3.5. Example: Configuring DNS Services within the IdM Domain
IdM can be configured to manage its own DNS or use an existing DNS (which is the default). Running the setup script alone does not configure DNS; this requires the --setup-dns option.
Warning
DNS records are vital for nearly all IdM domain functions, including running LDAP directory services, Kerberos, and Active Directory integration.
Be extremely cautious and ensure that you have a tested and functional DNS service available if the IdM domain will not use an IdM-hosted DNS server. It is critical that you have properly configured A and PTR records.
As with a basic setup, the DNS setup can either prompt for the required information or the DNS information can be passed with the script to allow an automatic or unattended setup process.
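The warning above says that correct A and PTR records are critical when the IdM domain relies on an external DNS. The following pre-flight check, an added example that is not part of the Red Hat guide, resolves the planned IdM server name forward and backward and fails if the two do not agree. It assumes dig (bind-utils) is installed; the hostname and address are placeholders.

```shell
#!/bin/bash
# Pre-flight check that the IdM server's forward (A) and reverse (PTR) records
# agree before running ipa-server-install against an external DNS.
# Added example, not from the Red Hat guide; assumes dig (bind-utils) is installed.

# Resolver wrappers: one place to swap in a different lookup tool.
resolve_a() {   # $1 = hostname -> prints IPv4 addresses, one per line
    dig +short A "$1" 2>/dev/null
}
resolve_ptr() { # $1 = IPv4 address -> prints PTR target(s), trailing dot stripped
    dig +short -x "$1" 2>/dev/null | sed 's/\.$//'
}

# check_a_ptr HOST EXPECTED_IP
# Returns 0 when HOST resolves to EXPECTED_IP and EXPECTED_IP's PTR points back
# to HOST; prints a diagnostic and returns 1 otherwise.
check_a_ptr() {
    local host="$1" expected_ip="$2" a_records ptr_records
    a_records=$(resolve_a "$host" || true)
    if [ -z "$a_records" ]; then
        echo "FAIL: no A record for $host" >&2
        return 1
    fi
    if ! printf '%s\n' "$a_records" | grep -qxF -- "$expected_ip"; then
        echo "FAIL: $host resolves to [$(printf '%s' "$a_records" | tr '\n' ' ')], expected $expected_ip" >&2
        return 1
    fi
    ptr_records=$(resolve_ptr "$expected_ip" || true)
    if [ -z "$ptr_records" ]; then
        echo "FAIL: no PTR record for $expected_ip" >&2
        return 1
    fi
    if ! printf '%s\n' "$ptr_records" | grep -qixF -- "$host"; then
        echo "FAIL: PTR for $expected_ip is [$(printf '%s' "$ptr_records" | tr '\n' ' ')], expected $host" >&2
        return 1
    fi
    echo "OK: $host <-> $expected_ip (A and PTR agree)"
    return 0
}

# Usage (placeholder values): ./check_a_ptr.sh ipaserver.example.com 192.0.2.10
if [ $# -eq 2 ]; then
    check_a_ptr "$1" "$2"
fi
```

Run it for every IdM server and replica before installation; a mismatch here typically shows up later as Kerberos or LDAP failures that are much harder to trace back to DNS.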
3.5.1. DNS Notes
- Wildcards cannot be used when configuring DNS names. Only explicit DNS domain names are supported.
- The rndc service is not configured by the --setup-dns option. This service must be configured manually after the IdM server is configured.
3.5.2. Installing with an Integrated DNS
Example 3.4. Interactive DNS Setup
- Run the ipa-server-install script, using the --setup-dns option.
    [root@server ~]# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipaserver.example.com --setup-dns
- The script configures the hostname and domain name as normal.
- The script then prompts for DNS forwarders. If forwarders will be used, enter yes, and then supply the list of DNS servers. If IdM will manage its own DNS service, then enter no.
    Do you want to configure DNS forwarders? [yes]: no
    No DNS forwarders configured
- The script sets up the NTP, Directory Server, Certificate System, Kerberos, and Apache services.
- Before completing the configuration, the script prompts to ask whether it should configure reverse DNS services. If you select yes, then it configures the named service.
    Do you want to configure the reverse zone? [yes]: yes
    Configuring DNS (named)
      [1/11]: adding DNS container
      [2/11]: setting up our zone
      [3/11]: setting up reverse zone
      [4/11]: setting up our own record
      [5/11]: setting up records for other masters
      [6/11]: setting up CA record
      [7/11]: setting up kerberos principal
      [8/11]: setting up named.conf
      [9/11]: restarting named
      [10/11]: configuring named to start on boot
      [11/11]: changing resolv.conf to point to ourselves
    Done configuring DNS (named).
    ==============================================================================
    Setup complete
- The ipa-dns-install command (which is run with the install script when the --setup-dns option is used) does not automatically configure the system's rndc service. This must be configured manually, after DNS is configured for IdM.
  - Create the rndc configuration file and key.
        [root@server ~]# /usr/sbin/rndc-confgen -a
        [root@server ~]# /sbin/restorecon /etc/rndc.key
    This may require some user input to create entropy while the key is being created.
  - Change the owner and permissions of the rndc key file.
        [root@server ~]# chown root:named /etc/rndc.key
        [root@server ~]# chmod 0640 /etc/rndc.key
- Verify that everything is working as expected, as in Section 3.3.1, “Basic Interactive Installation”.
If DNS is used with IdM, then two pieces of information are required: any DNS forwarders that will be used and whether to use reverse DNS. To perform a non-interactive setup, this information can be passed using the --forwarder or --no-forwarders option and the --no-reverse option.
Example 3.5. Setting up DNS Non-Interactively
To set up a DNS server and domain for the IdM server, use the --setup-dns option. To configure additional forwarders, use the --forwarder option; for multiple forwarders, use multiple invocations of --forwarder.
    [root@server ~]# ipa-server-install ... --setup-dns --forwarder=1.2.3.0 --forwarder=1.2.255.0
Some kind of forwarder information is required. If no external forwarders will be used with the IdM DNS service, then use the --no-forwarders option to indicate that only root servers will be used.
The script always assumes that reverse DNS is configured along with DNS, so it is not necessary to use any options to enable reverse DNS. To disable reverse DNS, use the --no-reverse option; if a reverse DNS zone is already configured, then using the --no-reverse option means that the existing reverse DNS zone is used.
    [root@server ~]# ipa-server-install ... --setup-dns --no-reverse
The ipa-dns-install command (which is run with the install script when the --setup-dns option is used) does not automatically configure the system's rndc service. This must be configured manually, after DNS is configured for IdM.
- Create the rndc configuration file and key.
    [root@server ~]# /usr/sbin/rndc-confgen -a
    [root@server ~]# /sbin/restorecon /etc/rndc.key
  This may require some user input to create entropy while the key is being created.
- Change the owner and permissions of the rndc key file.
    [root@server ~]# chown root:named /etc/rndc.key
    [root@server ~]# chmod 0640 /etc/rndc.key
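The manual rndc steps appear twice on this page, in the interactive Example 3.4 and again after the non-interactive setup. The script below, an added example that is not part of the Red Hat guide, performs the same steps idempotently and then verifies that the key file ends up owned by root:named with mode 0640, which is the property that matters: named can read its control key, other local users cannot. It assumes GNU coreutils (stat -c) and the rndc-confgen -c option for an alternate key path (an assumption; the guide only uses -a, which writes /etc/rndc.key).

```shell
#!/bin/bash
# Create and lock down the rndc key for the IdM-managed named service, then
# verify the result. Added example, not from the Red Hat guide; it scripts the
# manual rndc steps from the page and assumes GNU coreutils (stat -c) and the
# rndc-confgen -c option (assumption; the guide only uses -a, which writes
# /etc/rndc.key).

RNDC_KEY="${RNDC_KEY:-/etc/rndc.key}"

# generate_rndc_key: create the key once (re-running must not replace a key that
# named already trusts), relabel for SELinux, and restrict it to root:named 0640.
generate_rndc_key() {
    if [ ! -f "$RNDC_KEY" ]; then
        /usr/sbin/rndc-confgen -a -c "$RNDC_KEY"   # may block while gathering entropy
    fi
    /sbin/restorecon "$RNDC_KEY"
    chown root:named "$RNDC_KEY"
    chmod 0640 "$RNDC_KEY"
}

# check_key_perms FILE OWNER GROUP
# Returns 0 when FILE is owned by OWNER:GROUP with mode 0640 (readable by the
# named service account, unreadable by other local users); prints why and
# returns 1 otherwise.
check_key_perms() {
    local file="$1" owner="$2" group="$3" actual
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 1
    fi
    actual=$(stat -c '%U:%G %a' "$file")
    if [ "$actual" != "$owner:$group 640" ]; then
        echo "FAIL: $file is $actual, expected $owner:$group 640" >&2
        return 1
    fi
    echo "OK: $file is $actual"
    return 0
}

# verify_rndc: confirm that rndc can actually control named with the installed key.
verify_rndc() {
    rndc status >/dev/null && echo "OK: rndc can reach named"
}

# Run the full procedure only when invoked as: ./rndc-setup.sh install
# so the functions can also be sourced into other scripts.
if [ "${1:-}" = "install" ]; then
    generate_rndc_key
    check_key_perms "$RNDC_KEY" root named
    verify_rndc
fi
```

If check_key_perms reports a 644 or root:root file, named either cannot read the key (rndc status fails) or every local user can, so fix ownership and mode before enabling the service on boot.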