Chapter 2. Managing DNS zones in IdM
Manage Identity Management (IdM) DNS zones to control how the network resolves names. You can add, remove, and configure primary zones to maintain a healthy DNS infrastructure.
2.1. Prerequisites
- DNS service is installed on the IdM server. For more information about how to install an IdM server with integrated DNS, see one of the following links:
- You understand which DNS zone types are supported in IdM.
2.2. Adding a primary DNS zone in IdM Web UI
Create a new primary DNS zone using the Identity Management (IdM) Web UI. This graphical interface provides an intuitive way to name and initialize subdomains within the IdM environment.
Prerequisites
- You are logged in as IdM administrator.
Procedure
- In the IdM Web UI, click Network Services → DNS → DNS Zones.
(Figure: Managing IdM DNS primary zones)
- Click the button at the top of the list of all zones.
- Provide the zone name.
(Figure: Entering a new IdM primary zone)
- Click the button to confirm.
2.3. Adding a primary DNS zone in IdM CLI
Add new subdomains to the DNS domain by executing the ipa dnszone-add command. This command allows for direct input of the zone name or provides interactive prompts for missing details.
Prerequisites
- You are logged in as IdM administrator.
Procedure
The ipa dnszone-add command adds a new zone to the DNS domain. Adding a new zone requires you to specify the name of the new subdomain. You can pass the subdomain name directly with the command:
$ ipa dnszone-add newzone.idm.example.com
If you do not pass the name to ipa dnszone-add, the script prompts for it automatically.
2.4. Removing a primary DNS zone in IdM Web UI
Delete unnecessary DNS zones through the Network Services section of the IdM Web UI. Removing a zone permanently deletes its associated records from the Identity Management database.
Prerequisites
- You are logged in as IdM administrator.
Procedure
- In the IdM Web UI, click Network Services → DNS → DNS Zones. Select the check box by the zone name and click the button.
(Figure: Removing a primary DNS zone)
- In the Remove DNS zones dialog window, confirm that you want to delete the selected zone.
2.5. Removing a primary DNS zone in IdM CLI
Remove a primary DNS zone by using the ipa dnszone-del command. Specifying the target zone name instantly deletes the entry and its configuration from the IdM server.
Prerequisites
- You are logged in as IdM administrator.
Procedure
To remove a primary DNS zone, enter the ipa dnszone-del command, followed by the name of the zone you want to remove. For example:
$ ipa dnszone-del idm.example.com
2.6. DNS configuration priorities
IdM applies DNS settings based on a specific hierarchy. Zone-specific settings take the highest priority, followed by per-server and global configurations, while manual entries in /etc/named.conf carry the lowest weight.
- Zone-specific configuration: The level of configuration specific for a particular zone defined in IdM has the highest priority. You can manage zone-specific configuration by using the ipa dnszone-* and ipa dnsforwardzone-* commands.
- Per-server configuration: You are asked to define per-server forwarders during the installation of an IdM server. You can manage per-server forwarders by using the ipa dnsserver-* commands. If you do not want to set a per-server forwarder when installing a replica, you can use the --no-forwarder option.
- Global DNS configuration: If no zone-specific configuration is defined, IdM uses global DNS configuration stored in LDAP. You can manage global DNS configuration using the ipa dnsconfig-* commands. Settings defined in global DNS configuration are applied to all IdM DNS servers.
- Configuration in /etc/named.conf: Configuration defined in the /etc/named.conf file on each IdM DNS server has the lowest priority. It is specific for each server and must be edited manually. The /etc/named.conf file is usually only used to specify DNS forwarding to a local DNS cache. Other options are managed using the commands for zone-specific and global DNS configuration mentioned above.
You can configure DNS options on multiple levels at the same time. In such cases, configuration with the highest priority takes precedence over configuration defined at lower levels.
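To see the precedence in practice, the following Python helper (an added example, not code from the documentation or from the IdM project) parses constructed samples of the `ipa dnszone-show`, `ipa dnsserver-show` and `ipa dnsconfig-show` output and of /etc/named.conf for one zone on one server, and reports which level supplies the forwarders that are actually in effect. The field labels follow the `Key: value` layout of the ipa CLI output; the hostnames and addresses are placeholders, and `effective_forwarders` is a name chosen here.

```python
"""Resolve which forwarders apply to a zone on one IdM DNS server by
walking the four configuration levels in priority order.

Added example; it is not part of the Red Hat documentation or of the
IdM project. The four inputs are constructed samples: three in the
"Key: value" layout that the ipa *-show commands print, plus a fragment
of /etc/named.conf. Hostnames and addresses are placeholders.
"""
import re

# Constructed sample of `ipa dnszone-show lab.idm.example.com`
ZONE_SHOW = """\
  Zone name: lab.idm.example.com.
  Active zone: True
  Zone forwarders: 192.0.2.53
  Forward policy: only
"""

# Constructed sample of `ipa dnsserver-show server1.idm.example.com`
SERVER_SHOW = """\
  Server name: server1.idm.example.com.
  Forwarders: 192.0.2.2
  Forward policy: first
"""

# Constructed sample of `ipa dnsconfig-show`
CONFIG_SHOW = """\
  Global forwarders: 192.0.2.3, 192.0.2.4
  Forward policy: first
  Allow PTR sync: True
"""

# Constructed fragment of /etc/named.conf on the same server
NAMED_CONF = """\
options {
    forwarders { 127.0.0.1; };
    forward only;
};
"""


def parse_ipa_show(text):
    """Turn the 'Key: value' lines printed by ipa *-show into a dict.
    Attributes that are not set are simply absent from the output."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_named_conf_forwarders(text):
    """Pull the addresses out of a BIND `forwarders { a; b; };` block."""
    match = re.search(r"forwarders\s*\{([^}]*)\}", text)
    if not match:
        return []
    return [v.strip() for v in match.group(1).split(";") if v.strip()]


def effective_forwarders(zone_show, server_show, config_show, named_conf):
    """Return (level, forwarders) for the highest-priority level that
    defines forwarders: zone, then server, then global, then named.conf."""
    ipa_levels = [
        ("zone", parse_ipa_show(zone_show).get("Zone forwarders")),
        ("server", parse_ipa_show(server_show).get("Forwarders")),
        ("global", parse_ipa_show(config_show).get("Global forwarders")),
    ]
    for level, value in ipa_levels:
        if value:
            # ipa prints multi-valued attributes comma-separated
            return level, [v.strip() for v in value.split(",") if v.strip()]
    local = parse_named_conf_forwarders(named_conf)
    if local:
        return "named.conf", local
    return "none", []


if __name__ == "__main__":
    level, forwarders = effective_forwarders(ZONE_SHOW, SERVER_SHOW,
                                             CONFIG_SHOW, NAMED_CONF)
    print(f"effective forwarders come from the {level} level: {forwarders}")
```

On a real server you would feed the function the output of the three ipa commands and the contents of /etc/named.conf; with the samples above the zone-level forwarder wins, and removing it makes the per-server, then the global, then the local named.conf forwarder take over.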
2.7. Configuration attributes of primary IdM DNS zones
Identity Management (IdM) initializes zones with default settings for refresh periods, transfers, and caching. You can modify these attributes to control SOA record behavior and update frequency via the CLI or Web UI.
In IdM DNS zone attributes, you can find the attributes of the default zone configuration that you can modify using one of the following options:
- The dnszone-mod command on the command line (CLI). For more information, see Editing the configuration of a primary DNS zone in IdM CLI.
- The IdM Web UI. For more information, see Editing the configuration of a primary DNS zone in IdM Web UI.
Along with setting the actual information for the zone, the settings define how the DNS server handles the start of authority (SOA) record entries and how it updates its records from the DNS name server.
| Attribute | Command-Line Option | Description |
|---|---|---|
| Authoritative name server | | Sets the domain name of the primary DNS name server, also known as SOA MNAME. By default, each IdM server advertises itself in the SOA MNAME field. Consequently, the value stored in LDAP using |
| Administrator e-mail address | | Sets the email address to use for the zone administrator. This defaults to the root account on the host. |
| SOA serial | | Sets a serial number in the SOA record. Note that IdM sets the version number automatically and users are not expected to modify it. |
| SOA refresh | | Sets the interval, in seconds, for a secondary DNS server to wait before requesting updates from the primary DNS server. |
| SOA retry | | Sets the time, in seconds, to wait before retrying a failed refresh operation. |
| SOA expire | | Sets the time, in seconds, that a secondary DNS server will try to perform a refresh update before ending the operation attempt. |
| SOA minimum | | Sets the time to live (TTL) value in seconds for negative caching according to RFC 2308. |
| SOA time to live | | Sets TTL in seconds for records at zone apex. In zone |
| Default time to live | | Sets the default time to live (TTL) value in seconds for negative caching for all values in a zone that never had an individual TTL value set before. |
| BIND update policy | | Sets the permissions allowed to clients in the DNS zone. |
| Dynamic update | | Enables dynamic updates to DNS records for clients. Note that if this is set to false, IdM client machines will not be able to add or update their IP address. |
| Allow transfer | | Gives a list of IP addresses or network names which are allowed to transfer the given zone, separated by semicolons (;). Zone transfers are disabled by default. The default |
| Allow query | | Gives a list of IP addresses or network names which are allowed to issue DNS queries, separated by semicolons (;). |
| Allow PTR sync | | Sets whether A or AAAA records (forward records) for the zone will be automatically synchronized with the PTR (reverse) records. |
| Zone forwarders | | Specifies a forwarder specifically configured for the DNS zone. This is separate from any global forwarders used in the IdM domain. To specify multiple forwarders, use the option multiple times. |
| Forward policy | | Specifies the forward policy. For information about the supported policies, see DNS forward policies in IdM. |
2.8. Editing the configuration of a primary DNS zone in IdM Web UI
Modify zone configuration attributes such as TTL and refresh intervals through the Settings tab in the IdM Web UI. Changes to most attributes take effect immediately across the IdM environment.
Prerequisites
- You are logged in as IdM administrator.
Procedure
- In the IdM Web UI, click Network Services → DNS → DNS Zones.
(Figure: DNS primary zones management)
- In the DNS Zones section, click on the zone name in the list of all zones to open the DNS zone page.
(Figure: Editing a primary zone)
- Click Settings.
(Figure: The Settings tab in the primary zone edit page)
- Change the zone configuration as required. For information about the available settings, see IdM DNS zone attributes.
- Click the button to confirm the new configuration.
Note: If you are changing the default time to live (TTL) of a zone, restart the named service on all IdM DNS servers to make the changes take effect. All other settings are automatically activated immediately.
2.9. Editing the configuration of a primary DNS zone in IdM CLI
Update existing DNS zone settings with the ipa dnszone-mod command. This tool overwrites current values or adds new ones for specific attributes like retry intervals and update policies.
Prerequisites
- You are logged in as IdM administrator.
Procedure
To modify an existing primary DNS zone, use the ipa dnszone-mod command. For example, to set the time to wait before retrying a failed refresh operation to 1800 seconds:
$ ipa dnszone-mod --retry 1800
For more information about the available settings and their corresponding CLI options, see IdM DNS zone attributes.
If a specific setting does not have a value in the DNS zone entry you are modifying, the ipa dnszone-mod command adds the value. If the setting already has a value, the command overwrites the current value with the specified value.
Note: If you are changing the default time to live (TTL) of a zone, restart the named service on all IdM DNS servers to make the changes take effect. All other settings are automatically activated immediately.
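The attribute table in IdM DNS zone attributes and the dnszone-mod procedure can be put together in one audit. As an added example, not code from the documentation or from the IdM project, the following Python script parses `ipa dnszone-show` output, applies SOA-timer sanity rules following the guidance in RFC 1912 section 2.2, flags a transfer ACL of `any`, and assembles the single `ipa dnszone-mod` call that would correct everything it found. The sample output is constructed, and the thresholds, the 1209600-second expire value and the `audit_zone`/`build_mod_command` names are choices made for this example rather than IdM defaults.

```python
"""Audit the SOA timers and the transfer ACL of an IdM primary zone and
assemble the `ipa dnszone-mod` call that would correct the findings.

Added example; it is not part of the Red Hat documentation or of the
IdM project. ZONE_SHOW is a constructed sample of `ipa dnszone-show`
output. The checks follow RFC 1912 section 2.2 guidance on SOA timers
plus a local policy that transfers must never be open to "any"; the
thresholds are choices for this example, not IdM defaults.
"""
import shlex
import subprocess
import sys

# Constructed sample of `ipa dnszone-show idm.example.com` with
# deliberately poor values: retry longer than refresh, expire too short,
# and transfers allowed from anywhere.
ZONE_SHOW = """\
  Zone name: idm.example.com.
  Active zone: True
  Authoritative nameserver: server.idm.example.com.
  Administrator e-mail address: hostmaster.idm.example.com.
  SOA serial: 1712345678
  SOA refresh: 3600
  SOA retry: 7200
  SOA expire: 3600
  SOA minimum: 3600
  Dynamic update: True
  Allow query: any;
  Allow transfer: any;
"""


def parse_zone_show(text):
    """Turn the 'Key: value' lines printed by ipa dnszone-show into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def audit_zone(attrs, secondaries):
    """Return a list of (finding, dnszone-mod option) pairs.

    secondaries: the IP addresses allowed to pull the zone; they become the
    replacement ACL when transfers are found wide open.
    """
    findings = []
    refresh = int(attrs["SOA refresh"])
    retry = int(attrs["SOA retry"])
    expire = int(attrs["SOA expire"])

    # A secondary retries a failed refresh after `retry` seconds, which only
    # makes sense if that is shorter than the refresh interval itself.
    if retry >= refresh:
        findings.append(("SOA retry is not shorter than SOA refresh",
                         f"--retry={refresh // 2}"))
    # Unless expire is comfortably longer than refresh + retry, one outage
    # makes secondaries discard the zone before they can recover.
    if expire <= refresh + retry:
        findings.append(("SOA expire is shorter than one failed refresh cycle",
                         "--expire=1209600"))

    # ipa prints the ACL as semicolon-terminated entries, e.g. "any;" or
    # "192.0.2.1;198.51.100.1;"; "none;" is the default.
    acl = [e.strip() for e in attrs.get("Allow transfer", "none;").split(";")
           if e.strip()]
    if "any" in acl:
        findings.append(("zone transfers are allowed from any host",
                         "--allow-transfer=" + ";".join(secondaries)))
    return findings


def build_mod_command(zone, findings):
    """Assemble the argv for one ipa dnszone-mod call fixing all findings."""
    return ["ipa", "dnszone-mod", zone] + [option for _, option in findings]


if __name__ == "__main__":
    # python3 zone_audit.py              -> audits the constructed sample
    # python3 zone_audit.py ZONE IP...   -> audits a live zone on an IdM server
    if len(sys.argv) > 2:
        zone, secondaries = sys.argv[1], sys.argv[2:]
        text = subprocess.run(["ipa", "dnszone-show", zone], check=True,
                              capture_output=True, text=True).stdout
    else:
        text, secondaries = ZONE_SHOW, ["192.0.2.1", "198.51.100.1"]
    findings = audit_zone(parse_zone_show(text), secondaries)
    for problem, option in findings:
        print(f"{problem}: {option}")
    if findings:
        zone = parse_zone_show(text)["Zone name"].rstrip(".")
        # shlex.join quotes the ';'-separated ACL so the line is safe to paste
        print("fix with:", shlex.join(build_mod_command(zone, findings)))
```

With the sample, the suggested retry of 1800 seconds matches the page's own dnszone-mod example, and the printed command carries the allow-transfer value in quotes, which is what a shell needs because an unquoted `;` would end the command.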
2.10. Zone transfers in IdM
Zone transfers copy resource records between name servers to ensure data consistency. Identity Management (IdM) supports the AXFR and IXFR standards to distribute authoritative data to servers outside the primary zone.
In an Identity Management (IdM) deployment that has integrated DNS, you can use zone transfers to copy all resource records from one name server to another. Name servers maintain authoritative data for their zones. If you make changes to zone A on a DNS server that is authoritative for it, you must distribute the changes among the other name servers in the IdM DNS domain that are outside zone A.
The IdM-integrated DNS can be written to by different servers simultaneously. The Start of Authority (SOA) serial numbers in IdM zones are not synchronized among the individual IdM DNS servers. For this reason, configure your DNS servers outside the to-be-transferred zone to only use one specific DNS server inside the to-be-transferred zone. This prevents zone transfer failures caused by non-synchronized SOA serial numbers.
IdM supports zone transfers according to the RFC 5936 (AXFR) and RFC 1995 (IXFR) standards.
2.11. Enabling zone transfers in IdM Web UI
Authorize specific name servers to receive zone records by updating the Allow transfer setting in the IdM Web UI. This defines the list of IP addresses that are permitted to request full zone data.
Prerequisites
- You are logged in as IdM administrator.
Procedure
- In the IdM Web UI, click Network Services → DNS → DNS Zones.
- Click Settings.
- Under Allow transfer, specify the name servers to which you want to transfer the zone records.
Figure 2.1. Enabling zone transfers
- Click the button at the top of the DNS zone page to confirm the new configuration.
2.12. Enabling zone transfers in IdM CLI
Use the ipa dnszone-mod command with the --allow-transfer option to enable data distribution. This defines which external name servers can synchronize with the BIND service on the IdM host.
Prerequisites
- You are logged in as IdM administrator.
- You have root access to the secondary DNS servers.
Procedure
To enable zone transfers in the BIND service, enter the ipa dnszone-mod command and use the --allow-transfer option to specify the list of name servers outside the to-be-transferred zone to which the zone records will be transferred. Quote the list, because the semicolons that separate the entries would otherwise be interpreted by the shell as command separators. For example:
$ ipa dnszone-mod --allow-transfer="192.0.2.1;198.51.100.1;203.0.113.1" idm.example.com
Verification
- SSH to one of the DNS servers to which zone transfer has been enabled:
$ ssh 192.0.2.1
- Transfer the IdM DNS zone using a tool such as the dig utility:
# dig @ipa-server zone_name AXFR
If the command returns no error, you have successfully enabled zone transfer for zone_name.
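As an added example, not code from the documentation or from the IdM project, the following Python script covers both halves of this procedure: it builds the `--allow-transfer` value from a list of secondaries, rejecting anything that is not an IP address, a CIDR network or `none` (the named BIND ACLs and network names the option also accepts are deliberately not passed through by this validator), and it interprets the `dig ... AXFR` transcript from the verification step so the outcome can be checked by a script rather than by eye. The two dig transcripts, the server name ipa-server, the zone and the addresses are constructed placeholders; `valid_acl_entry`, `allow_transfer_value` and `parse_axfr` are names chosen here.

```python
"""Build a validated --allow-transfer value for ipa dnszone-mod and
interpret the `dig ... AXFR` transcript used to verify the result.

Added example; it is not part of the Red Hat documentation or of the
IdM project. The two dig transcripts are constructed samples of an
accepted and a refused transfer; ipa-server, the zone and the addresses
are placeholders.
"""
import ipaddress
import re
import shlex
import subprocess
import sys

# Constructed transcript of a successful `dig @ipa-server idm.example.com AXFR`
AXFR_OK = """\
; <<>> DiG 9.16.23-RH <<>> @ipa-server idm.example.com AXFR
; (1 server found)
;; global options: +cmd
idm.example.com.\t3600\tIN\tSOA\tserver.idm.example.com. hostmaster.idm.example.com. 1712345678 3600 900 1209600 3600
idm.example.com.\t3600\tIN\tNS\tserver.idm.example.com.
server.idm.example.com.\t1200\tIN\tA\t192.0.2.10
idm.example.com.\t3600\tIN\tSOA\tserver.idm.example.com. hostmaster.idm.example.com. 1712345678 3600 900 1209600 3600
;; Query time: 1 msec
;; SERVER: 192.0.2.10#53(ipa-server) (TCP)
;; WHEN: Tue Apr 09 10:00:00 UTC 2024
;; XFR size: 4 records (messages 1, bytes 180)
"""

# Constructed transcript of the same query from a host not in the ACL
AXFR_REFUSED = """\
; <<>> DiG 9.16.23-RH <<>> @ipa-server idm.example.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""


def valid_acl_entry(entry):
    """True for 'none' or an IP address / CIDR network; nothing else is
    accepted, so a typo cannot silently become a named ACL or a hostname."""
    if entry == "none":
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def allow_transfer_value(entries):
    """Join validated entries with ';' exactly as --allow-transfer expects."""
    cleaned = [e.strip() for e in entries if e.strip()]
    if not cleaned:
        raise ValueError("empty list; pass ['none'] to keep transfers disabled")
    bad = [e for e in cleaned if not valid_acl_entry(e)]
    if bad:
        raise ValueError(f"not an IP address or network: {bad}")
    return ";".join(cleaned)


def parse_axfr(output):
    """Summarise a dig AXFR transcript: did a complete zone come back?"""
    if "; Transfer failed." in output:
        return {"ok": False, "records": 0, "reason": "transfer refused or failed"}
    # Record lines are the ones dig does not prefix with ';'
    records = [l for l in output.splitlines() if l.strip() and not l.startswith(";")]
    size = re.search(r";; XFR size: (\d+) records", output)
    # A full AXFR is bracketed by the zone's SOA record at both ends
    bookended = (len(records) >= 2
                 and records[0].split()[3] == "SOA"
                 and records[-1].split()[3] == "SOA")
    if size and bookended and int(size.group(1)) == len(records):
        return {"ok": True, "records": len(records), "reason": "complete transfer"}
    return {"ok": False, "records": len(records), "reason": "incomplete or truncated output"}


if __name__ == "__main__":
    # On the IdM server:   python3 axfr_check.py acl ZONE IP [IP...]
    # On a secondary:      python3 axfr_check.py check IDM_SERVER ZONE
    mode, *args = sys.argv[1:] or ["demo"]
    if mode == "acl":
        zone, acl = args[0], allow_transfer_value(args[1:])
        # shlex.join quotes the ';'-separated value so it is safe to paste
        print(shlex.join(["ipa", "dnszone-mod", f"--allow-transfer={acl}", zone]))
    elif mode == "check":
        server, zone = args
        dig = subprocess.run(["dig", f"@{server}", zone, "AXFR"],
                             capture_output=True, text=True)
        print(parse_axfr(dig.stdout))
    else:
        print(parse_axfr(AXFR_OK), parse_axfr(AXFR_REFUSED))
```

Running the check from a host that is not in the ACL should yield the refused result; that negative test is as informative as the positive one, because it confirms the ACL is actually restricting transfers rather than only permitting the intended secondary.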