Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 99. Updating DNS records systematically when using external DNS

When using external DNS, Identity Management (IdM) does not update the DNS records automatically after a change in the topology. You can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.

Updating DNS records removes old or invalid DNS records and adds new records. You must update DNS records after a change in your topology, for example:

  • After installing or uninstalling a replica
  • After installing a CA, DNS, KRA, or Active Directory trust on an IdM server

99.1. Updating external DNS records with GUI
Copier lien

If you have made any changes to your topology, you must update the external DNS records by using the external DNS GUI.

Procedure

  1. Display the records that you must update: 

    $ ipa dns-update-system-records --dry-run
 IPA DNS records:
   _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
   _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap
  2. Use the external DNS GUI to update the records.

99.2. Updating external DNS records using nsupdate
Copier lien

You can update external DNS records using the nsupdate utility. You can also add the command to a script to automate the process. To update with the nsupdate utility, you need to generate a file with the DNS records, and then proceed with either sending an nsupdate request secured using TSIG, or sending an nsupdate request secured using the GSS-TSIG.

Procedure

  • To generate a file with the DNS records for nsupdate, use the `ipa dns-update-system-records --dry-run command with the --out option. The --out option specifies the path of the file to generate: 

    $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
 IPA DNS records:
   _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
   _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap

    The generated file contains the required DNS records in the format accepted by the nsupdate utility.

  • The generated records rely on:

    • Automatic detection of the zone in which the records are to be updated.

    • Automatic detection of the zone’s authoritative server.

      If you are using an atypical DNS setup or if zone delegations are missing, nsupdate might not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:

    • server: specify the server name or port of the authoritative DNS server to which nsupdate sends the records.

    • zone: specify the name of the zone where nsupdate places the records.

      Example 99.1. Generated record

      $ cat dns_records_file.nsupdate
zone example.com.
server 192.0.2.1
; IPA DNS records
update delete _kerberos-master._tcp.example.com. SRV
update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
      Copy to Clipboard Toggle word wrap

99.3. Sending an nsupdate request secured using TSIG
Copier lien

When sending a request using nsupdate, make sure you properly secure it. Transaction signature (TSIG) enables you to use nsupdate with a shared key.

Prerequisites

  • Your DNS server must be configured for TSIG.
  • Both the DNS server and its client must have the shared key.

Procedure

  • Run the nsupdate command and provide the shared secret using one of these options:

    • -k to provide the TSIG authentication key: 

      $ nsupdate -k tsig_key.file dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap

    • -y to generate a signature from the name of the key and from the Base64-encoded shared secret: 

      $ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap

99.4. Sending an nsupdate request secured using GSS-TSIG
Copier lien

When sending a request using nsupdate, make sure you properly secure it. GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol.

Prerequisites

  • Your DNS server must be configured for GSS-TSIG.
Note

This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API.

Procedure

  1. Authenticate with a principal allowed to update the records: 

    $ kinit principal_allowed_to_update_records@REALM
    Copy to Clipboard Toggle word wrap

  2. Run nsupdate with the -g option to enable the GSS-TSIG mode: 

    $ nsupdate -g dns_records_file.nsupdate
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat