Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

33.10. Updating DNS Records Systematically When Using External DNS

When using external DNS, Identity Management does not update the DNS records automatically after a change in the topology. The following procedures explain how you can update the DNS records managed by an external DNS service systematically, which reduces the need for manual DNS updates.
For a basic overview, see Section 33.10.1, “Updating External DNS in Identity Management”.
For procedures and examples, see:

33.10.1. Updating External DNS in Identity Management
Copia collegamento

Updating DNS records removes old or invalid DNS records and adds new records.
You must update DNS records after a change in your topology, for example:
  • After installing or uninstalling a replica
  • After installing a CA, DNS, KRA, or Active Directory trust on an Identity Management server

33.10.2. GUI: Updating External DNS Records
Copia collegamento

  1. Display the records that you must update. Use the ipa dns-update-system-records --dry-run command. 
    $ ipa dns-update-system-records --dry-run
 IPA DNS records:
   _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
   _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap
  2. Use the external DNS GUI to update the records.

33.10.3. Command Line: Updating External DNS Records Using nsupdate
Copia collegamento

This section describes how to manually update external DNS records using the nsupdate utility. You can also use the commands from this section in a script to automate the process.

Generating a File with the DNS Records for nsupdate

  1. Use the ipa dns-update-system-records --dry-run command with the --out option. The option specifies the path of the file to generate: 
    $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
 IPA DNS records:
   _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
   _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap
    The generated file contains the required DNS records in the format accepted by the nsupdate utility.
  2. The generated records rely on:
    • Automatic detection of the zone in which the records are to be updated
    • Automatic detection of the zone's authoritative server
    If you are using an atypical DNS setup or if zone delegations are missing, nsupdate might not be able to find the right zone and server. In this case, add the following options to the beginning of the generated file:
    • server specifies the server name or port of the authoritative DNS server to which nsupdate sends the records
    • zone specifies the zone name of the zone where nsupdate places the records
    Example: 
    $ cat dns_records_file.nsupdate
zone example.com.
server 192.0.2.1
; IPA DNS records
update delete _kerberos-master._tcp.example.com. SRV
update add _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa.example.com.
[... output truncated ...]
    Copy to Clipboard Toggle word wrap

Submitting the Dynamic DNS Update Request to the Name Server

When sending a request using nsupdate, make sure you properly secure it. You can secure the request using these mechanisms:
Transaction Signature (TSIG) protocol
TSIG enables you to use nsupdate with a shared key. See Procedure 33.1, “Sending an nsupdate Request Secured Using TSIG”.
GSS algorithm for TSIG (GSS-TSIG)
GSS-TSIG uses the GSS-API interface to obtain the secret TSIG key. GSS-TSIG is an extension to the TSIG protocol. See Procedure 33.2, “Sending an nsupdate Request Secured Using GSS-TSIG”

Procedure 33.1. Sending an nsupdate Request Secured Using TSIG

  1. Make sure you meet these prerequisites:
    • Your DNS server must be configured for TSIG. See these server configuration examples: BIND, PowerDNS
    • Both the DNS server and its client must have the shared key.
  2. Run nsupdate, and provide the shared secret using one of these options:
    • -k to provide the TSIG authentication key: 
      $ nsupdate -k tsig_key.file dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap
    • -y to generate a signature from the name of the key and from the Base64-encoded shared secret: 
      $ nsupdate -y algorithm:keyname:secret dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap

Procedure 33.2. Sending an nsupdate Request Secured Using GSS-TSIG

  1. Make sure you meet these prerequisites:
    • Your DNS server must be configured for GSS-TSIG. See these server configuration examples: BIND, PowerDNS, Windows DNS.
    Note
    This procedure assumes that Kerberos V5 protocol is used as the technology for GSS-API.
  2. To submit the DNS update request, authenticate with a principal allowed to update the records, and run nsupdate with the -g option to enable the GSS-TSIG mode: 
    $ kinit principal_allowed_to_update_records@REALM
$ nsupdate -g dns_records_file.nsupdate
    Copy to Clipboard Toggle word wrap

Additional Resources

  • the nsupdate(8) man page
  • RFC 2845 describes the TSIG protocol
  • RFC 3645 describes the GSS-TSIG algorithm
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat