4.4.2. Configuring Dynamic DNS Update with TSIG Authentication
You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC2845.
Prerequisites
- You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
-
You must obtain
rootuser access on the IdM server. - You must confirm whether Satellite Server or Capsule Server is configured to provide DNS service for your deployment.
- You must configure DNS, DHCP and TFTP services on the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment.
- You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.
Procedure
To configure dynamic DNS update with TSIG authentication, complete the following steps:
Enabling External Updates to the DNS Zone in the IdM Server
On the IdM Server, add the following to the top of the
/etc/named.conffile:include "/etc/rndc.key"; controls { inet IdM_Server_IP_Address port 953 allow { Satellite_IP_Address; } keys { "rndc-key"; }; };
Reload the
namedservice to make the changes take effect:# systemctl reload named
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
Add the following in the
BIND update policybox:grant "rndc-key" zonesub ANY;
- Set Dynamic update to True.
- Click Update to save the changes.
Copy the
/etc/rndc.keyfile from the IdM server to the base operating system of your Satellite Server. Enter the following command:# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.keyTo set the correct ownership, permissions, and SELinux context for the
rndc.keyfile, enter the following command:# restorecon -v /etc/rndc.key # chown -v root:named /etc/rndc.key # chmod -v 640 /etc/rndc.key
Assign the
foreman-proxyuser to thenamedgroup manually. Normally, satellite-installer ensures that theforeman-proxyuser belongs to thenamedUNIX group, however, in this scenario Satellite does not manage users and groups, therefore you need to assign theforeman-proxyuser to thenamedgroup manually.# usermod -a -G named foreman-proxy
On Satellite Server, enter the following
satellite-installercommand to configure Satellite to use the external DNS server:# satellite-installer --scenario satellite \ --foreman-proxy-dns=true \ --foreman-proxy-dns-managed=false \ --foreman-proxy-dns-provider=nsupdate \ --foreman-proxy-dns-server="IdM_Server_IP_Address" \ --foreman-proxy-keyfile=/etc/rndc.key \ --foreman-proxy-dns-ttl=86400
Testing External Updates to the DNS Zone in the IdM Server
Install the
bind-utilsutility:# yum install bind-utils
Ensure that the key in the
/etc/rndc.keyfile on Satellite Server is the same key file that is used on the IdM server:key "rndc-key" { algorithm hmac-md5; secret "secret-key=="; };On Satellite Server, create a test DNS entry for a host. For example, host
test.example.comwith an A record of192.168.25.20on the IdM server at192.168.25.1.# echo -e "server 192.168.25.1\n \ update add test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.keyOn Satellite Server, test the DNS entry:
# nslookup test.example.com 192.168.25.1 Server: 192.168.25.1 Address: 192.168.25.1#53 Name: test.example.com Address: 192.168.25.20- To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.
If resolved successfully, remove the test DNS entry:
# echo -e "server 192.168.25.1\n \ update delete test.example.com 3600 IN A 192.168.25.20\n \ send\n" | nsupdate -k /etc/rndc.keyConfirm that the DNS entry was removed:
# nslookup test.example.com 192.168.25.1The above
nslookupcommand fails and returns theSERVFAILerror message if the record was successfully deleted.
