On Wed, Apr 28, 2021 at 01:18:20PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
> On Wed, Apr 28, 2021 at 12:59:36PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> > Dynamic DNS updates are controlled by the properties of a DNS zone, not
> > in named.conf.
> >
> > $ ipa dnszone-mod --help|grep dynamic
> > --dynamic-update=BOOL
> > Allow dynamic updates.
>
> Okay, understood, but our customer _will_ complain about the
> dyndns block in named.conf, the socket it creates and about
> authentication with gssapi, so we _have_ to remove that if
> possible, or to "defuse" it.
I think you are mixing things up. Are you talking about this fragment:
dyndb "ipa" "$BIND_LDAP_SO" {
        uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
        base "cn=dns,$SUFFIX";
        server_id "$FQDN";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/$FQDN";
};
If so, this is *not* a dynamic DNS updates thing. This is a database
driver that provides access to DNS zones stored in IPA LDAP. If you switch
it off, your NAMED instance will have no DNS zones from IPA.
Zones aren't stored in NAMED, they are in IPA LDAP and looked up/updated
from IPA LDAP dynamically.
Ah, I see. My knowledge of DNS is really limited, so I understood
that wrong. Thanks!
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
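
As an added example (not part of the thread and not FreeIPA's own tooling): since dynamic updates are a per-zone property rather than something in named.conf, the practical check is to list the zones that still have idnsallowdynupdate set to TRUE and emit the matching `ipa dnszone-mod ... --dynamic-update=FALSE` commands. The script below does that over text in the layout of `ipa dnszone-find --all --raw`; the sample output embedded in it is constructed for the example, and the zone names in it are made up. The dyndb block in named.conf is left alone, for the reason Alexander gives above.

```sh
#!/bin/sh
# Added example, not code from the FreeIPA project or the list thread.
# Audit IPA DNS zones for dynamic updates and print the per-zone commands
# that turn them off. Works on `ipa dnszone-find --all --raw` output, where
# attribute names are stable (no localized labels) and entries are separated
# by blank lines.

# Constructed sample of `ipa dnszone-find --all --raw` output (two zones).
SAMPLE_ZONES='----------------------
2 DNS zones matched
----------------------
  idnsname: example.test.
  idnszoneactive: TRUE
  idnsallowdynupdate: TRUE
  idnsupdatepolicy: grant EXAMPLE.TEST krb5-self * A; grant EXAMPLE.TEST krb5-self * AAAA; grant EXAMPLE.TEST krb5-self * SSHFP;

  idnsname: 10.in-addr.arpa.
  idnszoneactive: TRUE
  idnsallowdynupdate: FALSE
----------------------------
Number of entries returned 2
----------------------------'

# Print the name of every zone whose idnsallowdynupdate is TRUE.
# Reads the raw dnszone-find text on stdin. A zone with the attribute
# absent is treated as not allowing updates (IPA's default is FALSE).
zones_allowing_dynupdate() {
    awk '
        /^[[:space:]]*idnsname:/           { zone = $2 }
        /^[[:space:]]*idnsallowdynupdate:/ { allow = toupper($2) }
        /^[[:space:]]*$/ || /^-+$/         { flush() }
        END                                { flush() }
        function flush() {
            if (zone != "" && allow == "TRUE") print zone
            zone = ""; allow = ""
        }
    '
}

# Emit one `ipa dnszone-mod` per offending zone. Nothing is changed until
# the output is piped into a shell, so this doubles as a dry run.
dynupdate_disable_cmds() {
    zones_allowing_dynupdate | while IFS= read -r zone; do
        printf 'ipa dnszone-mod %s --dynamic-update=FALSE\n' "$zone"
    done
}

# Stand-alone run on the constructed sample. Against a live server:
#   ipa dnszone-find --all --raw | dynupdate_disable_cmds
printf '%s\n' "$SAMPLE_ZONES" | dynupdate_disable_cmds
```

The raw attribute form is used on purpose: the human-readable `ipa dnszone-find` labels ("Dynamic update", "Zone name") are translated and can change between releases, while idnsallowdynupdate and idnsname are the LDAP attribute names the zone is actually stored under.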