Chapter 3. Planning your DNS services and host names
Identity Management (IdM) provides different types of DNS configurations in the IdM server. The following sections describe them and provide advice on how to determine which is the best for your use case.
3.1. DNS services available in an IdM server
You can install an Identity Management (IdM) server with or without integrated DNS.
Table 3.1. Comparing IdM with integrated DNS and without integrated DNS
|With integrated DNS||Without integrated DNS|
IdM runs its own DNS service for the IdM domain.
IdM uses DNS services provided by an external DNS server.
The integrated DNS server provided by IdM only supports features related to IdM deployment and maintenance. It does not support some of the advanced DNS features. It is not designed to be used as a general-purpose DNS server.
DNS is not integrated with native IdM tools. For example, IdM does not update the DNS records automatically after a change in the topology.
Works best for:
Basic usage within the IdM deployment.
When the IdM server manages DNS, DNS is tightly integrated with native IdM tools, which enables automating some of the DNS record management tasks.
Environments where advanced DNS features beyond the scope of the IdM DNS are needed.
Environments with a well-established DNS infrastructure where you want to keep using an external DNS server.
Even if an Identity Management server is used as a primary DNS server, other external DNS servers can still be used as secondary servers. For example, if your environment is already using another DNS server, such as a DNS server integrated with Active Directory (AD), you can delegate only the IdM primary domain to the DNS integrated with IdM. It is not necessary to migrate DNS zones to the IdM DNS.
If you need to issue certificates for IdM clients with an IP address in the Subject Alternative Name (SAN) extension, you must use the IdM integrated DNS service.
3.2. Guidelines for planning the DNS domain name and Kerberos realm name
When installing the first Identity Management (IdM) server, the installation prompts for a primary DNS name of the IdM domain and Kerberos realm name. The guidelines in this section can help you set the names correctly.
You will not be able to change the IdM primary domain name and Kerberos realm name after the server is already installed. Do not expect to be able to move from a testing environment to a production environment by changing the names, for example from
- A separate DNS domain for service records
- Ensure that the primary DNS domain used for IdM is not shared with any other system. This helps avoid conflicts on the DNS level.
- Proper DNS domain name delegation
- Ensure you have valid delegation in the public DNS tree for the DNS domain. Do not use a domain name that is not delegated to you, not even on a private network.
- Multi-label DNS domain
Do not use single-label domain names, for example
.company. The IdM domain must be composed of one or more subdomains and a top level domain, for example
- A unique Kerberos realm name
- Ensure the realm name is not in conflict with any other existing Kerberos realm name, such as a name used by Active Directory (AD).
- Kerberos realm name as an upper-case version of the primary DNS name
Consider setting the realm name to an upper-case (
EXAMPLE.COM) version of the primary DNS domain name (
If you do not set the Kerberos realm name to be the upper-case version of the primary DNS name, you will not be able to use AD trusts.
Additional notes on planning the DNS domain name and Kerberos realm name
- One IdM deployment always represents one Kerberos realm.
You can join IdM clients from multiple distinct DNS domains (
example.org) to a single Kerberos realm (
IdM clients do not need to be in the primary DNS domain. For example, if the IdM domain is
idm.example.com, the clients can be in the
clients.example.comdomain, but clear mapping must be configured between the DNS domain and the Kerberos realm.Note
The standard method to create the mapping is using the _kerberos TXT DNS records. The IdM integrated DNS adds these records automatically.