
Chapter 8. Identity: Managing DNS

8.1. About DNS in IPA
8.2. Configuring DNS in Identity Management
8.3. Configuring the bind-dyndb-ldap Plug-in
8.4. Changing Recursive Queries Against Forwarders
8.5. Adding DNS Zones
8.5.1. Adding DNS Zones from the Web UI
8.5.2. Adding DNS Zones from the Command Line
8.6. Modifying DNS Zones
8.6.1. Editing the Zone Configuration in the Web UI
8.6.2. Editing the Zone Configuration in the Command Line
8.7. Enabling Dynamic DNS Updates
8.7.1. Enabling Dynamic DNS Updates in the Web UI
8.7.2. Enabling Dynamic DNS Updates in the Command Line
8.8. Enabling and Disabling Zones
8.8.1. Disabling Zones in the Web UI
8.8.2. Disabling Zones in the Command Line
8.9. Adding Records to DNS Zones
8.9.1. Adding DNS Resource Records from the Web UI
8.9.2. Adding DNS Resource Records from the Command Line
8.10. Deleting Records from DNS Zones
8.10.1. Deleting Records with the Web UI
8.10.2. Deleting Records with the Command Line
8.11. Resolving Hostnames in the IPA Domain
8.12. Changing Load Balancing for IPA Servers and Replicas
If the IPA server was installed with DNS configured, then all of the DNS entries for the domain — host entries, locations, records — can be managed using the IPA tools.

8.1. About DNS in IPA

DNS is one of the services that can be configured and maintained by the IPA domain. DNS is critical to the performance of the IPA domain; DNS is used for the Kerberos services and SSL connections for all servers and clients and for connections to domain services like LDAP.
While IPA can use an external DNS service, there is far more flexibility and control over the interaction between IPA and DNS when the DNS service is configured within the domain. For example, DNS records and zones can be managed within the domain using IPA tools, and clients can update their own DNS records dynamically. When a host is added to IPA, a DNS record is automatically created in IPA's DNS service for that host machine.
IPA stores all DNS information as LDAP entries. Every resource record for each machine is stored for the domain. For example, the client1 resource has three IPv4 (A) records and one IPv6 (AAAA) record:
dn: idnsname=client1,idnsname=example.com,cn=dns,dc=example,dc=com
idnsname: client1
arecord: 10.0.0.1
arecord: 10.0.0.2
arecord: 10.0.0.3
aaaarecord: fc00::1
objectclass: top
objectclass: idnsrecord
The schema used to define the DNS entries is in the /usr/share/ipa/60basev2.ldif schema file[1].
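As an added example (not from the IPA documentation), the following Python script parses an idnsrecord entry of the shape shown above, derives the owner name from the two idnsname components of the DN, and renders the A and AAAA records as zone-file lines, flagging any value that is not a well-formed address of the family its attribute implies. The sample entry is constructed from the client1 entry above.

```python
import ipaddress
# Constructed sample, matching the client1 entry shown above.
SAMPLE_LDIF = """\
dn: idnsname=client1,idnsname=example.com,cn=dns,dc=example,dc=com
idnsname: client1
arecord: 10.0.0.1
arecord: 10.0.0.2
arecord: 10.0.0.3
aaaarecord: fc00::1
objectclass: idnsrecord
"""
# LDAP attribute -> (zone-file RR type, expected IP version)
RECORD_ATTRS = {"arecord": ("A", 4), "aaaarecord": ("AAAA", 6)}

def parse_ldif_entry(text):
    """Return (dn, {attribute: [values]}) for one LDIF entry."""
    dn, attrs = None, {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if not sep:
            continue  # blank or malformed line
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def zone_from_dn(dn):
    """The zone is the second idnsname component of a record's DN."""
    names = [r.split("=", 1)[1] for r in dn.split(",") if r.startswith("idnsname=")]
    if len(names) != 2:
        raise ValueError("not a record entry under a zone: " + dn)
    return names[1]

def entry_to_records(text):
    """Return (zone-file lines, problems); problems holds malformed or wrong-family values."""
    dn, attrs = parse_ldif_entry(text)
    fqdn = "%s.%s." % (attrs["idnsname"][0], zone_from_dn(dn))
    records, problems = [], []
    for attr, (rrtype, version) in RECORD_ATTRS.items():
        for value in attrs.get(attr, []):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                addr = None
            if addr is None or addr.version != version:
                problems.append("%s %s=%s" % (fqdn, attr, value))
            else:
                records.append("%s IN %s %s" % (fqdn, rrtype, addr))
    return records, problems
```

The same check can be run over entries exported from the cn=dns subtree to spot address attributes that BIND would have to reject.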
The BIND service communicates with the Directory Server using the system bind-dyndb-ldap plug-in. When Identity Management is configured to manage DNS (Section 8.2, “Configuring DNS in Identity Management”), IPA creates a dynamic-db configuration section in the /etc/named.conf file for the BIND service. This configures the bind-dyndb-ldap plug-in for the BIND (named) service.
When this plug-in is properly configured, it delivers the DNS records from the Directory Server to the named service. The configuration can be changed to adapt the behavior of the plug-in and, therefore, the LDAP-BIND interactions.
The ipa command has several subcommands to manage the DNS service.
Table 8.1. DNS Management Tools

dns-resolve
    Resolves a hostname to see if it exists within the IPA domain.
dnsrecord-add, dnsrecord-mod, and dnsrecord-del
    Adds, edits, and deletes DNS records.
dnsrecord-find and dnsrecord-show
    Finds and displays DNS records.
dnszone-add and dnszone-del
    Adds and deletes DNS SOA records.
dnszone-enable and dnszone-disable
    Enables and disables DNS zones. These tools control whether a DNS zone is active and available without deleting the configuration entries in the LDAP directory.
dnszone-find and dnszone-show
    Finds and displays DNS zone configuration.

[1] Any updated schema files, including updated DNS schema elements, are located in the /usr/share/ipa/updates directory.