Red Hat SummitChapter 9. Updating DNS records when using external DNS
Keep your IdM DNS records up to date when using an external DNS server by using the nsupdate utility or the external DNS GUI. After topology changes, update the DNS records that external servers need to discover IdM services.
9.1. Prerequisites
- Your IdM deployment uses an external DNS server rather than integrated DNS.
-
The
bind-utilspackage is installed on the system runningnsupdate.
9.2. Updating external DNS records using nsupdate
Generate a DNS records file for use with the nsupdate utility to update external DNS records after topology changes in your IdM deployment. You can also add the command to a script to automate the process.
Procedure
To generate a file with the DNS records for
nsupdate, use the `ipa dns-update-system-records --dry-runcommand with the--outoption. The--outoption specifies the path of the file to generate:$ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate IPA DNS records: _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]The generated file contains the required DNS records in the format accepted by the
nsupdateutility.For example:
$ cat dns_records_file.nsupdate zone example.com. server 192.0.2.1 ; IPA DNS records update delete _kerberos-master._tcp.example.com. SRV update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]The generated records rely on:
- Automatic detection of the zone in which the records are to be updated.
Automatic detection of the zone’s authoritative server.
If you are using an atypical DNS setup or if zone delegations are missing,
nsupdatemight not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:-
server: specify the server name or port of the authoritative DNS server to whichnsupdatesends the records. -
zone: specify the name of the zone wherensupdateplaces the records.
9.3. Sending an nsupdate request secured using TSIG
Send an nsupdate request secured with Transaction Signature (TSIG) to update external DNS records using a shared secret key.
Prerequisites
- Your DNS server must be configured for TSIG.
- Both the DNS server and its client must have the shared key.
Procedure
Run the
nsupdatecommand and provide the shared secret using one of these options:-kto provide the TSIG authentication key:$ nsupdate -k tsig_key.file dns_records_file.nsupdate-yto generate a signature from the name of the key and from the Base64-encoded shared secret:$ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate
9.4. Sending an nsupdate request secured using GSS-TSIG
Send an nsupdate request secured with GSS-TSIG to update external DNS records using Kerberos-based authentication instead of a static shared key.
Prerequisites
- Your DNS server must be configured for GSS-TSIG.
This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API.
Procedure
Authenticate with a principal allowed to update the records:
$ kinit principal_allowed_to_update_records@REALMRun
nsupdatewith the-goption to enable the GSS-TSIG mode:$ nsupdate -g dns_records_file.nsupdate
9.5. Updating external DNS records with GUI
Update external DNS records using the external DNS GUI to reflect topology changes in your IdM deployment.
Procedure
Display the records that you must update:
$ ipa dns-update-system-records --dry-run IPA DNS records: _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]- Use the external DNS GUI to update the records.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}