Thanks for your replies; I think I need to focus on internal resolver configuration and less on public subdomain delegation.
Cheers
Angus
________________________________
From: Rafael Jeffman <rjeffman(a)redhat.com>
Sent: Monday, 27 December 2021, 11:11 pm
To: Peter Larsen
Cc: Angus Clarke; FreeIPA users list; Dave Mintz
Subject: Re: [Freeipa-users] Re: DNS and FreeIPA
Hello Angus,
Besides what Peter has written, let's get this warning from the FreeIPA site [1]:
**Avoid name collisions**
We strongly recommend that you do not use a domain name that is not delegated to you, even on a private network. For example, you should not use domain name company.int if you don't have valid delegation for it in public DNS tree.
As you can see, it is similar to what was on the Red Hat documentation you
mentioned before.
This first part of the warning says that you should not configure your domain name with some "random" name if you don't own the domain. For example, you should not use "cisco.com", "google.com" or "redhat.com", even if your network is a private one. Note that, if it is a private network, you "could" do it, but you shouldn't do it.
Why? The answer is on the warning itself:
If this rule is not respected, the domain name will be resolved differently depending on the network configuration. As a result, network resources will become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain. For further information about this issue please see the ICANN FAQ on domain name collisions.
Imagine you try to access google search and your private network uses 'google.com' as the domain. You would probably be redirected to an internal server, instead of Google's search engine. (I'll not even get into DNSSEC issues.)
So, you find everywhere about "a domain that is delegated to you"; well, that domain is any domain you have registered (e.g.: angusclark.com). Even if your domain has a nameserver which is probably not under your control (and controlled by whom you registered your domain with), you have control over your domain, and as such, you can create subdomains on your private network that will not collide with any other domain (say, ipa.angusclark.com). If you manage this domain from your internal FreeIPA servers, there will be no name collision.
I have a (few) registered domain(s), which I use both as a public
facing server (static, github pages), and within my private network,
which no one from outside can see, I have a subdomain (ipa) which
I use for managing my users and hosts.
Regards,
Rafael
[1]: https://www.freeipa.org/page/Deployment_Recommendations
On Mon, Dec 27, 2021 at 6:08 PM Peter Larsen <peter@peterlarsen.org> wrote:
On 12/27/21 15:27, Angus Clarke wrote:
Ok let's try this:
I've just registered angusclarke.com with a public DNS provider and am ready to deploy FreeIPA for my corporate network which uses a private IP space. How do I do this?
This is where things get odd for me. Why are you registering a TLD for a
private DNS server? That makes no sense. Public domain servers require
public access by definition. Otherwise they don't work.
According to this
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
then I should have a domain delegated to me, but I am not a public DNS provider,
Which means you shouldn't register a domain. Just add the domain to
freeIPA and have your clients use your FreeIPA dns server(s). Done. All
free!
I'm just Angus Clarke ... Nor do I want my private IP space available to be looked up in a public DNS record
You don't. You cannot blow and have flour in your mouth at the same
time. When you register a domain you MUST provide public NS servers
which are authoritative for that domain which anyone querying your
domain will be forwarded to. By definition they HAVE to be public. You
can absolutely expose your FreeIPA name servers to the public, but it's
a whole other issue if you want to, as the configuration and security
gets a bit convoluted - but it can be done.
... And I'd rather have my private IP records handled by my internal DNS system - all of this is standard practice for companies and individuals, however I don't think this topic is suitably addressed in the Red Hat documentation - I see a disconnect in the recommendation pasted above vs the installation documentation for FreeIPA.
For internal ONLY domains there is absolutely NO NEED to register a domain with a public DNS service. You can even pretend to be "cisco.com" or other addresses and your clients will happily use your DNS server (well, if DNSSEC is on it may not be that simple) instead of Cisco's. Public domains are for public access only. Your own network is your own domain (sic) and you can do what you want, without having to register anything.
Maybe I've missed it, maybe I can promote the topic here and it can be
championed in the right direction, maybe I can even help on the topic
myself.
You're making it a lot harder. Just install FreeIPA, configure DNS and add your domain. Set your DHCP server to use your FreeIPA server's IP as the DNS server address for the clients, renew the DHCP leases and voila, they're using that domain you just defined, internally only resolving to internal addresses etc.
--
Regards
Peter Larsen
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
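The collision rule Rafael quotes (use a subdomain of a domain delegated to you, never a public name you do not own, such as the cisco.com example in Peter's reply) can be turned into a pre-install check on the zone name you intend to give FreeIPA. The script below is an added example, not code from the thread or from FreeIPA; the list of delegated domains and the candidate zones are constructed inputs, and the special-use names come from RFC 6761, RFC 6762 and RFC 8375.

```python
from __future__ import annotations

# Names the IETF reserves for local/testing use (RFC 6761, RFC 6762, RFC 8375).
# They are never delegated in the public tree, so no public owner can collide,
# although some (e.g. .local, used by mDNS) have their own operational issues.
SPECIAL_USE = {
    "test", "example", "invalid", "localhost", "local", "home.arpa",
    "example.com", "example.net", "example.org",
}


def labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lbl for lbl in name.strip().lower().rstrip(".").split(".") if lbl]


def is_subdomain_of(name: str, parent: str) -> bool:
    """Label-wise containment: 'ipa.angusclarke.com' is under 'angusclarke.com',
    but 'notangusclarke.com' is not (a plain string suffix test gets that wrong)."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p


def classify(zone: str, delegated: list[str]) -> str:
    """Classify an internal zone name against the domains delegated to you.

    'delegated'      - the zone is one of your registered domains or below it
    'special-use'    - reserved by the IETF; no public owner to collide with
    'collision-risk' - a name someone else owns (or may be delegated later),
                       so it resolves differently inside and outside the network
    """
    if any(is_subdomain_of(zone, d) for d in delegated):
        return "delegated"
    if any(is_subdomain_of(zone, s) for s in SPECIAL_USE):
        return "special-use"
    return "collision-risk"


def check_zones(zones: list[str], delegated: list[str]) -> dict[str, str]:
    """Report the classification of every candidate zone."""
    return {z: classify(z, delegated) for z in zones}


if __name__ == "__main__":
    # Constructed inputs: the domain Angus registered, and zones from the thread.
    mine = ["angusclarke.com"]
    candidates = ["ipa.angusclarke.com", "cisco.com", "company.int",
                  "corp.local", "notangusclarke.com"]
    for zone, verdict in check_zones(candidates, mine).items():
        print(f"{zone:22} {verdict}")
```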