On Wed, 25 Jul 2018, Kat via FreeIPA-users wrote:
> John
> That makes no sense - when I add DNS records, I can check the box for
> including PTR record and it updates. What is the point of having PTR
> Sync if PTR sync never happens? From reading man page on nsupdate, I
> am not even sure how that is going to work with IPA? Does not seem to
> make much sense. Why integrate a DNS server in a product if you have
> to run outside commands to keep them in sync?
> Call me confused
By defining it in the web UI or the IPA CLI, you are giving permission to
synchronize the records to bind-dyndb-ldap. This permission is taken
into account by the bind-dyndb-ldap driver, which is loaded into the BIND
instance that serves the zones. When a client (nsupdate) comes to update a
record, the bind-dyndb-ldap driver will use this permission to automatically
update the PTR record.
See https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html for
details on how this works.
The commands like nsupdate are run by clients when they register
updates. In IPA context this is performed automatically by SSSD which
runs nsupdate using host credentials (host/$client-fqdn Kerberos
principal) when it notices an IP address change.
The 'dyndns_update' option in sssd.conf (see the sssd-ipa manual page) is used
to control whether SSSD performs this operation or not. If you install an
IPA client with ipa-client-install, then --enable-dns-updates is the
option that configures SSSD to do it.
Hopefully, this is less confusing.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
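The update path described in the reply above, written out by hand so the pieces are visible: authenticate as the host principal from the host keytab, feed nsupdate a forward-record update over GSS-TSIG, and leave the PTR record to bind-dyndb-ldap's server-side sync. This is an added example, not code from the thread or from SSSD; the server name ipa.example.test, zone example.test, host client1.example.test, address 192.0.2.10 and the 1200 s TTL are constructed values, and the kinit call is an assumption about how to obtain the host credential outside SSSD (SSSD already holds that ticket itself).

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): the nsupdate exchange SSSD
# performs on the client's behalf when it notices an address change.
# Constructed values: IPA server ipa.example.test, zone example.test,
# client client1.example.test with address 192.0.2.10.

# Map an IPv4 address to its in-addr.arpa owner name, i.e. the name the
# server-side PTR record will be keyed on once bind-dyndb-ldap syncs it.
reverse_name() {
    # $1 = dotted-quad IPv4 address
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo "$4.$3.$2.$1.in-addr.arpa."
}

# The PTR record a defender should expect to see after the sync, for a
# post-update check such as: dig +short -x 192.0.2.10
expected_ptr_record() {
    # $1 = host FQDN, $2 = IPv4 address
    echo "$(reverse_name "$2") PTR $1."
}

# Build the batch of commands fed to nsupdate: drop any stale A record for the
# host and add the current one. Only the forward record is sent; with PTR sync
# enabled on the zone, the bind-dyndb-ldap driver derives the PTR itself.
build_nsupdate_batch() {
    # $1 = DNS server, $2 = zone, $3 = host FQDN, $4 = IPv4 address, $5 = TTL
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$5" "$4"
}

# Run the update as the host: obtain the host/$fqdn ticket from the keytab
# (assumption: MIT kinit, default keytab path) and use GSS-TSIG (nsupdate -g)
# so BIND can authorize the update against the host principal.
run_update() {
    # $1 = DNS server, $2 = zone, $3 = current IPv4 address
    fqdn=$(hostname -f)
    kinit -k -t /etc/krb5.keytab "host/$fqdn" || return 1
    build_nsupdate_batch "$1" "$2" "$fqdn" "$3" 1200 | nsupdate -g
}
```

The forward update is the only thing the client authenticates and sends; the PTR record appears because the zone's PTR-sync permission lets the driver write it, which is why toggling that permission in the UI has no visible effect until some client actually sends a dynamic update.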