Hello Angus,

Besides what Peter has written, let's get this warning from FreeIPA site [1]:

> **Avoid name collisions**
> We strongly recommend that you do not use a domain name that is not
> delegated to you, even on a private network. For example, you should
> not use domain name company.int if you don't have valid delegation for
> it in public DNS tree.

As you can see, it is similar to what was on the Red Hat documentation you
mentioned before.

This first part of the warning says that you should not configure your domain
name with some "random" name if you don't own the domain. For example,
you should not use "cisco.com", "google.com" or "redhat.com", even if your
network is a private one. Note that, if it is a private network, you "could" do it,
but you shouldn't do it.

Why? The answer is on the warning itself:

> If this rule is not respected, the domain name will be resolved differently
> depending on the network configuration. As a result, network resources
> will become unavailable.
> Using domain names that are not delegated to
> you also makes DNSSEC more difficult to deploy and maintain. For
> further information about this issue please see the ICANN FAQ on
> domain name collisions.

Imagine you try to access google search and your private network uses
'google.com' as the domain. You would probably be redirected to an internal
server, instead of  Google's search engine. (I'll not even get into DNSSEC
issues.)

So, you find everywhere about "a domain that is delegated to you", well,
that domain is any domain you have registered (e.g.: angusclark.com).

Even as your domain have nameserver which is probably not under your
control (and controlled by whom you registered your domain), you have
control over your domain, and as such, you can create subdomains on
your private network that will not collide with any other domain (say,
ipa.angusclark.com).

If you manage this domain from your internal FreeIPA servers, there
will be no name collision.

I have a (few) registered domain(s), which I use both as a public
facing server (static, github pages), and within my private network,
which no one from outside can see, I have a subdomain (ipa) which
I use for managing my users and hosts.

Regards,

Rafael

[1]: https://www.freeipa.org/page/Deployment_Recommendations


On Mon, Dec 27, 2021 at 6:08 PM Peter Larsen <peter@peterlarsen.org> wrote:
On 12/27/21 15:27, Angus Clarke wrote:

> Ok let's try this:
>
> I've just registered angusclarke.com with a public DNS provider and am
> ready to deploy FreeIPA for my corporate network which uses a private
> IP space. How do I do this?

This is where things get odd for me. Why are you registering a TLD for a
private DNS server?  That makes no sense.  Public domain servers require
public access by definition. Otherwise they don't work.

> According to this
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names#sec-Recommended_Naming_Practices
>
> then I should have a domain delegated to me, but I am not a public DNS
> provider,

Which means you shouldn't register a domain. Just add the domain to
freeIPA and have your clients use your FreeIPA dns server(s). Done. All
free!

> I'm just Angus Clarke ... Nor do I want my private IP space available
> to be looked up in a public DNS record

You don't.  You cannot blow and have flour in your mouth at the same
time.  When you register a domain you MUST provide public NS servers
which are authoritative for that domain which anyone querying your
domain will be forwarded to. By definition they HAVE to be public. You
can absolutely expose your FreeIPA name servers to the public, but it's
a whole other issue if you want to, as the configuration and security
gets a bit convoluted - but it can be done.

> ... And I'd rather have my private IP records handled by my internal
> DNS system - all of this is standard practise for companies and
> individuals however I dont think this topic is suitably addressed in
> the redhat documentation - I see a disconnect in the recommendation
> pasted above vs the installation documentation for FreeIPA.

For internal ONLY domains there is absolutely NO NEED to register a
domain with a public DNS service. You can even pretend to be "cisco.com"
or other addresses and your clients will happily use your DNS server
(well, if DNSSEC is on it may not be that simple) instead of Cisco's. 
Public domains are for public access only. Your own network is your own
domain (sic) and you can do what you want, without having to register
anything.
>
> Maybe I've missed it, maybe I can promote the topic here and it can be
> championed in the right direction, maybe I can even help on the topic
> myself.

You're making it a lot harder. Just install FreeIPA, configure DNS and
add your domain.  Set your DHCP server to use your FreeIPA server's IP
the DNS server address for the clients, renew the DHCP leases and voila,
they're using that domain you just defined, internally only resolving to
internal addresses etc.

--
Regards
   Peter Larsen



--
Rafael Guterres Jeffman
Senior Software Engineer 
FreeIPA - Red Hat