Red Hat Summit1.5. Meeting DNS host name and DNS requirements for IdM
The host name and DNS requirements for server and replica systems are outlined below and also how to verify that the systems meet the requirements.
DNS records are vital for nearly all Identity Management (IdM) domain functions, including running LDAP directory services, Kerberos, and Active Directory integration. Be extremely cautious and ensure that:
- You have a tested and functional DNS service available
- The service is properly configured
This requirement applies to all IdM servers, both with and without integrated DNS.
- Verify the server host name
The host name must be a fully qualified domain name, such as
server.idm.example.com.重要Do not use single-label domain names, for example
.company: the IdM domain must be composed of one or more subdomains and a top level domain, for exampleexample.comorcompany.example.com.The fully qualified domain name must meet the following conditions:
- It is a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, such as underscores (_), in the host name cause DNS failures.
- It is all lower-case. No capital letters are allowed.
-
It does not resolve to the loopback address. It must resolve to the system’s public IP address, not to
127.0.0.1.
To verify the host name, use the
hostnameutility on the system where you want to install:# hostname server.idm.example.comThe output of
hostnamemust not belocalhostorlocalhost6.- Verify the forward and reverse DNS configuration
Obtain the IP address of the server.
The
ip addr showcommand displays both the IPv4 and IPv6 addresses. In the following example, the relevant IPv6 address is2001:DB8::1111because its scope is global:[root@server ~]# ip addr show ... 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:1a:4a:10:4e:33 brd ff:ff:ff:ff:ff:ff inet 192.0.2.1/24 brd 192.0.2.255 scope global dynamic eth0 valid_lft 106694sec preferred_lft 106694sec inet6 2001:DB8::1111/32 scope global dynamic valid_lft 2591521sec preferred_lft 604321sec inet6 fe80::56ee:75ff:fe2b:def6/64 scope link valid_lft forever preferred_lft forever ...
Verify the forward DNS configuration using the
digutility.Run the command
dig +short server.idm.example.com A. The returned IPv4 address must match the IP address returned byip addr show:[root@server ~]# dig +short server.idm.example.com A 192.0.2.1Run the command
dig +short server.idm.example.com AAAA. If it returns an address, it must match the IPv6 address returned byip addr show:[root@server ~]# dig +short server.idm.example.com AAAA 2001:DB8::1111注記If
digdoes not return any output for the AAAA record, it does not indicate incorrect configuration. No output only means that no IPv6 address is configured in DNS for the system. If you do not intend to use the IPv6 protocol in your network, you can proceed with the installation in this situation.
Verify the reverse DNS configuration (PTR records). Use the
digutility and add the IP address.If the commands below display a different host name or no host name, the reverse DNS configuration is incorrect.
Run the command
dig +short -x IPv4_address. The output must display the server host name. For example:[root@server ~]# dig +short -x 192.0.2.1 server.idm.example.comIf the command
dig +short -x server.idm.example.com AAAAin the previous step returned an IPv6 address, usedigto query the IPv6 address too. The output must display the server host name. For example:[root@server ~]# dig +short -x 2001:DB8::1111 server.idm.example.com注記If
dig +short server.idm.example.com AAAAin the previous step did not display any IPv6 address, querying the AAAA record does not output anything. In this case, this is normal behavior and does not indicate incorrect configuration.警告If a reverse DNS (PTR record) search returns multiple host names,
httpdand other software associated with IdM may show unpredictable behavior. Red Hat strongly recommends configuring only one PTR record per IP.
- Verify the standards-compliance of DNS forwarders (required for integrated DNS only)
Ensure that all DNS forwarders you want to use with the IdM DNS server comply with the Extension Mechanisms for DNS (EDNS0). To do this, inspect the output of the following command for each forwarder separately:
$ dig @IP_address_of_the_DNS_forwarder . SOAThe expected output displayed by the command contains the following information:
-
Status:
NOERROR -
Flags:
ra
If either of these items is missing from the output, inspect the documentation for your DNS forwarder and verify that EDNS0 is supported and enabled.
-
Status:
- Verify the
/etc/hostsfile Verify that the
/etc/hostsfile fulfills one of the following conditions:- The file does not contain an entry for the host. It only lists the IPv4 and IPv6 localhost entries for the host.
The file contains an entry for the host and the file fulfills all the following conditions:
- The first two entries are the IPv4 and IPv6 localhost entries.
- The next entry specifies the IdM server IPv4 address and host name.
-
The
FQDNof the IdM server comes before the short name of the IdM server. - The IdM server host name is not part of the localhost entry.
The following is an example of a correctly configured
/etc/hostsfile:
127.0.0.1 localhost localhost.localdomain \ localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain \ localhost6 localhost6.localdomain6 192.0.2.1 server.idm.example.com server 2001:DB8::1111 server.idm.example.com server
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}