Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Configuring External Services

Some environments have existing DNS, DHCP, and TFTP services and do not need to use the Satellite Server to provide these services. If you want to use external servers to provide DNS, DHCP, or TFTP, you can configure them for use with Satellite Server.

If you want to disable these services in Satellite in order to manage them manually, see Disabling DNS, DHCP, and TFTP for Unmanaged Networks for more information.

4.1. Configuring Satellite with External DNS

You can configure Satellite to use an external server to provide DNS service.

  1. Deploy a Red Hat Enterprise Linux Server and install the ISC DNS Service.

    Copy to Clipboard Toggle word wrap 
    # yum install bind bind-utils

  2. Create the configuration file for a domain.

    The following example configures a domain virtual.lan as one subnet 192.168.38.0/24, a security key named capsule, and sets forwarders to Google’s public DNS addresses (8.8.8.8 and 8.8.4.4). 192.168.38.2 is the IP address of a DNS server and 192.168.38.1 is the IP address of a Satellite Server or a Capsule Server.

    Copy to Clipboard Toggle word wrap 
    # cat /etc/named.conf
include "/etc/rndc.key";

controls  {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "capsule"; };
    inet 192.168.38.2 port 953 allow { 192.168.38.1; 192.168.38.2; } keys { "capsule"; };
};

options  {
    directory "/var/named";
    forwarders { 8.8.8.8; 8.8.4.4; };
};

include "/etc/named.rfc1912.zones";

zone "38.168.192.in-addr.arpa" IN {
    type master;
    file "dynamic/38.168.192-rev";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};

zone "virtual.lan" IN {
    type master;
    file "dynamic/virtual.lan";
    update-policy {
        grant "capsule" zonesub ANY;
    };
};

    The inet line must be entered as one line in the configuration file.

  3. Create a key file.

    Copy to Clipboard Toggle word wrap 
    # ddns-confgen -k capsule

    This command can take a long time to complete.

  4. Copy and paste the output from the key section into a separate file called /etc/rndc.key.

    Copy to Clipboard Toggle word wrap 
    # cat /etc/rndc.key
key "capsule" {
        algorithm hmac-sha256;
        secret "GeBbgGoLedEAAwNQPtPh3zP56MJbkwM84UJDtaUS9mw=";
};
    Important

    This is the key used to change DNS server configuration. Only the root user should read and write to it.

  5. Create zone files.

    Copy to Clipboard Toggle word wrap 
    # cat /var/named/dynamic/virtual.lan
$ORIGIN .
$TTL 10800      ; 3 hours
virtual.lan             IN SOA  service.virtual.lan. root.virtual.lan. (
                                9          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN virtual.lan.
$TTL 86400      ; 1 day
capsule                 A       192.168.38.1
service                 A       192.168.38.2

  6. Create the reverse zone file.

    Copy to Clipboard Toggle word wrap 
    # cat /var/named/dynamic/38.168.192-rev
$ORIGIN .
$TTL 10800      ; 3 hours
38.168.192.in-addr.arpa IN SOA  service.virtual.lan. root.38.168.192.in-addr.arpa. (
                                4          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      service.virtual.lan.
$ORIGIN 38.168.192.in-addr.arpa.
$TTL 86400      ; 1 day
1                PTR     capsule.virtual.lan.
2                PTR     service.virtual.lan.

    There should be no extra non-ASCII characters.

4.2. Verifying and Starting the DNS Service

  1. Validate the syntax.

    Copy to Clipboard Toggle word wrap 
    # named-checkconf -z /etc/named.conf

  2. Start the server.

    Copy to Clipboard Toggle word wrap 
    # systemctl restart named

  3. Add a new host.

    The following uses the example host 192.168.38.2. You should change this to suit your environment.

    Copy to Clipboard Toggle word wrap 
    # echo -e "server 192.168.38.2\n \
update add aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key

  4. Test that the DNS service can resolve the new host.

    Copy to Clipboard Toggle word wrap 
    # nslookup aaa.virtual.lan 192.168.38.2

  5. If necessary, delete the new entry.

    Copy to Clipboard Toggle word wrap 
    # echo -e "server 192.168.38.2\n \
update delete aaa.virtual.lan 3600 IN A 192.168.38.10\n \
send\n" | nsupdate -k /etc/rndc.key

  6. Configure the firewall for external access to the DNS service (UDP and TCP on port 53).

    Copy to Clipboard Toggle word wrap 
    # firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
&& firewall-cmd --runtime-to-permanent

4.3. Configuring Satellite Server with External DHCP

You can use this section to configure your Red Hat Satellite Server to work with an external DHCP server.

To configure the DHCP server and share the DHCP configuration and lease files

  1. Deploy a Red Hat Enterprise Linux Server and install the ISC DHCP Service and Berkeley Internet Name Domain (BIND).

    Copy to Clipboard Toggle word wrap 
    # yum install dhcp bind

  2. Generate a security token in an empty directory.

    Copy to Clipboard Toggle word wrap 
    # dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key

    The above command can take a long time, for less-secure proof-of-concept deployments you can use a non-blocking random number generator.

    Copy to Clipboard Toggle word wrap 
    # dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key

    This creates the key pair in two files in the current directory.

  3. Copy the secret hash from the key.

    Copy to Clipboard Toggle word wrap 
    # cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2

  4. Edit the dhcpd configuration file for all of the subnets and add the key as in the example:

    Copy to Clipboard Toggle word wrap 
    # cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;
  5. Delete the two key files from the directory where you created them.

  6. Define each subnet on the Satellite Server.

    It is recommended to set up a lease range and reservation range separately to prevent conflicts. For example, the lease range is 192.168.38.10 to 192.168.38.100 so the reservation range (defined in the Satellite web UI) is 192.168.38.101 to 192.168.38.250. Do not set DHCP Capsule for the defined Subnet yet.

  7. Configure the firewall for external access to the DHCP server.

    Copy to Clipboard Toggle word wrap 
    # firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent

  8. Determine the UID and GID numbers of the foreman user on the Satellite Server.

    Copy to Clipboard Toggle word wrap 
    # id -u foreman
993
# id -g foreman
990

  9. Create the same user and group with the same IDs on the DHCP server.

    Copy to Clipboard Toggle word wrap 
    # groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman

  10. To make the configuration files readable, restore the read and execute flags.

    Copy to Clipboard Toggle word wrap 
    # chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

  11. Start the DHCP service.

    Copy to Clipboard Toggle word wrap 
    # systemctl start dhcpd

  12. Export the DHCP configuration and leases files using NFS.

    Copy to Clipboard Toggle word wrap 
    # yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd

  13. Create the DHCP configuration and leases files to be exported using NFS.

    Copy to Clipboard Toggle word wrap 
    # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp

  14. Add the following line to the /etc/fstab file to create mount points for the newly created directories.

    Copy to Clipboard Toggle word wrap 
    /var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

  15. Mount the file systems in /etc/fstab.

    Copy to Clipboard Toggle word wrap 
    # mount -a

  16. Ensure the following lines are present in /etc/exports:

    Copy to Clipboard Toggle word wrap 
    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

  17. Reload the NFS server.

    Copy to Clipboard Toggle word wrap 
    # exportfs -rva

  18. Configure the firewall for the DHCP omapi port 7911 for the Satellite Server.

    Copy to Clipboard Toggle word wrap 
    # firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent

  19. If required, configure the firewall for external access to NFS.

    Clients are configured using NFSv3.

    • Use the firewalld daemon’s NFS service to configure the firewall.

      Copy to Clipboard Toggle word wrap 
      # firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent

To configure the Satellite Server

  1. Install the NFS client.

    Copy to Clipboard Toggle word wrap 
    # yum install nfs-utils

  2. Create the DHCP directories for NFS.

    Copy to Clipboard Toggle word wrap 
    # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

  3. Change the file owner.

    Copy to Clipboard Toggle word wrap 
    # chown -R foreman-proxy /mnt/nfs

  4. Verify communication with the NFS server and RPC communication paths.

    Copy to Clipboard Toggle word wrap 
    # showmount -e your_DHCP_server_FQDN
# rpcinfo -p your_DHCP_server_FQDN

  5. Add the following lines to the /etc/fstab file:

    Copy to Clipboard Toggle word wrap 
    your_DHCP_server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

your_DHCP_server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

  6. Mount the file systems on /etc/fstab.

    Copy to Clipboard Toggle word wrap 
    # mount -a

  7. Read the relevant files.

    Copy to Clipboard Toggle word wrap 
    # su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

  8. Run the satellite-installer script to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file.

    Copy to Clipboard Toggle word wrap 
    # satellite-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=your_DHCP_server_FQDN

  9. Restart the foreman-proxy service.

    Copy to Clipboard Toggle word wrap 
    # systemctl restart foreman-proxy
  10. Log in to the Satellite Server web UI.
  11. Go to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the Actions drop-down list, select Refresh. The DHCP feature should appear.
  12. Associate the DHCP service with the appropriate subnets and domain.

