7.3. Configuring a DNS forward zone in the CLI

Prerequisites

• Access to the CLI with a user account that has administrator rights.
• Correctly configured DNS server.

Procedure

• Create a DNS forward zone for the AD domain, and specify the IP address of the remote DNS server with the --forwarder option:

  # ipa dnsforwardzone-add ad.example.com --forwarder=192.168.122.3 --forward-policy=first

  注記

  You might see a warning about a DNSSEC validation failure in the /var/log/messages system logs after adding a new forward zone to the configuration:

  named[2572]: no valid DS resolving 'host.ad.example.com/A/IN':  192.168.100.25#53

  DNSSEC (Domain Name System Security Extensions) secures DNS data with a digital signature to protect DNS from attacks. This service is enabled by default in the IdM server. The warning appears because the remote DNS server does not use DNSSEC. Enable DNSSEC on the remote DNS server.

  If you cannot enable DNSSEC validation on the remote server, you can disable DNSSEC in the IdM server:

  1. Open the /etc/named/ipa-options-ext.conf file on your IdM server.

  2. Add the following DNSSEC parameters:

     dnssec-validation no;

  3. Save and close the configuration file.

  4. Restart the DNS service:

     # systemctl restart named

  Note that DNSSEC is only available as Technology Preview in IdM.

Verification

• Use the nslookup command with the name of the remote DNS server:

  $ nslookup ad.example.com
  Server:        192.168.122.2
  Address:       192.168.122.2#53
  
  No-authoritative answer:
  Name:          ad.example.com
  Address:       192.168.122.3

  If the domain forwarding is configured correctly, the nslookup request displays an IP address of the remote DNS server.