On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
> On Wed, Apr 28, 2021 at 12:59:36PM +0300, Alexander Bokovoy via
> FreeIPA-users wrote:
> > On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
> > > We install a freeipa-server with a constant set of clients that
> > > never changes, and install the DNS server with ipa-server-install.
> > > Dynamic DNS updates are automatically enabled.
> > >
> > > I'm not sure what the best way is to get rid of the dynamic update
> > > capabilities completely. During installation ipa-dns-install has
> > > added a block about dynamic updates at the end of named.conf. Can
> > > we just remove this block to disable the feature? Is anything
> > > else required?
> >
> > Dynamic DNS updates are controlled by the properties of a DNS zone, not
> > in named.conf.
> >
> > $ ipa dnszone-mod --help|grep dynamic
> > --dynamic-update=BOOL
> > Allow dynamic updates.
>
> Okay, understood, but our customer _will_ complain about the
> dyndns block in named.conf, the socket it creates and about
> authentication with gssapi, so we _have_ to remove that if
> possible, or to "defuse" it.

I think you are mixing things up. Are you talking about this fragment:
    dyndb "ipa" "$BIND_LDAP_SO" {
        uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
        base "cn=dns,$SUFFIX";
        server_id "$FQDN";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/$FQDN";
    };

If so, this is *not* a dynamic DNS updates thing. This is a database
driver that provides access to DNS zones stored in IPA LDAP. If you
switched it off, your NAMED instance would have no DNS zones from IPA.
Zones aren't stored in NAMED; they are in IPA LDAP and looked up/updated
from IPA LDAP dynamically.

See https://bind9.readthedocs.io/en/latest/advanced.html#dynamic-database-dyndb
for more details.

You control the behavior of the driver through the DNS zone parameters
in IPA.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
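
The reply above makes the point that the dyndb block in named.conf only loads zones from IPA LDAP, and that dynamic updates are a per-zone IPA setting (`ipa dnszone-mod --dynamic-update=FALSE`). The script below is an added example, not from the thread or the FreeIPA project: it audits the output of `ipa dnszone-find` for zones that still allow dynamic updates and disables the flag on the zones you name explicitly, leaving named.conf untouched. It assumes the `ipa` CLI is installed with a valid Kerberos ticket when run live; the zone names and the sample `ipa dnszone-find` output are constructed so the audit part runs offline.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread or project): audit which
# IPA-managed DNS zones still allow dynamic updates, and switch the flag
# off per zone through IPA rather than by editing named.conf.
# Assumes the `ipa` CLI and a Kerberos ticket for a live run; the zone
# names and the sample find output below are constructed.

# Read `ipa dnszone-find` output on stdin and print one zone per line
# whose "Dynamic update" attribute is TRUE (trailing dot stripped).
zones_with_dynamic_update() {
    awk '
        /^ *Zone name:/           { zone = $3; sub(/\.$/, "", zone) }
        /^ *Dynamic update: TRUE/ { print zone }
    '
}

# Disable dynamic updates on one zone, then verify by re-reading the zone.
# This is the zone-level control from the reply; the dyndb block that
# loads zones from IPA LDAP stays as it is.
disable_dynamic_update() {
    zone="$1"
    ipa dnszone-mod "$zone" --dynamic-update=FALSE >/dev/null || return 1
    ipa dnszone-show "$zone" | grep -q 'Dynamic update: FALSE'
}

# Constructed sample of `ipa dnszone-find` output: two forward zones still
# allow dynamic updates, the reverse zone does not.
SAMPLE_FIND_OUTPUT='----------------
3 DNS zones matched
----------------
  Zone name: example.test.
  Active zone: TRUE
  BIND update policy: grant EXAMPLE.TEST krb5-self * A; grant EXAMPLE.TEST krb5-self * AAAA;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: 2.0.192.in-addr.arpa.
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

  Zone name: lab.example.test.
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------'

# Usage: audit.sh            -> list zones with dynamic updates enabled
#        audit.sh disable Z  -> disable dynamic updates on zone(s) Z
case "${1:-audit}" in
    audit)
        if command -v ipa >/dev/null 2>&1; then
            ipa dnszone-find --all | zones_with_dynamic_update
        else
            printf '%s\n' "$SAMPLE_FIND_OUTPUT" | zones_with_dynamic_update
        fi
        ;;
    disable)
        shift
        for z in "$@"; do
            disable_dynamic_update "$z" && echo "dynamic updates disabled: $z"
        done
        ;;
esac
```

Run with no arguments to list the zones that still accept dynamic updates (on a host without the `ipa` CLI it lists the two constructed forward zones); run `disable <zone>` only for zones you have decided on, since the change affects every client that relies on updating its own records.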