4.4. Configuring Satellite Server with External TFTP

Use this procedure to configure your Satellite Server with external TFTP services.

You can use TFTP services through NAT, for more information see Using TFTP services through NAT in the Provisioning guide.

Before You Begin

Configure Satellite Server with External TFTP

  1. Install and enable the TFTP server.

    Copy to Clipboard Toggle word wrap 
    # yum install tftp-server syslinux

  2. Enable and activate the tftp.socket unit.

    Copy to Clipboard Toggle word wrap 
    # systemctl enable tftp.socket
# systemctl start tftp.socket

  3. Configure the PXELinux environment.

    Copy to Clipboard Toggle word wrap 
    # mkdir -p /var/lib/tftpboot/{boot,pxelinux.cfg,grub2}
# cp /usr/share/syslinux/{pxelinux.0,menu.c32,chain.c32} \
/var/lib/tftpboot/

  4. Restore SELinux file contexts.

    Copy to Clipboard Toggle word wrap 
    # restorecon -RvF /var/lib/tftpboot/

  5. Create the TFTP directory to be exported using NFS.

    Copy to Clipboard Toggle word wrap 
    # mkdir -p /exports/var/lib/tftpboot

  6. Add the newly created mount point to the /etc/fstab file.

    Copy to Clipboard Toggle word wrap 
    /var/lib/tftpboot /exports/var/lib/tftpboot none bind,auto 0 0

  7. Mount the file systems in /etc/fstab.

    Copy to Clipboard Toggle word wrap 
    # mount -a

  8. Ensure the following lines are present in /etc/exports:

    Copy to Clipboard Toggle word wrap 
    /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
     Copy to Clipboard Toggle word wrap 
    /exports/var/lib/tftpboot 192.168.38.1(rw,async,no_root_squash,no_subtree_check,nohide)

    The first line is common to the DHCP configuration and therefore should already be present if the previous procedure was completed on this system.

  9. Reload the NFS server.

    Copy to Clipboard Toggle word wrap 
    # exportfs -rva

4.4.1. Configuring the Firewall for External Access to TFTP

  1. Configure the firewall (UDP on port 69).

    Copy to Clipboard Toggle word wrap 
    # firewall-cmd --add-port="69/udp" \
&& firewall-cmd --runtime-to-permanent

4.5. Configuring Satellite or Capsule with External IdM DNS

Red Hat Satellite can be configured to use a Red Hat Identity Management (IdM) server to provide the DNS service. Two methods are described here to achieve this, both using a transaction key. For more information on Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

The first method is to install the IdM client which automates the process with the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. This method requires installing the IdM client on the Satellite Server or Capsule’s base system and having an account created by the IdM server administrator for use by the Satellite administrator. See Section 4.5.1, “Configuring Dynamic DNS Update with GSS-TSIG Authentication” to use this method.

The second method, secret key transaction authentication for DNS (TSIG), uses an rndc.key for authentication. It requires root access to the IdM server to edit the BIND configuration file, installing the BIND utility on the Satellite Server’s base system, and coping the rndc.key to between the systems. This technology is defined in RFC2845. See Section 4.5.2, “Configuring Dynamic DNS Update with TSIG Authentication” to use this method.

Note

You are not required to use Satellite to manage DNS. If you are using the Realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, then the ipa-client-install script creates DNS records for the client. The following procedure and Realm enrollment are therefore mutually exclusive. For more information on configuring Realm enrollment, see External Authentication for Provisioned Hosts in Administering Red Hat Satellite.

Determining where to install the IdM Client

When Satellite Server wants to add a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule and adds the record. The hosts themselves are not involved in this process. This means you should install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

4.5.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication

In this example, Satellite Server has the following settings.

Host name

satellite.example.com

Network

192.168.55.0/24

The IdM server has the following settings.

Host name

idm1.example.com

Domain name

example.com

Before you Begin.

  1. Confirm the IdM server is deployed and the host-based firewall has been configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
  2. Obtain an account on the IdM server with permissions to create zones on the IdM server.
  3. Confirm if the Satellite or an external Capsule is managing DNS for a domain.
  4. Confirm that the Satellite or external Capsule are currently working as expected.
  5. In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
  6. Make a backup of the answer file in case you have to revert the changes. See Specifying Installation Options for more information.

Create a Kerberos Principal on the IdM Server.

  1. Ensure you have a Kerberos ticket.

    Copy to Clipboard Toggle word wrap 
    # kinit idm_user

    Where idm_user is the account created for you by the IdM administrator.

  2. Create a new Kerberos principal for the Satellite or Capsule to use to authenticate to the IdM server.

    Copy to Clipboard Toggle word wrap 
    # ipa service-add capsule/satellite.example.com

Install and Configure the IdM Client.

Do this on the Satellite or Capsule Server that is managing the DNS service for a domain.

  1. Install the IdM client package.

    Copy to Clipboard Toggle word wrap 
    # yum install ipa-client

  2. Configure the IdM client by running the installation script and following the on-screen prompts.

    Copy to Clipboard Toggle word wrap 
    # ipa-client-install

  3. Ensure you have a Kerberos ticket.

    Copy to Clipboard Toggle word wrap 
    # kinit admin

  4. Remove any preexisting keytab.

    Copy to Clipboard Toggle word wrap 
    # rm /etc/foreman-proxy/dns.keytab

  5. Get the keytab created for this system.

    Copy to Clipboard Toggle word wrap 
    # ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab
    Note

    When adding a keytab to a standby system with the same host name as the original system in service, add the r option to prevent generating new credentials and rendering the credentials on the original system invalid.

  6. Set the group and owner for the keytab file to foreman-proxy as follows.

    Copy to Clipboard Toggle word wrap 
    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

  7. If required, check the keytab is valid.

    Copy to Clipboard Toggle word wrap 
    # kinit -kt /etc/foreman-proxy/dns.keytab \
capsule/satellite.example.com@EXAMPLE.COM

Configure DNS Zones in the IdM web UI.

  1. Create and configure the zone to be managed:

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add and enter the zone name. In this example, example.com.
    3. Click Add and Edit.

    4. On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list.

      Copy to Clipboard Toggle word wrap 
      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    5. Ensure Dynamic update is set to True.
    6. Enable Allow PTR sync.
    7. Select Save to save the changes.

  2. Create and Configure the reverse zone.

    1. Navigate to Network Services > DNS > DNS Zones.
    2. Select Add.
    3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
    4. Click Add and Edit.

    5. On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list:

      Copy to Clipboard Toggle word wrap 
      grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    6. Ensure Dynamic update is set to True.
    7. Select Save to save the changes.

Configure the Satellite or Capsule Server Managing the DNS Service for the Domain.

  • On a Satellite Server’s Base System.

    Copy to Clipboard Toggle word wrap 
    satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

  • On a Capsule Server’s Base System.

    Copy to Clipboard Toggle word wrap 
    satellite-installer --scenario capsule \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

Restart the Satellite or Capsule’s Proxy Service.

Copy to Clipboard Toggle word wrap 
# systemctl restart foreman-proxy

Update the Configuration in Satellite web UI.

After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:

  1. Navigate to Infrastructure > Capsules.
  2. For each Capsule to be updated, from the Actions drop-down menu, select Refresh.

  3. Configure the domain:

    1. Go to Infrastructure > Domains and select the domain name.
    2. On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.

  4. Configure the subnet:

    1. Go to Infrastructure > Subnets and select the subnet name.
    2. On the Subnet tab, set IPAM to None.
    3. On the Domains tab, ensure the domain to be managed by the IdM server is selected.
    4. On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
    5. Click Submit to save the changes.

4.5.2. Configuring Dynamic DNS Update with TSIG Authentication

In this example, Satellite Server has the following settings.

IP address

192.168.25.1

Host name

satellite.example.com

The IdM server has the following settings.

