If the DNS service is configured within the domain, IdM offers the administrator a significant amount of flexibility and control over DNS settings. For example, DNS entries for the domain, such as host entries, locations, or records, can be managed using native IdM tools, and clients can update their own DNS records dynamically.
Most documentation material and tutorials available for BIND version 9.9 are also applicable to IdM DNS, because the majority of configuration options work in the same way in BIND and IdM. This chapter mostly focuses on the notable differences between BIND and IdM.
33.1. BIND in Identity Management
IdM integrates the BIND DNS server version 9.9 with an LDAP database used for data replication and with Kerberos for DNS update signing using the GSS-TSIG protocol. This enables convenient DNS management using IdM tools and at the same time increases resiliency, because IdM-integrated DNS servers support multi-master operation: every IdM-integrated DNS server can accept DNS updates from clients, so there is no single point of failure.
The default IdM DNS configuration is suitable for internal networks that are not accessible from the public Internet. If the IdM DNS server is accessible from the public Internet, Red Hat recommends applying the usual hardening applicable to the BIND service, described in the Red Hat Enterprise Linux Networking Guide.
It is not possible to run BIND integrated with IdM inside a
The BIND (Berkeley Internet Name Domain) implementation of the DNS (Domain Name System) protocols in Red Hat Enterprise Linux includes the named DNS server. named-pkcs11 is a version of the BIND DNS server built with native support for the PKCS#11 cryptographic standard.
BIND integrated with IdM communicates with the Directory Server using the bind-dyndb-ldap plug-in. IdM creates a dynamic-db configuration section in the /etc/named.conf file for the BIND service, which configures the bind-dyndb-ldap plug-in for the BIND
The most notable difference between standard BIND and IdM DNS is that IdM stores all DNS information as LDAP entries. Every domain name is represented as an LDAP entry, and every resource record is stored as an LDAP attribute of that entry. For example, the following client1.example.com. domain name contains three A records and one AAAA record:
To edit DNS data or BIND configuration, always use the IdM tools described in this chapter.
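To make the LDAP representation described above concrete, here is an added example that is not part of the original guide and not IdM or bind-dyndb-ldap code. It parses a constructed LDIF fragment shaped like an IdM DNS entry (one entry for a domain name, one attribute value per resource record) and maps the attributes back to DNS records, validating each address on the way. The attribute names idnsName, aRecord and aAAARecord are the ones the bind-dyndb-ldap schema uses; the DN suffix, the host name and the addresses are constructed sample values taken from documentation-only ranges.

```python
"""Map a constructed IdM-style DNS LDAP entry back to DNS resource records.

The LDIF below is constructed sample data written for this example; it is
not copied from the IdM guide or from a real directory. It follows the
representation the text describes: the domain name client1.example.com. is
one LDAP entry, and each A/AAAA record is one attribute value on that entry.
"""
import ipaddress
from collections import defaultdict

# Constructed sample entry (not from the original guide). Three A records
# and one AAAA record, as in the description above.
SAMPLE_LDIF = """\
dn: idnsName=client1,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: top
objectClass: idnsRecord
idnsName: client1
aRecord: 192.0.2.1
aRecord: 192.0.2.2
aRecord: 192.0.2.3
aAAARecord: 2001:db8::abcd
"""

# LDAP attribute (lower-cased) -> (DNS record type, address validator).
# The validator raises ValueError on a malformed address, so a corrupted
# attribute value is caught instead of being silently turned into a record.
RECORD_ATTRS = {
    "arecord": ("A", ipaddress.IPv4Address),
    "aaaarecord": ("AAAA", ipaddress.IPv6Address),
}


def parse_ldif_entry(text):
    """Return (dn, {attribute_lower: [values]}) for one LDIF entry.

    LDIF folds long lines by starting the continuation with a single space;
    those continuations are joined back onto the previous line first.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    dn = None
    attrs = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, dict(attrs)


def owner_from_dn(dn):
    """Build the owner name from the idnsName RDNs of the DN.

    The RDN values in this example contain no escaped commas, so a plain
    split on ',' is sufficient here.
    """
    rdns = [part.split("=", 1) for part in dn.split(",")]
    labels = [value for key, value in rdns if key.strip().lower() == "idnsname"]
    return ".".join(labels)


def entry_to_records(dn, attrs):
    """Return a list of (owner, type, value) tuples for the record attributes.

    Attributes that are not DNS records (objectClass, idnsName, ...) are
    skipped; every address is validated before it becomes a record.
    """
    owner = owner_from_dn(dn)
    records = []
    for attr, values in attrs.items():
        if attr not in RECORD_ATTRS:
            continue
        rtype, validator = RECORD_ATTRS[attr]
        for value in values:
            validator(value)  # raises ValueError for a malformed address
            records.append((owner, rtype, value))
    return records


def record_counts(records):
    """Count records per type, e.g. {"A": 3, "AAAA": 1}."""
    counts = defaultdict(int)
    for _, rtype, _ in records:
        counts[rtype] += 1
    return dict(counts)


if __name__ == "__main__":
    entry_dn, entry_attrs = parse_ldif_entry(SAMPLE_LDIF)
    for owner, rtype, value in entry_to_records(entry_dn, entry_attrs):
        print(f"{owner} IN {rtype} {value}")
```

The same mapping is what the IdM tools and the bind-dyndb-ldap plug-in perform in the other direction: a change to a resource record is a change to one attribute value on the entry for that name, which is why editing those entries directly, rather than through the IdM tools, risks producing values BIND cannot serve.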