
Chapter 29. Securing DNS with DoT in IdM


You can secure DNS traffic in Identity Management (IdM) deployments by enabling encrypted DNS (eDNS) that uses DNS-over-TLS (DoT). This ensures that all DNS queries and responses between DNS clients and IdM DNS servers are encrypted. You can deploy IdM with DoT by using the IdM CLI commands. Starting with RHEL 9.7, you can also use the ansible-freeipa package to do the deployment.

Important

Encrypted DNS in IdM is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

29.1. Encrypted DNS in IdM

Encrypted DNS (eDNS), using DNS over TLS (DoT), encrypts all DNS queries and responses between IdM DNS clients and servers. IdM configures the unbound service as a local caching resolver on clients and uses the BIND service to receive DoT requests on servers.

By default, IdM uses the relaxed DNS policy, which allows fallback to unencrypted DNS if DoT is unavailable. When using the relaxed policy, IdM clients and replicas automatically detect DoT-capable DNS servers during installation.

For encrypted-only communication, you can configure the --dns-policy enforced option. This setting strictly requires DoT for all DNS resolution and rejects any unencrypted requests. Before installation, you must manually preconfigure both client and replica systems to trust the IdM server’s DoT certificate and use it for eDNS resolution.

IdM provides an optional integrated DNS server. When you use the integrated DNS server, IdM automatically manages SRV and other service records as you modify the topology. If you require advanced features such as DNS views, you can manage your DNS records manually on an external DNS server. The integrated IdM DNS is not a general-purpose DNS solution.

When setting up eDNS for your IdM servers, replicas, and clients, you can either use the IdM Certificate Authority (CA) service for certificate management or provide your own certificates. If you do not provide a certificate, the IdM CA automatically generates and assigns TLS certificates for the DNS service.

29.2. Installing an IdM server configured to use eDNS

You can install an IdM server with DoT enabled by performing a non-interactive installation using the ipa-server-install utility. This procedure describes how to configure DoT with the enforced policy using the integrated DNS service. If the relaxed policy is sufficient, you can skip the steps that pre-configure clients and replicas to use DoT exclusively, because with the relaxed policy clients and replicas detect the DoT-capable IdM server automatically during their own installation.

You can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.

Prerequisites

  • Review the steps outlined in Preparing the system for IdM server installation.
  • For enforced DoT, complete the steps in Configuring client and replica systems to use DoT exclusively.
  • Ensure the following packages are installed:

    • ipa-server
    • ipa-server-dns
    • ipa-server-encrypted-dns
    • ipa-client-encrypted-dns

      Important

      The ipa-server-encrypted-dns package requires a newer version of the bind-utils package than the version installed by default on RHEL. Run sudo dnf install ipa-server ipa-server-encrypted-dns --allowerasing to allow the package manager to remove the older bind-utils package and install the version required by ipa-server-encrypted-dns.

Procedure

  1. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:

    # firewall-cmd --add-service=dns-over-tls
  2. Optional: To use a custom PEM-formatted certificate and key for DoT instead of one issued by the IdM CA, create the two files and make them readable by the named daemon. The following command creates a self-signed test certificate; with a certificate issued by an external CA, place the CA-issued certificate and its key at these paths instead. Use a validity period shorter than the 100 years shown (-days 36500) outside test environments, and keep the private key readable only by root and named:

    # openssl req \
      -newkey rsa:2048 \
      -nodes \
      -keyout /etc/pki/tls/certs/privkey.pem \
      -x509 \
      -days 36500 \
      -out /etc/pki/tls/certs/certificate.pem \
      -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
      chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem
  3. Install the IdM server with integrated DNS:
Note

If you do not strictly require DoT, you can omit the --dns-policy option. The installer then uses the default relaxed policy.

  • To install the IdM server with externally issued keys and certificates, specify the certificate and key paths:

    # ipa-server-install --setup-dns --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>" --dns-policy enforced --dns-over-tls-cert /etc/pki/tls/certs/certificate.pem --dns-over-tls-key /etc/pki/tls/certs/privkey.pem --no-dnssec-validation --auto-reverse --domain <domain_name> --realm <realm_name> --hostname <idm_server_fqdn> -p <admin_password> -a <admin_password> -U
  • To install the IdM server with the integrated IdM CA, run the following command:

    # ipa-server-install --setup-dns --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>" --dns-policy enforced --no-dnssec-validation --auto-reverse --domain <domain_name> --realm <realm_name> --hostname <idm_server_fqdn> -p <admin_password> -a <admin_password> -U
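
The optional certificate step above hands ipa-server-install a key pair that every client will later have to trust, so it is worth checking before installation. The following script is an added example and not part of the Red Hat procedure: gen_dot_cert creates the key and certificate for step 2 with the server name in a subjectAltName entry (TLS clients match the SAN; the CN alone is a legacy fallback), with the key created under a restrictive umask and a bounded lifetime, and dot_cert_check confirms that the certificate matches the IdM server FQDN, belongs to the key, and that the key is not group- or world-readable. It assumes OpenSSL 1.1.1 or later (for -addext) and GNU stat, and takes the output directory as an argument instead of the fixed /etc/pki/tls/certs path used on the page.

```shell
#!/bin/sh
# Added example, not from the Red Hat page: create and check the DoT server
# certificate before passing it to ipa-server-install. Assumes OpenSSL >= 1.1.1
# (-addext) and GNU coreutils stat.
set -eu

# gen_dot_cert <server_fqdn> <outdir> [days]
# Writes <outdir>/privkey.pem (mode 0600) and <outdir>/certificate.pem.
# Unlike the page's one-liner, the FQDN also goes into a subjectAltName
# dNSName entry and the validity defaults to 825 days instead of 100 years.
gen_dot_cert() {
  fqdn=$1; outdir=$2; days=${3:-825}
  mkdir -p "$outdir"
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -subj "/CN=${fqdn}" \
      -addext "subjectAltName=DNS:${fqdn}" \
      -addext "extendedKeyUsage=serverAuth" \
      -keyout "$outdir/privkey.pem" -out "$outdir/certificate.pem" \
      >/dev/null 2>&1
  )
  chmod 0644 "$outdir/certificate.pem"   # the certificate is public
  chmod 0600 "$outdir/privkey.pem"       # the key is not
}

# dot_cert_check <certificate.pem> <privkey.pem> <server_fqdn>
# Prints "ok" when the certificate is valid for the FQDN, carries a SAN,
# verifies under its own trust, belongs to the private key, and the key is
# mode 0600. Otherwise prints the first failing check and returns 1.
dot_cert_check() {
  cert=$1; key=$2; fqdn=$3
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' \
    || { echo "hostname-mismatch"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:${fqdn}" \
    || { echo "no-san"; return 1; }
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
    || { echo "verify-failed"; return 1; }
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
    || { echo "key-mismatch"; return 1; }
  mode=$(stat -c '%a' "$key")
  [ "$mode" = "600" ] || { echo "key-mode-$mode"; return 1; }
  echo ok
}

# Stand-alone use (hypothetical paths):
#   gen_dot_cert server.idm.example.com /tmp/dot
#   dot_cert_check /tmp/dot/certificate.pem /tmp/dot/privkey.pem server.idm.example.com
```

Once dot_cert_check prints ok, assign the files to named with chown named:named as in step 2 and pass them to ipa-server-install with --dns-over-tls-cert and --dns-over-tls-key; the same certificate.pem is what clients and replicas place under /etc/pki/ca-trust/source/anchors/ for the enforced policy.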

Troubleshooting

  1. Raise the logging level of the unbound service. A level set with unbound-control takes effect immediately and lasts until unbound is next restarted:

    # unbound-control verbosity 3
  2. If you instead raised the level by setting the verbosity option in the server section of /etc/unbound/unbound.conf, restart the unbound service to apply the changed configuration. Restarting also discards a level that was set with unbound-control:

    # systemctl restart unbound
  3. Monitor real-time logs of the unbound service:

    $ journalctl -u unbound -f

29.3. Configuring client and replica systems to use DoT exclusively

To enforce DoT communication, you must configure clients and replica systems to trust the IdM server’s DoT certificate and to use a DoT-capable resolver. You must update the DNS settings in NetworkManager to enable eDNS communication. This configuration is required only when the IdM server was installed with --dns-policy enforced.

Prerequisites

  • Review the steps outlined in Preparing the system for IdM client installation and Preparing the system for an IdM replica installation.
  • Ensure the following packages are installed:

    • ipa-server-encrypted-dns
    • ipa-client-encrypted-dns

      Important

      The ipa-server-encrypted-dns package requires a newer version of the bind-utils package than the version installed by default on RHEL. Run sudo dnf install ipa-server ipa-server-encrypted-dns --allowerasing to allow the package manager to remove the older bind-utils package and install the version required by ipa-server-encrypted-dns.

Procedure

  1. Copy the IdM server’s DoT certificate to the client and replica system, into the directory for additional trust anchors. The copying user must be able to write to /etc/pki/ca-trust/source/anchors/ on the target; otherwise copy the file to a staging location first and move it there as root. If the server uses a custom DoT certificate, copy that certificate, or the CA certificate that issued it, instead of the IdM CA-issued bind_dot.crt.

    # scp /etc/pki/tls/certs/bind_dot.crt <username>@<ip>:/etc/pki/ca-trust/source/anchors/
  2. Update the system-wide trust store configuration:

    # update-ca-trust extract
  3. On the client and replica system, install the dnsconfd package:

    # dnf install dnsconfd
  4. Generate the default configuration files for DoT on your system:

    # dnsconfd config install
  5. Enable the dnsconfd service:

    # systemctl enable --now dnsconfd
  6. Reload NetworkManager to apply the configuration:

    # nmcli general reload
  7. Configure the system’s DNS settings in NetworkManager to use the IdM server over DoT. To have the resolver validate the server’s certificate against the server name rather than only encrypt the session, use the form dns+tls://<idm_server_ip>#<idm_server_fqdn>. Note that nmcli device modify changes the active device configuration only; to keep the setting across reactivation and reboots, apply the same value to the device’s connection profile with nmcli connection modify and reactivate the connection.

    # nmcli device modify <device_name> ipv4.dns dns+tls://<idm_server_ip>
    
    Connection successfully reapplied to device '<device_name>'.

29.4. Installing an IdM client configured to use eDNS

You can install an IdM client with DNS-over-TLS (DoT) enabled by performing a non-interactive installation. This setup is intended for an IdM server that uses the enforced DoT policy and requires the client to use eDNS queries exclusively.

Prerequisites

  • Review the steps outlined in Preparing the system for IdM client installation.
  • If the IdM server uses the enforced DoT policy, complete the steps in Configuring client and replica systems to use DoT exclusively.
  • The ipa-client-encrypted-dns package is installed.

Procedure

  • Install an IdM client with DoT enabled:

    # ipa-client-install --domain <domain_name> --dns-over-tls -p admin --password <admin_password> -U

Verification

  1. On the IdM client, review /etc/unbound/unbound.conf:

    $ cat /etc/unbound/unbound.conf
  2. Verify that the configuration forwards to the IdM server over TLS and contains both the IP address and the hostname of the IdM server. The hostname is what unbound uses to validate the server’s certificate.

Troubleshooting

  1. On the IdM client, run a DNS query to trigger traffic:

    $ dig <domain_name>
  2. Review the logs of the named service on the IdM server, for example with journalctl -u named, to verify that the query arrived over DoT on port 853 rather than over plain DNS. Individual queries appear only if query logging is enabled in BIND, for example with rndc querylog.

29.5. Installing an IdM replica configured to use eDNS

You can install an IdM replica with eDNS in an environment where the IdM server has DoT enabled.

When you install the replica with the integrated DNS service, the replica uses the same configuration as the IdM server. It runs BIND to handle incoming DNS queries, including encrypted queries, and uses unbound for outgoing encrypted DNS traffic.

When you install the replica without the integrated DNS service, the replica inherits the client-side configuration. It uses unbound with a DoT forwarder to send encrypted DNS queries to the IdM DNS server.

Prerequisites

  • Review the steps outlined in Preparing the system for an IdM replica installation.
  • If the IdM server uses the enforced DoT policy, complete the steps in Configuring client and replica systems to use DoT exclusively.
  • The ipa-server-encrypted-dns and ipa-client-encrypted-dns packages are installed.

Procedure

  1. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:

    # firewall-cmd --add-service=dns-over-tls
  2. Depending on whether you want the replica to manage DNS records, choose one of the following:

    • To install an IdM replica with integrated DNS:

      # ipa-replica-install --setup-dns --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>"
    • To install an IdM replica without integrated DNS:

      # ipa-replica-install --dns-over-tls

Verification

  • On the IdM server, list all replicas in the topology:

    # ipa-replica-manage list-ruv

29.6. Configuring an existing IdM DNS server to use eDNS

You can enable DNS-over-TLS (DoT) on an existing Identity Management (IdM) server by reconfiguring the integrated DNS service. Use the ipa-dns-install utility with DoT-specific options to update the DNS configuration without reinstalling the server.

Prerequisites

  • You have root access to the IdM server.
  • DNS is already installed on the IdM server.

Procedure

  1. Optional: Verify that your IdM server uses integrated DNS:

    $ ipa server-role-find --role 'DNS server'
    ---------------------
    1 server role matched
    ---------------------
      Server name: server.idm.example.com
      Role name: DNS server
      Role status: enabled
    ----------------------------
    Number of entries returned 1
    ----------------------------
  2. Install the ipa-server-encrypted-dns package on your IdM server:

    # dnf install ipa-server-encrypted-dns
  3. Update the integrated DNS service to enable DoT and configure DoT policy and forwarders:

    # ipa-dns-install --dns-over-tls --dot-forwarder "<server_ip>#<dns_server_hostname>" --dns-policy enforced -U

    For a complete list of options see the ipa-dns-install(1) man page on your system.

  4. Add the dns-over-tls service to the system firewall to open port 853/TCP for DoT traffic:

    # firewall-cmd --add-service=dns-over-tls

Verification

  • Verify that the firewall allows DoT traffic:

    # firewall-cmd --list-services

29.7. Configuration options for eDNS in IdM

Learn about the available configuration options for enabling eDNS in your IdM deployment. You can use the same options to enable eDNS during a new IdM server installation with the ipa-server-install command or to modify an existing installation with the ipa-dns-install command.

  • --dns-over-tls enables DoT.
  • --dot-forwarder specifies an upstream DoT server as <server_ip>#<dns_server_hostname>; the hostname is used to validate the upstream server’s certificate. Repeat the option for several upstreams: --dot-forwarder "<server_ip_1>#<dns_server_hostname_1>" --dot-forwarder "<server_ip_2>#<dns_server_hostname_2>".
  • --dns-over-tls-key and --dns-over-tls-cert configure a custom key and certificate for the DoT listener.
  • --dns-policy sets the DNS security policy:

    • --dns-policy=relaxed allows both encrypted (DoT) and unencrypted DNS queries. The system attempts to use DoT but falls back to unencrypted DNS if DoT is unavailable. This is the default policy.
    • --dns-policy=enforced requires only encrypted DNS communication. The system strictly enforces DoT, and rejects any DNS resolution that does not support encryption, including discovery from IdM clients and replicas.

29.8. Using Ansible to install an IdM server with an integrated CA configured to use eDNS

You can use the ipaserver role available in the ansible-freeipa package to install an Identity Management (IdM) server with an integrated IdM CA and DNS-over-TLS (DoT) enabled.

Important

You can select either the enforced or relaxed policy. By default, the installer uses the relaxed policy, which attempts DoT but allows fallback to standard, unencrypted DNS if a secure connection cannot be established. To apply the enforced policy, set the ipaserver_dns_policy variable to enforced in the vars section of the Ansible playbook.

For the configuration of DoT, you can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.

Prerequisites

Procedure

  1. Optional: To use a custom PEM-formatted certificate and key for DoT instead of one issued by the IdM CA:

    1. SSH to the host where you are going to install the IdM server:

      $ ssh root@server.idm.example.com
    2. Create the two files and assign ownership to the named daemon. The following command creates a self-signed test certificate; with a certificate issued by an external CA, place the CA-issued certificate and its key at these paths instead, and use a validity period shorter than the 100 years shown outside test environments:

      # openssl req \
      -newkey rsa:2048 \
      -nodes \
      -keyout /etc/pki/tls/certs/privkey.pem \
      -x509 \
      -days 36500 \
      -out /etc/pki/tls/certs/certificate.pem \
      -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
      chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem
    3. Exit the SSH session on the IdM server:

      # exit
  2. On the Ansible controller, create a playbook file named install-server-integrated-ca.yml with the instructions to install an IdM server with an integrated IdM CA:

    ---
    - name: Playbook to configure IPA server
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
        - "<server_ip>#<dns_server_hostname>"
        ipaserver_dns_over_tls: true
        ipaserver_auto_reverse: true
    
      roles:
      - role: ipaserver

    If you are using a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, add the following in the vars section:

    ipaserver_dns_over_tls_cert: /etc/pki/tls/certs/certificate.pem
    ipaserver_dns_over_tls_key: /etc/pki/tls/certs/privkey.pem
  3. Run the Ansible playbook:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-integrated-ca.yml

Troubleshooting

  1. SSH to the IdM server:

    # ssh root@server.idm.example.com
  2. Raise the logging level of the unbound service. A level set with unbound-control takes effect immediately and lasts until unbound is next restarted:

    # unbound-control verbosity 3
  3. If you instead raised the level by setting the verbosity option in the server section of /etc/unbound/unbound.conf, restart the unbound service to apply the changed configuration. Restarting also discards a level that was set with unbound-control:

    # systemctl restart unbound
  4. Monitor real-time logs of the unbound service:

    $ journalctl -u unbound -f

29.9. Using Ansible to install an IdM server with an external CA configured to use eDNS

You can use the ipaserver role available in the ansible-freeipa package to install an Identity Management (IdM) server whose CA certificate is signed by an external CA, with DNS-over-TLS (DoT) enabled. The installation runs in two steps: the first step generates a certificate signing request (CSR) for the IdM CA, and the second step installs the certificate signed by the external CA and finishes the installation.

Important

You can select either the enforced or relaxed policy. By default, the installer uses the relaxed policy, which attempts DoT but allows fallback to standard, unencrypted DNS if a secure connection cannot be established. To apply the enforced policy, set the ipaserver_dns_policy variable to enforced in the vars section of the Ansible playbook.

You can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.

Prerequisites

Procedure

  1. Optional: To use a custom PEM-formatted certificate and key for DoT instead of one issued by the IdM CA:

    1. SSH to the host where you are going to install the IdM server:

      $ ssh root@server.idm.example.com
    2. Create the two files and assign ownership to the named daemon. The following command creates a self-signed test certificate; with a certificate issued by an external CA, place the CA-issued certificate and its key at these paths instead, and use a validity period shorter than the 100 years shown outside test environments:

      # openssl req \
      -newkey rsa:2048 \
      -nodes \
      -keyout /etc/pki/tls/certs/privkey.pem \
      -x509 \
      -days 36500 \
      -out /etc/pki/tls/certs/certificate.pem \
      -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
      chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem
    3. Exit the SSH session on the IdM server:

      # exit
  2. On the Ansible controller, create a playbook file named install-server-external-ca-step1.yml with the instructions to install an IdM server with an external CA:

    ---
    - name: "Playbook to configure IPA server Step 1: generate CSR for IdM external CA setup"
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
        - "<server_ip>#<dns_server_hostname>"
        ipaserver_external_ca: true
        ipaserver_dns_over_tls: true
        ipaserver_no_dnssec_validation: true
        ipaserver_auto_reverse: true
    
      roles:
      - role: ipaserver
    
      post_tasks:
      - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
        fetch:
          src: /root/ipa.csr
          dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
          flat: true

    If you are using a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, add the following in the vars section:

    ipaserver_dns_over_tls_cert: /etc/pki/tls/certs/certificate.pem
    ipaserver_dns_over_tls_key: /etc/pki/tls/certs/privkey.pem
  3. Run the Ansible playbook with the instructions for the first step of the installation:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-external-ca-step1.yml
  4. Locate the ipa.csr certificate signing request file on the controller and submit it to the external CA.
  5. Place the IdM CA certificate signed by the external CA and the CA certificate chain in the controller file system so that the playbook in the next step can find it.
  6. Create a new Ansible playbook, for example install-server-external-ca-step2.yml, for the second step of IdM server installation with the following content:

    ---
    - name: "Playbook to configure IdM server Step 2: import certificates and finalize installation"
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
        - "<server_ip>#<dns_server_hostname>"
        ipaserver_external_ca: true
        ipaserver_dns_over_tls: true
        ipaserver_no_dnssec_validation: true
        ipaserver_auto_reverse: true
        ipaserver_external_cert_files:
        - servercert20240601.pem
        - cacert.pem
    
      pre_tasks:
      - name: Copy "{{ groups.ipaserver[0] }}-{{ item }}" to "/root/{{ item }}" on node
        ansible.builtin.copy:
          src: "{{ groups.ipaserver[0] }}-{{ item }}"
          dest: "/root/{{ item }}"
          force: true
        with_items:
        - servercert20240601.pem
        - cacert.pem
    
      roles:
      - role: ipaserver
        state: present
  7. Run the Ansible playbook with the instructions for the final step of the installation:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-external-ca-step2.yml

Troubleshooting

  1. SSH to the IdM server:

    # ssh root@server.idm.example.com
  2. Raise the logging level of the unbound service. A level set with unbound-control takes effect immediately and lasts until unbound is next restarted:

    # unbound-control verbosity 3
  3. If you instead raised the level by setting the verbosity option in the server section of /etc/unbound/unbound.conf, restart the unbound service to apply the changed configuration. Restarting also discards a level that was set with unbound-control:

    # systemctl restart unbound
  4. Monitor real-time logs of the unbound service:

    $ journalctl -u unbound -f

29.10. Using Ansible to install an IdM client configured to use eDNS

You can use Ansible to install an IdM client with DNS-over-TLS (DoT) enabled. The example below applies the enforced DoT policy and requires the client to use eDNS queries exclusively.

Prerequisites

  • You are using Ansible version 2.14 or later.
  • You have installed the ansible-freeipa package.
  • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • You have configured the resolver for DNS over TLS on the client.

Procedure

  1. On the controller, create a playbook named install-client-edns.yml that includes a task to install an IdM client with eDNS enabled:

    ---
    - name: Playbook to configure an IdM client with eDNS enabled
      hosts: ipaclients
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaadmin_password: "{{ ipaadmin_password }}"
        ipaclient_domain: idm.example.com
        ipaclient_dns_over_tls: true
    
      roles:
      - role: ipaclient

    If DNSSEC validation is turned off on the IdM server that the client is communicating with, for example because the server was installed with --no-dnssec-validation, you must also disable it on the client by adding ipaclient_no_dnssec_validation: true to the vars section of the playbook. Otherwise, DNS over TLS does not function correctly for the client.

  2. Run the Ansible playbook:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-client-edns.yml

Verification

  1. On the IdM client, review /etc/unbound/unbound.conf:

    $ cat /etc/unbound/unbound.conf
  2. Verify that the configuration forwards to the IdM server over TLS and contains both the IP address and the host name of the IdM server. The host name is what unbound uses to validate the server’s certificate.
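
Checking the resolver configuration by eye is easy to get wrong, because a forward-addr that lacks the @853#hostname suffix still resolves names, only in cleartext or without authenticating the server. The following script is an added example, not code from the page or from ansible-freeipa, and serves the verification step here as well as the identical step in Installing an IdM client configured to use eDNS. check_unbound_dot inspects an unbound configuration and reports ok only when forwarding is TLS-only, a trust bundle is configured, every upstream is an authenticated DoT server on port 853 and the IdM server is among them. write_sample_conf produces a constructed configuration in that shape for the offline run; the file that ipa-client-install writes may be laid out differently, so on a real client point check_unbound_dot at /etc/unbound/unbound.conf. The two live helpers assume dig from BIND 9.18 or later (the newer bind-utils that ipa-server-encrypted-dns pulls in) and a reachable IdM server, and are not exercised offline.

```shell
#!/bin/sh
# Added example, not from the Red Hat page: verify that a client's unbound
# configuration reaches the IdM DNS server only over authenticated TLS.
set -eu

# write_sample_conf <path> <server_ip> <server_fqdn> [plaintext]
# Constructed stand-in for an IdM-style forward zone: an authenticated DoT
# upstream (ip@853#fqdn) with TLS forced on. With a fourth argument it writes
# a plain port-53 upstream instead, the shape that silently downgrades.
write_sample_conf() {
  path=$1; ip=$2; fqdn=$3; plain=${4:-}
  if [ -n "$plain" ]; then
    addr="${ip}"; tls="no"
  else
    addr="${ip}@853#${fqdn}"; tls="yes"
  fi
  cat > "$path" <<EOF
server:
    tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
    name: "."
    forward-addr: ${addr}
    forward-tls-upstream: ${tls}
EOF
}

# check_unbound_dot <unbound.conf> <server_ip> <server_fqdn>
# Prints "ok" when forward-tls-upstream is yes, a CA bundle (or the system
# store) is configured for validating upstream certificates, every
# forward-addr uses port 853 with an authentication name, and the IdM server
# is among them. Otherwise prints the first problem found and returns 1.
check_unbound_dot() {
  conf=$1; ip=$2; fqdn=$3
  grep -Eq '^[[:space:]]*forward-tls-upstream:[[:space:]]*yes' "$conf" \
    || { echo "forward-tls-upstream is not yes"; return 1; }
  grep -Eq '^[[:space:]]*(tls-cert-bundle:|tls-system-cert:[[:space:]]*yes)' "$conf" \
    || { echo "no tls-cert-bundle: upstream certificate is not validated"; return 1; }
  found=0
  for addr in $(sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' "$conf"); do
    case "$addr" in
      "${ip}@853#${fqdn}") found=1 ;;
      *"@853#"?*) ;;   # another authenticated DoT upstream, acceptable
      *) echo "plaintext or unauthenticated upstream: $addr"; return 1 ;;
    esac
  done
  [ "$found" -eq 1 ] || { echo "IdM server ${ip}#${fqdn} not configured as upstream"; return 1; }
  echo ok
}

# dot_live_query <server_ip> <server_fqdn> <name>
# Live check: resolve <name> from the IdM server over DoT, validating the
# certificate against the system trust store and the server name.
dot_live_query() {
  dig +tls +tls-ca "+tls-hostname=$2" "@$1" "$3" SOA +short
}

# plaintext_refused <server_ip> <name>
# Live check for --dns-policy enforced: a plain UDP/53 query must not be
# answered. Succeeds when no NOERROR answer comes back (REFUSED or timeout).
plaintext_refused() {
  ! dig +tries=1 +time=3 "@$1" "$2" SOA 2>/dev/null | grep -q 'status: NOERROR'
}
```

On an installed client, run check_unbound_dot /etc/unbound/unbound.conf <idm_server_ip> <idm_server_fqdn>, then dot_live_query with the same server and the domain name; with the enforced policy, plaintext_refused <idm_server_ip> <domain_name> should also succeed, since the server must not answer cleartext queries.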

Troubleshooting

  1. On the IdM client, run a DNS query to trigger traffic:

    $ dig <domain_name>
  2. Review the logs of the named service on the IdM server, for example with journalctl -u named, to verify that the query arrived over DoT on port 853 rather than over plain DNS. Individual queries appear only if query logging is enabled in BIND, for example with rndc querylog.

29.11. Using Ansible to install an IdM replica configured to use eDNS

Learn how to use Ansible to install an IdM replica with eDNS in an environment where the IdM server has DoT enabled.

When you install the replica with the integrated DNS service, the replica uses the same configuration as the IdM server. It runs BIND to handle incoming DNS queries, including encrypted queries, and uses unbound for outgoing encrypted DNS traffic.

When you install the replica without the integrated DNS service, the replica inherits the client-side configuration. It uses unbound with a DoT forwarder to send encrypted DNS queries to the IdM DNS server.

Prerequisites

  • You are using Ansible version 2.14 or later.
  • You have installed the ansible-freeipa package.
  • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.

Procedure

  1. On the controller, create a playbook named install-replica-edns.yml that includes a task to install an IdM replica with eDNS enabled:

    ---
    - name: Playbook to configure an IdM replica with eDNS enabled
      hosts: ipareplicas
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaadmin_password: "{{ ipaadmin_password }}"
        ipareplica_domain: idm.example.com
        ipareplica_dns_over_tls: true
    
      roles:
      - role: ipareplica

    If DNSSEC validation is turned off on the IdM server that the replica is communicating with, for example because the server was installed with --no-dnssec-validation, you must also disable it on the replica by adding ipareplica_no_dnssec_validation: true to the vars section of the playbook. Otherwise, DNS over TLS does not function correctly for the replica.

    To install integrated IdM DNS on the IdM replica, add ipareplica_setup_dns: true and ipareplica_dot_forwarders, a list with one "<server_ip>#<dns_server_hostname>" entry per upstream DoT server, to the vars section.

  2. Run the Ansible playbook:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-replica-edns.yml

Verification

  • On the IdM server, list all replicas in the topology:

    # ipa-replica-manage list-ruv