Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Chapter 99. Updating DNS records systematically when using external DNS

When using external DNS, Identity Management (IdM) does not update the DNS records automatically after a change in the topology. You can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.

Updating DNS records removes old or invalid DNS records and adds new records. You must update DNS records after a change in your topology, for example:

  • After installing or uninstalling a replica
  • After installing a CA, DNS, KRA, or Active Directory trust on an IdM server

99.1. Updating external DNS records with GUI
Copiar enlace

If you have made any changes to your topology, you must update the external DNS records by using the external DNS GUI.

Procedure

  1. Display the records that you must update: 

    $ ipa dns-update-system-records --dry-run
 IPA DNS records:
   _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
   _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap
  2. Use the external DNS GUI to update the records.

99.2. Updating external DNS records using nsupdate
Copiar enlace

You can update external DNS records using the nsupdate utility. You can also add the command to a script to automate the process. To update with the nsupdate utility, you need to generate a file with the DNS records, and then proceed with either sending an nsupdate request secured using TSIG, or sending an nsupdate request secured using the GSS-TSIG.

Procedure

  • To generate a file with the DNS records for nsupdate, use the `ipa dns-update-system-records --dry-run command with the --out option. The --out option specifies the path of the file to generate: 

    $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
 IPA DNS records:
   _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
   _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap

    The generated file contains the required DNS records in the format accepted by the nsupdate utility.

  • The generated records rely on:

    • Automatic detection of the zone in which the records are to be updated.

    • Automatic detection of the zone’s authoritative server.

      If you are using an atypical DNS setup or if zone delegations are missing, nsupdate might not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:

    • server: specify the server name or port of the authoritative DNS server to which nsupdate sends the records.

    • zone: specify the name of the zone where nsupdate places the records.

      Example 99.1. Generated record

      $ cat dns_records_file.nsupdate
zone example.com.
server 192.0.2.1
; IPA DNS records
update delete _kerberos-master._tcp.example.com. SRV
update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
      Copy to Clipboard Toggle word wrap

99.3. Sending an nsupdate request secured using TSIG
Copiar enlace

When sending a request using nsupdate, make sure you properly secure it. Transaction signature (TSIG) enables you to use nsupdate with a shared key.

Prerequisites

  • Your DNS server must be configured for TSIG.
  • Both the DNS server and its client must have the shared key.

Procedure

  • Run the nsupdate command and provide the shared secret using one of these options:

    • -k to provide the TSIG authentication key: 

      $ nsupdate -k tsig_key.file dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap

    • -y to generate a signature from the name of the key and from the Base64-encoded shared secret: 

      $ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap

99.4. Sending an nsupdate request secured using GSS-TSIG
Copiar enlace

When sending a request using nsupdate, make sure you properly secure it. GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol.

Prerequisites

  • Your DNS server must be configured for GSS-TSIG.
Note

This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API.

Procedure

  1. Authenticate with a principal allowed to update the records: 

    $ kinit principal_allowed_to_update_records@REALM
    Copy to Clipboard Toggle word wrap

  2. Run nsupdate with the -g option to enable the GSS-TSIG mode: 

    $ nsupdate -g dns_records_file.nsupdate
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba