Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 97. Managing DNS records in IdM

This chapter describes how to manage DNS records in Identity Management (IdM). As an IdM administrator, you can add, modify and delete DNS records in IdM. The chapter contains the following sections:

Prerequisites

97.1. DNS records in IdM

Identity Management (IdM) supports many different DNS record types. The following four are used most frequently:

A

This is a basic map for a host name and an IPv4 address. The record name of an A record is a host name, such as www. The IP Address value of an A record is an IPv4 address, such as 192.0.2.1.

For more information about A records, see RFC 1035.

AAAA

This is a basic map for a host name and an IPv6 address. The record name of an AAAA record is a host name, such as www. The IP Address value is an IPv6 address, such as 2001:DB8::1111.

For more information about AAAA records, see RFC 3596.

SRV

Service (SRV) resource records map service names to the DNS name of the server that is providing that particular service. For example, this record type can map a service like an LDAP directory to the server which manages it.

The record name of an SRV record has the format _service._protocol, such as _ldap._tcp. The configuration options for SRV records include priority, weight, port number, and host name for the target service.

For more information about SRV records, see RFC 2782.

PTR

A pointer record (PTR) adds a reverse DNS record, which maps an IP address to a domain name.

Note

All reverse DNS lookups for IPv4 addresses use reverse entries that are defined in the in-addr.arpa. domain. The reverse address, in human-readable form, is the exact reverse of the regular IP address, with the in-addr.arpa. domain appended to it. For example, for the network address 192.0.2.0/24, the reverse zone is 2.0.192.in-addr.arpa.

The record name of a PTR must be in the standard format specified in RFC 1035, extended in RFC 2317, and RFC 3596. The host name value must be a canonical host name of the host for which you want to create the record.

Note

Reverse zones can also be configured for IPv6 addresses, with zones in the .ip6.arpa. domain. For more information about IPv6 reverse zones, see RFC 3596.

When adding DNS resource records, note that many of the records require different data. For example, a CNAME record requires a host name, while an A record requires an IP address. In the IdM Web UI, the fields in the form for adding a new record are updated automatically to reflect what data is required for the currently selected type of record.

97.2. Adding DNS resource records in the IdM Web UI

Follow this procedure to add DNS resource records in the Identity Management (IdM) Web UI.

Prerequisites

  • The DNS zone to which you want to add a DNS record exists and is managed by IdM. For more information about creating a DNS zone in IdM DNS, see Managing DNS zones in IdM.
  • You are logged in as IdM administrator.

Procedure

  1. In the IdM Web UI, click Network ServicesDNSDNS Zones.
  2. Click the DNS zone to which you want to add a DNS record.

  3. In the DNS Resource Records section, click Add to add a new record.

    Figure 97.1. Adding a New DNS Resource Record

    Screenshot of the DNS Resource Records page for the zone zone.example.com displaying several DNS records. The "Add" button to the upper-right of the page is highlighted.

  4. Select the type of record to create and fill out the other fields as required.

    Figure 97.2. Defining a New DNS Resource Record

    Screenshot of the "Add DNS Resource Record" pop-up window. The "Record name" and "Hostname" fields have been filled in and the "Record Type" has been chosen from a drop-down menu. The "Add" button is at the bottom of the window.
  5. Click Add to confirm the new record.

97.3. Adding DNS resource records from the IdM CLI

Follow this procedure to add a DNS resource record of any type from the command line interface (CLI).

Prerequisites

  • The DNS zone to which you want to add a DNS records exists. For more information about creating a DNS zone in IdM DNS, see Managing DNS zones in IdM.
  • You are logged in as IdM administrator.

Procedure

  1. To add a DNS resource record, use the ipa dnsrecord-add command. The command follows this syntax: 

    $ ipa dnsrecord-add zone_name record_name --record_type_option=data

    In the command above:

    • The zone_name is the name of the DNS zone to which the record is being added.
    • The record_name is an identifier for the new DNS resource record.

    For example, to add an A type DNS record of host1 to the idm.example.com zone, enter: 

    $ ipa dnsrecord-add idm.example.com host1 --a-rec=192.168.122.123

97.4. Common ipa dnsrecord-* options

You can use the following options when adding, modifying and deleting the most common DNS resource record types in Identity Management (IdM):

  • A (IPv4)
  • AAAA (IPv6)
  • SRV
  • PTR

In Bash, you can define multiple entries by listing the values in a comma-separated list inside curly braces, such as --⁠option={val1,val2,val3}.

Table 97.1. General Record Options

OptionDescription

--ttl=number

Sets the time to live for the record.

--structured

Parses the raw DNS records and returns them in a structured format.

Table 97.2. "A" record options

OptionDescriptionExamples

--a-rec=ARECORD

Passes a single A record or a list of A records.

ipa dnsrecord-add idm.example.com host1 --a-rec=192.168.122.123

Can create a wildcard A record with a given IP address.

ipa dnsrecord-add idm.example.com "*" --a-rec=192.168.122.123 [a]

--a-ip-address=string

Gives the IP address for the record. When creating a record, the option to specify the A record value is --a-rec. However, when modifying an A record, the --a-rec option is used to specify the current value for the A record. The new value is set with the --a-ip-address option.

ipa dnsrecord-mod idm.example.com --a-rec 192.168.122.123 --a-ip-address 192.168.122.124

[a] The example creates a wildcard A record with the IP address of 192.0.2.123.

