4.4.2. Configuring Dynamic DNS Update with TSIG Authentication
You can configure an IdM server to use secret key transaction authentication for DNS (TSIG), which uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC 2845.
Prerequisites
- You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- You must obtain root user access on the IdM server.
- You must confirm whether Satellite Server or Capsule Server is configured to provide DNS service for your deployment.
- You must configure DNS, DHCP and TFTP services on the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment.
- You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.
Procedure
To configure dynamic DNS update with TSIG authentication, complete the following steps:
Enabling External Updates to the DNS Zone in the IdM Server
On the IdM Server, add the following to the top of the /etc/named.conf file:

    include "/etc/rndc.key";
    controls {
        inet IdM_Server_IP_Address port 953 allow { Satellite_IP_Address; } keys { "rndc-key"; };
    };
Reload the named service to make the changes take effect:

    # systemctl reload named
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
Add the following in the BIND update policy box:

    grant "rndc-key" zonesub ANY;
- Set Dynamic update to True.
- Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to the base operating system of your Satellite Server. Enter the following command:

    # scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following commands:

    # restorecon -v /etc/rndc.key
    # chown -v root:named /etc/rndc.key
    # chmod -v 640 /etc/rndc.key
Assign the foreman-proxy user to the named group manually. Normally, satellite-installer ensures that the foreman-proxy user belongs to the named UNIX group; however, in this scenario Satellite does not manage users and groups, so you must add the foreman-proxy user to the named group yourself:

    # usermod -a -G named foreman-proxy
On Satellite Server, enter the following satellite-installer command to configure Satellite to use the external DNS server:
Testing External Updates to the DNS Zone in the IdM Server
Install the bind-utils utility:

    # yum install bind-utils
Ensure that the key in the /etc/rndc.key file on Satellite Server is the same key that is used on the IdM server:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
    };
On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1:

    # echo -e "server 192.168.25.1\n \
    update add test.example.com 3600 IN A 192.168.25.20\n \
    send\n" | nsupdate -k /etc/rndc.key
On Satellite Server, test the DNS entry:

- To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.
If resolved successfully, remove the test DNS entry:

    # echo -e "server 192.168.25.1\n \
    update delete test.example.com 3600 IN A 192.168.25.20\n \
    send\n" | nsupdate -k /etc/rndc.key
Confirm that the DNS entry was removed:

    # nslookup test.example.com 192.168.25.1
The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.
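The following shell helpers are an added example, not part of the Satellite documentation: they verify the copied rndc.key has the ownership and 640 mode the steps above set, parse the key name and algorithm from it, and build the nsupdate batch used for the add and delete tests. They assume GNU coreutils stat (as on RHEL) and that nsupdate from bind-utils is installed only for signed_update; the function names are the example's own.

```shell
# Print the key name declared in a BIND key file (the page uses "rndc-key").
tsig_key_name() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1
}

# Print the algorithm declared in the key file (the page uses hmac-md5).
tsig_key_algorithm() {
    sed -n 's/.*algorithm[[:space:]]*\([^;[:space:]]*\);.*/\1/p' "$1" | head -n1
}

# Return 0 when the key file has mode 640 and the given owner and group,
# i.e. only root and members of the named group (foreman-proxy) can read it.
# Assumes GNU stat; arguments: file owner group.
check_keyfile_perms() {
    local file=$1 want_owner=$2 want_group=$3
    local mode owner group
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%U' "$file") || return 1
    group=$(stat -c '%G' "$file") || return 1
    [ "$mode" = "640" ] && [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ]
}

# Build the nsupdate batch for one A record.
# Arguments: action (add|delete) server name ip [ttl, default 3600].
nsupdate_batch() {
    local action=$1 server=$2 name=$3 ip=$4 ttl=${5:-3600}
    printf 'server %s\nupdate %s %s %s IN A %s\nsend\n' \
        "$server" "$action" "$name" "$ttl" "$ip"
}

# Send the TSIG-signed update to the IdM server (needs nsupdate from bind-utils).
signed_update() {
    nsupdate_batch "$@" | nsupdate -k /etc/rndc.key
}
```

Running `check_keyfile_perms /etc/rndc.key root named` on Satellite Server before the satellite-installer step catches a key file that was copied but not re-owned, and `signed_update add 192.168.25.1 test.example.com 192.168.25.20` reproduces the add test from the page.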