33.5. Managing Dynamic DNS Updates
33.5.1. Enabling Dynamic DNS Updates
Without dynamic DNS updates, the ipa-client-install script cannot add a DNS record pointing to the new client. Enabling dynamic updates requires the following:
- The DNS zone must be configured to allow dynamic updates
- The local clients must be configured to send dynamic updates
33.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates
Enabling Dynamic DNS Updates in the Web UI
- Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
Figure 33.16. DNS Zone Management
- Click on the zone name in the list of all zones to open the DNS zone page.
Figure 33.17. Editing a Master Zone
- Click Settings to switch to the DNS zone settings tab.
Figure 33.18. The Settings Tab in the Master Zone Edit Page
- Scroll down to the Dynamic update field, and set the value to True.
Figure 33.19. Enabling Dynamic DNS Updates
- Click Save at the top of the page to confirm the new configuration.
Enabling Dynamic DNS Updates from the Command Line
Use the ipa dnszone-mod command with the --dynamic-update=TRUE option. For example:
[user@server ~]$ ipa dnszone-mod server.example.com --dynamic-update=TRUE
33.5.1.2. Configuring the Clients to Send Dynamic Updates
Use the --enable-dns-updates option with the ipa-client-install script:
[root@client ~]# ipa-client-install --enable-dns-updates
The settings are stored in the client's SSSD configuration file. To edit them:
- Open the SSSD configuration file.
[root@server ~]# vim /etc/sssd/sssd.conf
- Find the domain section for the IdM domain.
[domain/ipa.example.com]
- If dynamic updates have not been enabled for the client, then set the dyndns_update value to true:
dyndns_update = true
- Add or edit the dyndns_ttl parameter to set the TTL of the client's dynamic DNS records, in seconds:
dyndns_ttl = 2400
33.5.2. Synchronizing A/AAAA and PTR Records
- Both forward and reverse zones must be managed by the IdM server.
- Both zones must have dynamic updates enabled. Enabling dynamic updates is covered in Section 33.5.1, “Enabling Dynamic DNS Updates”.
- PTR synchronization must be enabled for the master forward and reverse zone.
- The PTR record will be updated only if the name of the requesting client matches the name in the PTR record.
33.5.2.1. Configuring PTR Record Synchronization in the Web UI
- Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
Figure 33.20. DNS Zone Management
- Click on the zone name in the list of all zones to open the DNS zone page.
Figure 33.21. Editing a DNS Zone
- Click Settings to switch to the DNS zone settings tab.
Figure 33.22. The Settings Tab in the Master Zone Edit Page
- Select the Allow PTR sync check box.
Figure 33.23. Enabling PTR Synchronization
- Click Save at the top of the page to confirm the new configuration.
33.5.2.2. Configuring PTR Record Synchronization Using the Command Line
33.5.2.2.1. Configuring PTR Record Synchronization for a Specific Zone
To configure PTR record synchronization for the idm.example.com forward zone:
- Enable dynamic updates for the forward zone:
# ipa dnszone-mod idm.example.com. --dynamic-update=TRUE
- Configure the update policy of the forward zone:
# ipa dnszone-mod idm.example.com. --update-policy='grant IDM.EXAMPLE.COM krb5-self * A; grant IDM.EXAMPLE.COM krb5-self * AAAA; grant IDM.EXAMPLE.COM krb5-self * SSHFP;'
- Enable PTR Record synchronization for the forward zone:
# ipa dnszone-mod idm.example.com. --allow-sync-ptr=True
- Enable dynamic updates for the reverse zone:
# ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
33.5.2.2.2. Configuring PTR Record Synchronization Globally for all Zones
- To enable PTR synchronization for all zones on all servers at the same time:
# ipa dnsconfig-mod --allow-sync-ptr=true
- To enable the synchronization per-server:
  - Add the sync_ptr yes; setting to the dyndb "ipa" "/usr/lib64/bind/ldap.so" section in the /etc/named.conf file:
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    ...
    sync_ptr yes;
};
  - Restart IdM:
# ipactl restart
  - Repeat the steps on each IdM server with a DNS service installed.
33.5.3. Updating DNS Dynamic Update Policies
The dynamic update policy of a zone corresponds to the BIND update-policy statement in the /etc/named.conf file. For more information on dynamic update policies, see the BIND 9 documentation.
Updating DNS Update Policies in the Web UI
- Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
Figure 33.24. DNS Zone Management
- Click on the zone name in the list of all zones to open the DNS zone page.
Figure 33.25. Editing a DNS Zone
- Click Settings to switch to the DNS zone settings tab.
Figure 33.26. The Settings Tab in the Master Zone Edit Page
- Set the required update policies in a semi-colon separated list in the BIND update policy text box.
Figure 33.27. DNS Update Policy Settings
- Click Save at the top of the DNS zone page to confirm the new configuration.
Updating DNS Update Policies from the Command Line
Use the ipa dnszone-mod command with the --update-policy option and add the access control rule in a statement after the option. For example:
$ ipa dnszone-mod zone.example.com --update-policy "grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
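The krb5-self grants shown above, and in Section 33.5.2.2.1, limit each client to its own A, AAAA and SSHFP records. As an added example that is not part of this documentation, the following Python linter parses such a policy string before it is passed to ipa dnszone-mod and flags grants broader than those examples; the realm argument, the allowed-type set and the WEAK_POLICY sample are constructed assumptions.

```python
"""Lint an IdM DNS update policy string before passing it to
ipa dnszone-mod --update-policy (added example, not from the documentation)."""
import shlex

# Record types the documented krb5-self policies let a client update for
# its own host name (assumption: PTR records come from PTR synchronization).
ALLOWED_TYPES = {"A", "AAAA", "SSHFP"}

# Policy from Section 33.5.2.2.1, and a constructed loose policy for contrast.
DOC_POLICY = ("grant IDM.EXAMPLE.COM krb5-self * A; "
              "grant IDM.EXAMPLE.COM krb5-self * AAAA; "
              "grant IDM.EXAMPLE.COM krb5-self * SSHFP;")
WEAK_POLICY = "grant EXAMPLE.COM krb5-self * ANY; grant * wildcard * A;"


def parse_update_policy(policy):
    """Split a semicolon-separated policy into rule dicts.

    BIND grammar: (grant|deny) identity ruletype [name] [types...].
    A rule without a types list matches any updatable type ("ANY").
    """
    rules = []
    for stmt in policy.split(";"):
        tokens = shlex.split(stmt)
        if not tokens:
            continue  # empty statement after the trailing semicolon
        if len(tokens) < 3 or tokens[0] not in ("grant", "deny"):
            raise ValueError("malformed update-policy rule: %r" % stmt.strip())
        rules.append({"action": tokens[0], "identity": tokens[1],
                      "ruletype": tokens[2],
                      "name": tokens[3] if len(tokens) > 3 else "*",
                      "types": set(tokens[4:]) or {"ANY"}})
    return rules


def lint_update_policy(policy, realm, allowed_types=ALLOWED_TYPES):
    """Return findings for grants broader than 'own host, own A/AAAA/SSHFP,
    authenticated by a Kerberos host principal of the IdM realm'.
    An empty list means the policy is as tight as the documented examples."""
    findings = []
    for rule in parse_update_policy(policy):
        if rule["action"] != "grant":
            continue  # deny rules only narrow access
        where = "%s %s %s" % (rule["action"], rule["identity"], rule["ruletype"])
        if rule["ruletype"] != "krb5-self":
            findings.append(where + ": not krb5-self, so a client may update names other than its own")
        if rule["identity"] != realm:
            findings.append(where + ": identity is not the IdM realm %s" % realm)
        extra = rule["types"] - allowed_types
        if extra:
            findings.append(where + ": grants extra record types %s" % sorted(extra))
    return findings
```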