Table 97.3. "AAAA" record options

OptionDescriptionExample

--aaaa-rec=AAAARECORD

Passes a single AAAA (IPv6) record or a list of AAAA records.

ipa dnsrecord-add idm.example.com www --aaaa-rec 2001:db8::1231:5675

--aaaa-ip-address=string

Gives the IPv6 address for the record. When creating a record, the option to specify the A record value is --aaaa-rec. However, when modifying an A record, the --aaaa-rec option is used to specify the current value for the A record. The new value is set with the --a-ip-address option.

ipa dnsrecord-mod idm.example.com --aaaa-rec 2001:db8::1231:5675 --aaaa-ip-address 2001:db8::1231:5676

Table 97.4. "PTR" record options

OptionDescriptionExample

--ptr-rec=PTRRECORD

Passes a single PTR record or a list of PTR records. When adding the reverse DNS record, the zone name used with the ipa dnsrecord-add command is reversed, compared to the usage for adding other DNS records. Typically, the host IP address is the last octet of the IP address in a given network. The first example on the right adds a PTR record for server4.idm.example.com with IPv4 address 192.168.122.4. The second example adds a reverse DNS entry to the 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IPv6 reverse zone for the host server2.example.com with the IP address 2001:DB8::1111.

ipa dnsrecord-add 122.168.192.in-addr.arpa 4 --ptr-rec server4.idm.example.com.

$ ipa dnsrecord-add 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1.1.1.0.0.0.0.0.0.0.0.0.0.0.0 --ptr-rec server2.idm.example.com.

--ptr-hostname=string

Gives the host name for the record.

 

Table 97.5. "SRV" Record Options

OptionDescriptionExample

--srv-rec=SRVRECORD

Passes a single SRV record or a list of SRV records. In the examples on the right, _ldap._tcp defines the service type and the connection protocol for the SRV record. The --srv-rec option defines the priority, weight, port, and target values. The weight values of 51 and 49 in the examples add up to 100 and represent the probability, in percentages, that a particular record is used.

# ipa dnsrecord-add idm.example.com _ldap._tcp --srv-rec="0 51 389 server1.idm.example.com."

# ipa dnsrecord-add server.idm.example.com _ldap._tcp --srv-rec="1 49 389 server2.idm.example.com."

--srv-priority=number

Sets the priority of the record. There can be multiple SRV records for a service type. The priority (0 - 65535) sets the rank of the record; the lower the number, the higher the priority. A service has to use the record with the highest priority first.

# ipa dnsrecord-mod server.idm.example.com _ldap._tcp --srv-rec="1 49 389 server2.idm.example.com." --srv-priority=0

--srv-weight=number

Sets the weight of the record. This helps determine the order of SRV records with the same priority. The set weights should add up to 100, representing the probability (in percentages) that a particular record is used.

# ipa dnsrecord-mod server.idm.example.com _ldap._tcp --srv-rec="0 49 389 server2.idm.example.com." --srv-weight=60

--srv-port=number

Gives the port for the service on the target host.

# ipa dnsrecord-mod server.idm.example.com _ldap._tcp --srv-rec="0 60 389 server2.idm.example.com." --srv-port=636

--srv-target=string

Gives the domain name of the target host. This can be a single period (.) if the service is not available in the domain.

 

Additional resources

  • Run ipa dnsrecord-add --help.

97.5. Deleting DNS records in the IdM Web UI

Follow this procedure to delete DNS records in Identity Management (IdM) using the IdM Web UI.

Prerequisites

  • You are logged in as IdM administrator.

Procedure

  1. In the IdM Web UI, click Network ServicesDNSDNS Zones.
  2. Click the zone from which you want to delete a DNS record, for example example.com..

  3. In the DNS Resource Records section, click the name of the resource record.

    Figure 97.3. Selecting a DNS Resource Record

    A screenshot of the "DNS Resource Records" page displaying information for the zone.example.com zone. The entry for the "dns" record name is highlighted.
  4. Select the check box by the name of the record type to delete.

  5. Click Delete.

    Figure 97.4. Deleting a DNS Resource Record

    A screenshot of the "Standard Record Types" page displaying entries for "A" "AAAA" and "CNAME" records. The checkbox in the CNAME table for the dns.example.com entry has been checked and the "Delete" button pertaining to CNAME entries has been highlighted.

The selected record type is now deleted. The other configuration of the resource record is left intact.

Additional resources

97.6. Deleting an entire DNS record in the IdM Web UI

Follow this procedure to delete all the records for a particular resource in a zone using the Identity Management (IdM) Web UI.

Prerequisites

  • You are logged in as IdM administrator.

Procedure

  1. In the IdM Web UI, click Network ServicesDNSDNS Zones.
  2. Click the zone from which you want to delete a DNS record, for example zone.example.com..
  3. In the DNS Resource Records section, select the check box of the resource record to delete.

  4. Click Delete.

    Figure 97.5. Deleting an Entire Resource Record

    A screenshot of the "DNS Resource Records" page displaying information for the zone.example.com zone. The entry for the "dns" record name has been chosen and the "Delete" button at the top right is highlighted.

The entire resource record is now deleted.

97.7. Deleting DNS records in the IdM CLI

Follow this procedure to remove DNS records from a zone managed by the Identity Management (IdM) DNS.

Prerequisites

  • You are logged in as IdM administrator.

Procedure

  • To remove records from a zone, use the ipa dnsrecord-del command and add the --recordType-rec option together with the record value. For example, to remove an A type record: 

    $ ipa dnsrecord-del example.com www --a-rec 192.0.2.1

    If you run ipa dnsrecord-del without any options, the command prompts for information about the record to delete. Note that passing the --del-all option with the command removes all associated records for the zone.

Additional resources

  • Run the ipa dnsrecord-del --help command.

97.8. Additional resources