page

    Figure 33.18. The Settings Tab in the Master Zone Edit Page

  4. Scroll down to the Dynamic update field, and set the value to True.
    Enabling Dynamic DNS Updates

    Figure 33.19. Enabling Dynamic DNS Updates

  5. Click Save at the top of the page to confirm the new configuration.

Enabling Dynamic DNS Updates from the Command Line

To allow dynamic updates to the DNS zones from the command line, use the ipa dnszone-mod command with the --dynamic-update=TRUE option. For example: 
[user@server ~]$ ipa dnszone-mod server.example.com --dynamic-update=TRUE

33.5.1.2. Configuring the Clients to Send Dynamic Updates

Clients are automatically set up to send DNS updates when they are enrolled in the domain, by using the --enable-dns-updates option with the ipa-client-install script. 
[root@client ~]# ipa-client-install --enable-dns-updates
The DNS zone has a time to live (TTL) value set for records within its SOA configuration. However, the TTL for the dynamic updates is managed on the local system by the System Security Service Daemon (SSSD). To change the TTL value for the dynamic updates, edit the SSSD file to set a value; the default is 1200 seconds.
  1. Open the SSSD configuration file. 
    [root@server ~]# vim /etc/sssd/sssd.conf
  2. Find the domain section for the IdM domain. 
    [domain/ipa.example.com]
  3. If dynamic updates have not been enabled for the client, then set the dyndns_update value to true. 
    dyndns_updates = true
  4. Add or edit the dyndns_ttl parameter to set the value, in seconds. 
    dyndns_ttl = 2400

33.5.2. Synchronizing A/AAAA and PTR Records

A and AAAA records are configured separately from PTR records in reverse zones. Because these records are configured independently, it is possible for A/AAAA records to exist without corresponding PTR records, and vice versa.
There are some DNS setting requirements for PTR synchronization to work:
  • Both forward and reverse zones must be managed by the IdM server.
  • Both zones must have dynamic updates enabled.
    Enabling dynamic updates is covered in Section 33.5.1, “Enabling Dynamic DNS Updates”.
  • PTR synchronization must be enabled for the master forward zone, not for the reverse zone.
  • The PTR record will be updated only if the name of the requesting client matches the name in the PTR record.

Important

Changes made through the IdM web UI, through the IdM command-line tools, or by editing the LDAP entry directly do not update the PTR record. Only changes made by the DNS service itself trigger PTR record synchronization.

Warning

A client system can update its own IP address. This means that a compromised client can be used to overwrite PTR records by changing its IP address.

Configuring PTR Record Synchronization in the Web UI

Note that PTR record synchronization must be configured on the zone where A or AAAA records are stored, not on the reverse DNS zone where PTR records are located.
  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 33.20. DNS Zone Management

  2. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a DNS Zone

    Figure 33.21. Editing a DNS Zone

  3. Click Settings to switch to the DNS zone settings tab.
    The Settings Tab in the Master Zone Edit Page

    Figure 33.22. The Settings Tab in the Master Zone Edit Page

  4. Select the Allow PTR sync check box.
    Enabling PTR Synchronization

    Figure 33.23. Enabling PTR Synchronization

  5. Click Save at the top of the page to confirm the new configuration.

Configuring PTR Record Synchronization from the Command Line

Note that PTR record synchronization must be configured on the zone where A or AAAA records are stored, not on the reverse DNS zone where PTR records are located.
To configure a DNS zone to allow its forward and reverse entries to be synchronized automatically, set the --allow-sync-ptr option to 1 when the zone is created or when it is edited. For example, using the ipa dnszone-mod command when editing an existing zone: 
[user@server ~]$ ipa dnszone-mod --allow-sync-ptr=1 zone.example.com
The default --allow-sync-ptr value is 0, which disables synchronization.

33.5.3. Updating DNS Dynamic Update Policies

DNS domains maintained by IdM servers can accept a DNS dynamic update according to RFC 3007[4].
The rules that determine which records can be modified by a specific client follow the same syntax as the update-policy statement in the /etc/named.conf file. For more information on dynamic update policies, see the BIND 9 documentation.
Note that if dynamic DNS updates are disabled for the DNS zone, all DNS updates are declined without reflecting the dynamic update policy statement. For information on enabling dynamic DNS updates, see Section 33.5.1, “Enabling Dynamic DNS Updates”.

Updating DNS Update Policies in the Web UI

  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 33.24. DNS Zone Management

  2. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a DNS Zone

    Figure 33.25. Editing a DNS Zone

  3. Click Settings to switch to the DNS zone settings tab.
    The Settings Tab in the Master Zone Edit Page

    Figure 33.26. The Settings Tab in the Master Zone Edit Page

  4. Set the required update policies in a semi-colon separated list in the BIND update policy text box.
    DNS Update Policy Settings

    Figure 33.27. DNS Update Policy Settings

  5. Click Save at the top of the DNS zone page to confirm the new configuration.

Updating DNS Update Policies from the Command Line

To set the DNS update policy from the command line, use the --update-policy option and add the access control rule in a statement after the option. For example: 
$ ipa dnszone-mod zone.example.com --update-policy "grant EXAMPLE.COM  krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM  krb5-self * SSHFP;"

[4] For the full text of RFC 3007, see http://tools.ietf.org/html/rfc3007