Chapter 33. Managing DNS
An Identity Management server can be installed without integrated DNS services so that it uses an external DNS service or with DNS configured. See Section 2.3, “Installing an IdM Server: Introduction” and Section 2.3.1, “Determining Whether to Use Integrated DNS” for details.
If the DNS service is configured within the domain, IdM offers the administrator a significant amount of flexibility and control over DNS settings. For example, DNS entries for the domain, such as host entries, locations, or records, can be managed using native IdM tools, and clients can update their own DNS records dynamically.
Most documentation and tutorials available for BIND version 9.9 also apply to IdM DNS, because the majority of configuration options work the same way in BIND and in IdM. This chapter mostly focuses on the notable differences between BIND and IdM.
33.1. BIND in Identity Management
IdM integrates BIND DNS server version 9.9 with an LDAP database used for data replication and with Kerberos for DNS update signing using the GSS-TSIG protocol [3]. This enables convenient DNS management using IdM tools and at the same time increases resiliency because IdM-integrated DNS servers support multi-master operations, allowing all IdM-integrated DNS servers to accept DNS updates from clients without having a single point of failure.
The default IdM DNS configuration is suitable for internal networks that are not accessible from the public Internet. If the IdM DNS server is accessible from the public Internet, Red Hat recommends applying the usual hardening applicable to the BIND service, described in the Red Hat Enterprise Linux Networking Guide.
Note
It is not possible to run BIND integrated with IdM inside a chroot environment.
The BIND (Berkeley Internet Name Domain) implementation of the DNS (Domain Name System) protocols in Red Hat Enterprise Linux includes the named DNS server. named-pkcs11 is a version of the BIND DNS server built with native support for the PKCS#11 cryptographic standard.
BIND integrated with IdM communicates with the Directory Server using the bind-dyndb-ldap plug-in. IdM creates a dynamic-db configuration section in the /etc/named.conf file for the BIND service, which configures the bind-dyndb-ldap plug-in for the BIND named-pkcs11 service.
The most notable difference between standard BIND and IdM DNS is that IdM stores all DNS information as LDAP entries. Every domain name is represented as an LDAP entry, and every resource record is stored as an LDAP attribute of that entry. For example, the following client1.example.com. domain name contains three A records and one AAAA record:
dn: idnsname=client1,idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectclass: top
objectclass: idnsrecord
idnsname: client1
Arecord: 192.0.2.1
Arecord: 192.0.2.2
Arecord: 192.0.2.3
AAAArecord: 2001:DB8::ABCD
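Because every DNS name is an LDAP entry and every record an attribute, an administrator can audit the whole DNS tree from an LDIF export without touching BIND. The following script is an added example, not code from this guide or from IdM: it parses LDIF as ldapsearch -LLL prints it, rebuilds each owner name from the idnsname RDNs in the entry DN (host RDN first, zone RDN second), turns every <TYPE>record attribute into a resource record, and flags A/AAAA values of the wrong address family and owners that mix CNAME with other data. The sample LDIF is constructed: the client1 entry is the one shown above; the zone apex and www entries are assumed for illustration.

```python
"""Export and sanity-check IdM DNS data from an LDIF dump (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `ldapsearch -LLL -b cn=dns,dc=idm,dc=example,dc=com`.
# The client1 entry is the one from the text; apex and www entries are assumed.
SAMPLE_LDIF = """\
dn: idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectClass: top
objectClass: idnszone
objectClass: idnsrecord
idnsName: example.com.
NSRecord: server.example.com.

dn: idnsname=client1,idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectclass: top
objectclass: idnsrecord
idnsname: client1
Arecord: 192.0.2.1
Arecord: 192.0.2.2
Arecord: 192.0.2.3
AAAArecord: 2001:DB8::ABCD

dn: idnsname=www,idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectclass: top
objectclass: idnsrecord
idnsname: www
CNAMErecord: client1.example.com.
"""

RDN_RE = re.compile(r"^\s*idnsname=(.+?)\s*$", re.IGNORECASE)
ADDRESS_TYPES = {"A": ipaddress.IPv4Address, "AAAA": ipaddress.IPv6Address}


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; folded lines are unfolded first.
    Base64 ('::') values are not handled because DNS data does not use them."""
    entries, current = [], None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip() or line.startswith("#"):   # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if current:
                entries.append(current)
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    if current:
        entries.append(current)
    return entries


def owner_name(dn):
    """host.zone from the idnsname RDNs in DN order; '@' means the zone apex.
    Escaped commas in DN values are not handled (they do not occur in names)."""
    labels = [m.group(1) for rdn in dn.split(",") for m in [RDN_RE.match(rdn)] if m]
    if not labels:
        raise ValueError("not a DNS entry: " + dn)
    if labels[0] == "@" and len(labels) > 1:
        labels = labels[1:]
    fqdn = ".".join(labels)
    return fqdn if fqdn.endswith(".") else fqdn + "."


def records_from_ldif(text):
    """Return [(owner, TYPE, rdata)] for every <TYPE>record attribute."""
    records = []
    for dn, attrs in parse_ldif(text):
        owner = owner_name(dn)
        for attr, values in attrs.items():
            if attr.endswith("record"):
                rtype = attr[: -len("record")].upper()
                records.extend((owner, rtype, v) for v in values)
    return records


def validate(records):
    """Problems: malformed or wrong-family A/AAAA rdata, and owners that
    combine CNAME with other record types (forbidden by RFC 1034)."""
    problems, types_by_owner = [], defaultdict(set)
    for owner, rtype, rdata in records:
        types_by_owner[owner].add(rtype)
        family = ADDRESS_TYPES.get(rtype)
        if family is not None:
            try:
                family(rdata)          # raises ValueError on a bad address
            except ValueError:
                problems.append(f"{owner} {rtype} {rdata}: not a valid {rtype} address")
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME cannot coexist with {','.join(sorted(types - {'CNAME'}))}")
    return problems


def zone_lines(records):
    """Render records as zone-file lines, e.g. to diff against `dig AXFR` output."""
    return [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records]


if __name__ == "__main__":
    recs = records_from_ldif(SAMPLE_LDIF)
    print("\n".join(zone_lines(recs)))
    for problem in validate(recs):
        print("PROBLEM:", problem)
```

The script is read-only by design: it produces a zone-file view and a problem list, and any fix it suggests should still be applied with the IdM tools rather than by editing the LDAP entries or named.conf directly.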
Important
To edit DNS data or BIND configuration, always use the IdM tools described in this chapter.