4.4.2. Configuring Dynamic DNS Update with TSIG Authentication

Enabling External Updates to the DNS Zone in the IdM Server

1. On the IdM Server, add the following to the top of the /etc/named.conf file:

   EmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmpty include "/etc/rndc.key"; controls { inet IdM_Server_IP_Address port 953 allow { Satellite_IP_Address; } keys { "rndc-key"; }; }; EmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmptyEmpty

   Copy to Clipboard Toggle word wrap

2. Reload the named service to make the changes take effect:

   # systemctl reload named

   Copy to Clipboard Toggle word wrap

3. In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:

   1. Add the following in the BIND update policy box:

      grant "rndc-key" zonesub ANY;

      Copy to Clipboard Toggle word wrap
   2. Set Dynamic update to True.
   3. Click Update to save the changes.

4. Copy the /etc/rndc.key file from the IdM server to the base operating system of your Satellite Server. Enter the following command:

   # scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key

   Copy to Clipboard Toggle word wrap

5. To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:

   # restorecon -v /etc/rndc.key
   # chown -v root:named /etc/rndc.key
   # chmod -v 640 /etc/rndc.key

   Copy to Clipboard Toggle word wrap

6. Assign the foreman-proxy user to the named group manually. Normally, satellite-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Satellite does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.

   # usermod -a -G named foreman-proxy

   Copy to Clipboard Toggle word wrap

7. On Satellite Server, enter the following satellite-installer command to configure Satellite to use the external DNS server:

   # satellite-installer --scenario satellite \
   --foreman-proxy-dns=true \
   --foreman-proxy-dns-managed=false \
   --foreman-proxy-dns-provider=nsupdate \
   --foreman-proxy-dns-server="IdM_Server_IP_Address" \
   --foreman-proxy-keyfile=/etc/rndc.key \
   --foreman-proxy-dns-ttl=86400

   Copy to Clipboard Toggle word wrap

Testing External Updates to the DNS Zone in the IdM Server

1. Install the bind-utils utility:

   # yum install bind-utils

   Copy to Clipboard Toggle word wrap

2. Ensure that the key in the /etc/rndc.key file on Satellite Server is the same key file that is used on the IdM server:

   key "rndc-key" {
           algorithm hmac-md5;
           secret "secret-key==";
   };

   Copy to Clipboard Toggle word wrap

3. On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.

   # echo -e "server 192.168.25.1\n \
   update add test.example.com 3600 IN A 192.168.25.20\n \
   send\n" | nsupdate -k /etc/rndc.key

   Copy to Clipboard Toggle word wrap

4. On Satellite Server, test the DNS entry:

   # nslookup test.example.com 192.168.25.1
   Server:		192.168.25.1
   Address:	192.168.25.1#53
   
   Name:	test.example.com
   Address: 192.168.25.20

   Copy to Clipboard Toggle word wrap
5. To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

6. If resolved successfully, remove the test DNS entry:

   # echo -e "server 192.168.25.1\n \
   update delete test.example.com 3600 IN A 192.168.25.20\n \
   send\n" | nsupdate -k /etc/rndc.key

   Copy to Clipboard Toggle word wrap

7. Confirm that the DNS entry was removed:

   # nslookup test.example.com 192.168.25.1

   Copy to Clipboard Toggle word wrap

   The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.