Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 33. Managing DNS

An Identity Management server can be installed without integrated DNS services so that it uses an external DNS service or with DNS configured. See Section 2.3, “Installing an IdM Server: Introduction” and Section 2.3.1, “Determining Whether to Use Integrated DNS” for details.
If the DNS service is configured within the domain, IdM offers the administrator a significant amount of flexibility and control over DNS settings. For example, DNS entries for the domain, such as host entries, locations, or records, can be managed using native IdM tools, and clients can update their own DNS records dynamically.
Most documentation material and tutorials available for BIND version 9.9 are also applicable to IdM DNS, because majority of configuration options work in the same way in BIND and IdM. This chapter mostly focuses on notable differences between BIND and IdM.

33.1. BIND in Identity Management

IdM integrates BIND DNS server version 9.9 with an LDAP database used for data replication and with Kerberos for DNS update signing using the GSS-TSIG protocol [3]. This enables convenient DNS management using IdM tools and at the same time increases resiliency because IdM-integrated DNS servers support multi-master operations, allowing all IdM-integrated DNS servers to accept DNS updates from clients without having a single point of failure.
The default IdM DNS configuration is suitable for internal networks that are not accessible from the public Internet. If the IdM DNS server is accessible from the public Internet, Red Hat recommends applying the usual hardening applicable to the BIND service, described in the Red Hat Enterprise Linux Networking Guide.

Note

It is not possible to run BIND integrated with IdM inside a chroot environment.
BIND integrated with IdM communicates with the Directory Server using the bind-dyndb-ldap plug-in. IdM creates a dynamic-db configuration section in the /etc/named.conf file for the BIND service, which configures the bind-dyndb-ldap plug-in for the BIND named-pkcs11 service.
The most notable difference between standard BIND and IdM DNS is that IdM stores all DNS information as LDAP entries. Every domain name is represented as an LDAP entry, and every resource record is stored as an LDAP attribute of the LDAP entry. For example, the following client1.example.com. domain name contains three A records and one AAAA record:
dn: idnsname=client1,idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectclass: top
objectclass: idnsrecord
idnsname: client1
Arecord: 192.0.2.1
Arecord: 192.0.2.2
Arecord: 192.0.2.3
AAAArecord: 2001:DB8::ABCD

Important

To edit DNS data or BIND configuration, always use the IdM tools described in this chapter.


[3] For more information about GSS-TSIG, see RFC 3545.