On Tue, 12 Jan 2021, Braden McGrath via FreeIPA-users wrote:
> Alexander, I appreciate your reply :)
>
> > I run my home's FreeIPA deployment at 'example.net' and rely on firewalls
> > and external DNS server to provide a safer outer view to it. There is
> > nothing wrong with this approach -- as well as with 'ipa.example.net'
> > approach either.
>
> Let us assume I have no other DNS servers at all for 'example.net'. If
> I put the FreeIPA root at 'ipa.example.net', is it possible to add the
> "parent" 'example.net' as an authoritative domain in FreeIPA's DNS
> server? Or can it only manage and serve DNS for its own subdomain and
> others below it? I'm sorry if this is a basic / stupid question; I
> haven't had to deal with BIND in over a decade, and I don't know how
> much the FreeIPA integration changes what can be done (I'm 99% sure
> that BIND on its own can do this).
Any DNS zone for which the IPA DNS server could be authoritative can be
handled. It cannot be a slave DNS server and cannot handle DNS views, but
other than that there are no limitations on what the zone name can be.
For example,
[root@m1 ~]# ipa dnszone-add my-top-level.
Zone name: my-top-level.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
Administrator e-mail address: hostmaster
SOA serial: 1610480726
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

[root@m1 ~]# ipa dnszone-add test.my-top-level.
Zone name: test.my-top-level.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
Administrator e-mail address: hostmaster
SOA serial: 1610480741
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

[root@m1 ~]# ipa dnszone-find
Zone name: my-top-level.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
Administrator e-mail address: hostmaster
SOA serial: 1610480727
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

Zone name: test.my-top-level.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
Administrator e-mail address: hostmaster
SOA serial: 1610480743
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

Zone name: ipa1.test.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
Administrator e-mail address: hostmaster.ipa1.test.
SOA serial: 1610393570
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP; grant "rndc-key" zonesub ANY;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------

[root@m1 ~]# dig -t any +nostats +nocomments my-top-level. test.my-top-level.
; <<>> DiG 9.11.25-RedHat-9.11.25-2.fc34 <<>> -t any +nostats +nocomments my-top-level. test.my-top-level.
;; global options: +cmd
;my-top-level. IN ANY
my-top-level. 86400 IN NS m1.ipa1.test.
my-top-level. 86400 IN SOA m1.ipa1.test. hostmaster.my-top-level. 1610480727 3600 900 1209600 3600
;test.my-top-level. IN ANY
test.my-top-level. 86400 IN NS m1.ipa1.test.
test.my-top-level. 86400 IN SOA m1.ipa1.test. hostmaster.test.my-top-level. 1610480743 3600 900 1209600 3600
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
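The `ipa dnszone-find` listing above is the natural place to check, after adding a parent zone next to the IPA domain, which zones this server serves and how each is exposed: whether a parent zone is served on the same server (as `my-top-level.` is for `test.my-top-level.`) or must be delegated from elsewhere, whether zone transfers are restricted, and which dynamic-update grants apply. The script below is an added example written for this thread, not FreeIPA's own code. It parses the `Key: value` format as printed in the thread; `SAMPLE_OUTPUT` is a constructed, shortened copy of the three zones shown there, and the function names are the example's own. The `grant "rndc-key" zonesub ANY` line it reports on `ipa1.test.` is the standard policy FreeIPA configures for its own domain; the report only surfaces it so that the same grant is noticed if it appears on any other zone.

```python
"""Parse `ipa dnszone-find` output and report, per zone, whether its parent
zone is served on this server and which transfer/update settings deserve a
look. Added example, not FreeIPA code; sample output is constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample: shortened `ipa dnszone-find` output for the three zones
# from the thread, with field names and values exactly as ipa prints them.
SAMPLE_OUTPUT = """\
Zone name: my-top-level.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

Zone name: test.my-top-level.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

Zone name: ipa1.test.
Active zone: TRUE
Authoritative nameserver: m1.ipa1.test.
BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP; grant "rndc-key" zonesub ANY;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_dnszone_find(text: str) -> List[Dict[str, str]]:
    """Turn the key/value listing into one dict per zone. A new zone starts at
    each 'Zone name:' line; separator lines and the entry count carry no colon
    and are skipped."""
    zones: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not line or not sep or line.startswith("-"):
            continue
        key, value = key.strip(), value.strip()
        if key == "Zone name":
            current = {}
            zones.append(current)
        if current is not None:
            current[key] = value
    return zones


def enclosing_zone(name: str, zones: List[Dict[str, str]]) -> Optional[str]:
    """Return the closest zone served here that strictly contains `name`
    ('my-top-level.' for 'test.my-top-level.'), or None when the parent lives
    elsewhere and the delegation to this server must exist there."""
    served = {z["Zone name"] for z in zones}
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in served:
            return candidate
    return None


def audit_zone(zone: Dict[str, str]) -> List[str]:
    """Report settings worth a second look: zone transfers permitted to anyone,
    and dynamic-update grants that let one key rewrite any record type in the
    zone (BIND's 'zonesub ANY')."""
    findings: List[str] = []
    transfer = zone.get("Allow transfer", "").rstrip(";").strip()
    if transfer != "none":
        findings.append(f"zone transfer allowed from: {transfer or '(not set)'}")
    if zone.get("Dynamic update") == "TRUE":
        grants = [g.strip() for g in zone.get("BIND update policy", "").split(";") if g.strip()]
        for grant in grants:
            if re.search(r"\bzonesub\s+ANY\b", grant):
                findings.append(f"dynamic update grant covers every record type: {grant}")
    return findings


def audit_report(text: str) -> Dict[str, dict]:
    """Combine parsing, parent lookup and per-zone findings into one report."""
    zones = parse_dnszone_find(text)
    return {
        z["Zone name"]: {
            "parent_served_here": enclosing_zone(z["Zone name"], zones),
            "findings": audit_zone(z),
        }
        for z in zones
    }


if __name__ == "__main__":
    for zone_name, info in audit_report(SAMPLE_OUTPUT).items():
        print(zone_name, info)
```

To run it against a live server, pipe `ipa dnszone-find` into the script's stdin instead of `SAMPLE_OUTPUT`; the parser ignores the entry-count footer, so the unmodified listing works as input.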