33.10. Updating DNS Records Systematically When Using External DNS
When using external DNS, Identity Management does not update the DNS records automatically after a change in the topology. The following procedures explain how you can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.
For a basic overview, see Section 33.10.1, “Updating External DNS in Identity Management”.
For procedures and examples, see:
- Section 33.10.2, “GUI: Updating External DNS Records” if you use a GUI to manage the external DNS records
- Section 33.10.3, “Command Line: Updating External DNS Records Using
nsupdate
” if you use thensupdate
utility to manage the external DNS records
33.10.1. Updating External DNS in Identity Management
Updating DNS records removes old or invalid DNS records and adds new records.
You must update DNS records after a change in your topology, for example:
- After installing or uninstalling a replica
- After installing a CA, DNS, KRA, or Active Directory trust on an Identity Management server
33.10.2. GUI: Updating External DNS Records
- Display the records that you must update. Use the ipa dns-update-system-records --dry-run command.
$ ipa dns-update-system-records --dry-run IPA DNS records: _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]
- Use the external DNS GUI to update the records.
33.10.3. Command Line: Updating External DNS Records Using nsupdate
This section describes how to manually update external DNS records using the
nsupdate
utility. You can also use the commands from this section in a script to automate the process.
Generating a File with the DNS Records for nsupdate
- Use the ipa dns-update-system-records --dry-run command with the
--out
option. The option specifies the path of the file to generate:$ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate IPA DNS records: _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]
The generated file contains the required DNS records in the format accepted by thensupdate
utility. - The generated records rely on:
- Automatic detection of the zone in which the records are to be updated
- Automatic detection of the zone's authoritative server
If you are using an atypical DNS setup or if zone delegations are missing,nsupdate
might not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:server
specifies the server name or port of the authoritative DNS server to whichnsupdate
sends the recordszone
specifies the zone name of the zone wherensupdate
places the records
Example:$ cat dns_records_file.nsupdate zone example.com. server 192.0.2.1 ; IPA DNS records update delete _kerberos-master._tcp.example.com. SRV update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com. [... output truncated ...]
Submitting the Dynamic DNS Update Request to the Name Server
When sending a request using
nsupdate
, make sure you properly secure it. You can secure the request using these mechanisms:
- Transaction Signature (TSIG) protocol
- TSIG enables you to use
nsupdate
with a shared key. See Procedure 33.1, “Sending annsupdate
Request Secured Using TSIG”. - GSS algorithm for TSIG (GSS-TSIG)
- GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol. See Procedure 33.2, “Sending an
nsupdate
Request Secured Using GSS-TSIG”
Procedure 33.1. Sending an nsupdate
Request Secured Using TSIG
- Make sure you meet these prerequisites:
- Run
nsupdate
, and provide the shared secret using one of these options:-k
to provide the TSIG authentication key:$ nsupdate -k tsig_key.file dns_records_file.nsupdate
-y
to generate a signature from the name of the key and from the Base64-encoded shared secret:$ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate
Procedure 33.2. Sending an nsupdate
Request Secured Using GSS-TSIG
- Make sure you meet these prerequisites:
- Your DNS server must be configured for GSS-TSIG. See these server configuration examples: BIND, PowerDNS, Windows DNS.
NoteThis procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API. - To submit the DNS update request, authenticate with a principal allowed to update the records, and run
nsupdate
with the-g
option to enable the GSS-TSIG mode:$ kinit principal_allowed_to_update_records@REALM $ nsupdate -g dns_records_file.nsupdate