Host name

idm1.example.com

IP address

192.168.25.2

Domain name

example.com

Before you Begin

  1. Confirm the IdM Server is deployed and the host-based firewall has been configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
  2. Obtain root user privileges on the IdM server.
  3. Confirm if the Satellite or an external Capsule is managing DNS for a domain.
  4. Confirm that the Satellite or external Capsule are currently working as expected.
  5. In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
  6. Make a backup of the answer file in case you have to revert the changes. See Specifying Installation Options for more information.

Enabling External Updates to the DNS Zone in the IdM Server

  1. On the IdM Server, add the following to the top of the /etc/named.conf file.

    Copy to Clipboard Toggle word wrap 
    // This was added to allow Satellite Server at 192.168.25.1 to make DNS updates.
########################################################################
include "/etc/rndc.key";
controls  {
inet 192.168.25.2 port 953 allow { 192.168.25.1; } keys { "rndc-key"; };
};
########################################################################

  2. Reload named to make the changes take effect.

    Copy to Clipboard Toggle word wrap 
    # systemctl reload named

  3. In the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone. On the Settings tab:

    1. Add the following in the BIND update policy box.

      Copy to Clipboard Toggle word wrap 
      grant "rndc-key" zonesub ANY;
    2. Ensure Dynamic update is set to True.
    3. Click Update to save the changes.

  4. Copy the /etc/rndc.key file from the IdM server to Satellite’s base system as follows.

    Copy to Clipboard Toggle word wrap 
    # scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key

  5. Ensure that the ownership, permissions, and SELinux context are correct.

    Copy to Clipboard Toggle word wrap 
    # restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key

  6. On Satellite Server, run the installation script as follows to use the external DNS server.

    Copy to Clipboard Toggle word wrap 
    # satellite-installer --scenario satellite \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="192.168.25.2" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Testing External Updates to the DNS Zone in the IdM Server

  1. Install bind-utils for testing with nsupdate.

    Copy to Clipboard Toggle word wrap 
    # yum install bind-utils

  2. Ensure the key in the /etc/rndc.key file on Satellite Server is the same one as used on the IdM server.

    Copy to Clipboard Toggle word wrap 
    key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};

  3. On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.

    Copy to Clipboard Toggle word wrap 
    # echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

  4. On Satellite Server, test the DNS entry.

    Copy to Clipboard Toggle word wrap 
    # nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20
  5. To view the entry in the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone and search for the host by name.

  6. If resolved successfully, remove the test DNS entry.

    Copy to Clipboard Toggle word wrap 
    # echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

  7. Confirm that the DNS entry was removed.

    Copy to Clipboard Toggle word wrap 
    # nslookup test.example.com 192.168.25.1

    The above nslookup command fails and outputs the SERVFAIL error message if the record was successfully deleted.

4.5.3. Reverting to Internal DNS Service

To revert to using Satellite Server and Capsule Server as DNS providers, follow this procedure.

On the Satellite or Capsule Server that is to manage DNS for the domain.

  • If you backed up the answer file before the change to external DNS, restore the answer file and then run the installation script:

    Copy to Clipboard Toggle word wrap 
    # satellite-installer

  • If you do not have a suitable backup of the answer file, back up the answer file now, and then run the installation script on Satellite and Capsules as described below.

    See Specifying Installation Options for more information on the answer file.

To configure Satellite or Capsule as DNS server without using an answer file.

Copy to Clipboard Toggle word wrap 
# satellite-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1"  \
--foreman-proxy-dns-tsig-principal="foremanproxy/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab

See Configuring DNS, DHCP, and TFTP on Capsule Server for more information.

Update the Configuration in Satellite web UI.

After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:

  1. Navigate to Infrastructure > Capsules.
  2. For each Capsule to be updated, from the Actions drop-down menu, select Refresh.

  3. Configure the domain:

    1. Go to Infrastructure > Domains and select the domain name.
    2. On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.

  4. Configure the subnet:

    1. Go to Infrastructure > Subnets and select the subnet name.
    2. On the Subnet tab, set IPAM to DHCP or Internal DB.
    3. On the Domains tab, ensure the domain to be managed by the Satellite or Capsule is selected.
    4. On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
    5. Click Submit to save the changes.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.