Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 98. Updating DNS records systematically when using external DNS

When using external DNS, Identity Management (IdM) does not update the DNS records automatically after a change in the topology. You can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.

Updating DNS records removes old or invalid DNS records and adds new records. You must update DNS records after a change in your topology, for example:

  • After installing or uninstalling a replica
  • After installing a CA, DNS, KRA, or Active Directory trust on an IdM server

98.1. Updating external DNS records with GUI

If you have made any changes to your topology, you must update the external DNS records by using the external DNS GUI.

Procedure

  1. Display the records that you must update:

    $ ipa dns-update-system-records --dry-run
     IPA DNS records:
       _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
       _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
    [... output truncated ...]
  2. Use the external DNS GUI to update the records.

98.2. Updating external DNS records using nsupdate

You can update external DNS records using the nsupdate utility. You can also add the command to a script to automate the process. To update with the nsupdate utility, you need to generate a file with the DNS records, and then proceed with either sending an nsupdate request secured using TSIG, or sending an nsupdate request secured using the GSS-TSIG.

Procedure

  • To generate a file with the DNS records for nsupdate, use the `ipa dns-update-system-records --dry-run command with the --out option. The --out option specifies the path of the file to generate:

    $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
     IPA DNS records:
       _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
       _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
    [... output truncated ...]

    The generated file contains the required DNS records in the format accepted by the nsupdate utility.

  • The generated records rely on:

    • Automatic detection of the zone in which the records are to be updated.
    • Automatic detection of the zone’s authoritative server.

      If you are using an atypical DNS setup or if zone delegations are missing, nsupdate might not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:

    • server: specify the server name or port of the authoritative DNS server to which nsupdate sends the records.
    • zone: specify the name of the zone where nsupdate places the records.

      Example 98.1. Generated record

      $ cat dns_records_file.nsupdate
      zone example.com.
      server 192.0.2.1
      ; IPA DNS records
      update delete _kerberos-master._tcp.example.com. SRV
      update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
      [... output truncated ...]

98.3. Sending an nsupdate request secured using TSIG

When sending a request using nsupdate, make sure you properly secure it. Transaction signature (TSIG) enables you to use nsupdate with a shared key.

Prerequisites

  • Your DNS server must be configured for TSIG.
  • Both the DNS server and its client must have the shared key.

Procedure

  • Run the nsupdate command and provide the shared secret using one of these options:

    • -k to provide the TSIG authentication key:

      $ nsupdate -k tsig_key.file dns_records_file.nsupdate
    • -y to generate a signature from the name of the key and from the Base64-encoded shared secret:

      $ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate

98.4. Sending an nsupdate request secured using GSS-TSIG

When sending a request using nsupdate, make sure you properly secure it. GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol.

Prerequisites

  • Your DNS server must be configured for GSS-TSIG.
Note

This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API.

Procedure

  1. Authenticate with a principal allowed to update the records:

    $ kinit principal_allowed_to_update_records@REALM
  2. Run nsupdate with the -g option to enable the GSS-TSIG mode:

    $ nsupdate -g dns_records_file.nsupdate

98.5. Additional resources

  • nsupdate(8) man page
  • RFC 2845 describes the TSIG protocol
  • RFC 3645 describes the GSS-TSIG algorithm