Super helpful, thank you Sam!

On Thu, 11 Jul 2024, 18:01 Sam Morris via FreeIPA-users, <freeipa-users@lists.fedorahosted.org> wrote:
On 11/07/2024 14:36, David Harvey via FreeIPA-users wrote:
> Dear list,
>
> I'm thinking of making our border devices our primary port of call for
> DNS, and setting them to forward to FreeIPA. I found an inconclusive
> thread saying that this might break dyndns for my otherwise happy IPA
> clients.
> Does dyndns working rely upon clients having IPA servers setups as their
> DNS server? I couldn't see an sssd option of "send updates here (only
> use this NIC)".

There are two parts to the DNS update process.

SSSD first needs to decide if a DNS update is necessary. It does this by
querying the system's configured nameservers for the system's hostname,
and checking the A/AAAA RRs in the response. So as long as 'delv -i
$HOSTNAME' keeps working, this should be fine.

If, as a result of that query, SSSD decides an update is necessary, then
it will launch nsupdate(1) to perform the update. nsupdate tries to
determine the DNS zone's primary server by doing the equivalent of 'delv
-i -t SOA ipa.example.com'. It then sends DNS update commands to the
primary server directly.

Therefore, if you block the ability for your IPA clients to connect
directly to your IPA servers on either port 53/tcp or 53/udp then you'll
break dynamic DNS updates. But other than those DNS update commands, I
wouldn't expect to see DNS traffic headed directly to your IPA servers,
because most general purpose DNS lookups on your IPA clients will be
from NSS and/or DNS client libraries talking to the system's configured
resolvers.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
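The two-phase flow Sam describes (resolver check for the host's own A/AAAA, then an nsupdate batch aimed at the zone's SOA primary), reconstructed as an added example that is not SSSD's or FreeIPA's own code. The zone, hostnames, addresses and the delv output are constructed, and the batch is a simplified stand-in for what SSSD hands to nsupdate (real updates are also GSS-TSIG signed).

```python
"""Model of the dynamic DNS update decision and the resulting nsupdate batch.

Added illustration only; names, addresses and the SOA text are constructed.
"""
from typing import Iterable, Optional, Tuple

# Constructed text in the shape 'delv -i -t SOA ipa.example.com' prints.
SAMPLE_SOA_OUTPUT = """; fully validated
ipa.example.com.\t3600\tIN\tSOA\tipa1.ipa.example.com. hostmaster.ipa.example.com. 2024071101 3600 900 1209600 3600
"""


def parse_soa_mname(delv_output: str) -> str:
    """Return the SOA MNAME: the primary that nsupdate will talk to directly."""
    for line in delv_output.splitlines():
        fields = line.split()
        # owner ttl class type mname rname serial refresh retry expire minimum
        if len(fields) >= 5 and fields[3] == "SOA":
            return fields[4].rstrip(".")
    raise ValueError("no SOA record in delv output")


def update_needed(resolved: Iterable[str], local: Iterable[str]) -> bool:
    """Phase 1: compare the A/AAAA answer for $HOSTNAME (via the configured
    resolvers, forwarder included) with the addresses the client wants published."""
    return set(resolved) != set(local)


def nsupdate_batch(hostname: str, zone: str, primary: str,
                   addrs: Iterable[str], ttl: int = 1200) -> str:
    """Phase 2: the update commands. 'server' pins the destination nsupdate
    would otherwise discover itself from the SOA; this host must be reachable
    from the client on 53/tcp and 53/udp, which the forwarder does not relay."""
    lines = [f"server {primary}", f"zone {zone}",
             f"update delete {hostname}. A", f"update delete {hostname}. AAAA"]
    for addr in addrs:
        rtype = "AAAA" if ":" in addr else "A"
        lines.append(f"update add {hostname}. {ttl} {rtype} {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def plan_update(hostname: str, zone: str, soa_output: str, resolved: Iterable[str],
                local: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (primary, batch); batch is None when the zone is already current."""
    primary = parse_soa_mname(soa_output)
    if not update_needed(resolved, local):
        return primary, None
    return primary, nsupdate_batch(hostname, zone, primary, local)


if __name__ == "__main__":
    primary, batch = plan_update("client1.ipa.example.com", "ipa.example.com",
                                 SAMPLE_SOA_OUTPUT, ["10.0.0.5"], ["10.0.0.6"])
    print(f"update traffic goes straight to {primary}:53, not via the forwarder")
    print(batch or "no update needed")
```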

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue