Thanks for sharing, Harry. I really appreciate you and everyone else taking the time to consider my situation.

Regards
Angus

From: Harry G. Coin via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Tuesday, December 28, 2021 12:17:16 AM
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: Harry G. Coin <hgcoin@gmail.com>
Subject: [Freeipa-users] Re: DNS and FreeIPA
 
Angus,

There are two 'happy medium' approaches you can try with FreeIPA to
resolve the private/public issues you mention.

If you have just one or two addresses you want the public to see, get
one or two 'static IPs' from your ISP, set them in your registrar's
setup for your name, do the routing at your ISP interface and provide
the public services you prefer. Then in FreeIPA duplicate the domain,
duplicate the one or two IPs the public can see, then set your in-house
shop to use FreeIPA for resolution. It's not 'pretty', but it is
'pretty easy', and for one or two addresses the public can see it's really not
so bad. And in your use case DNSSEC for your domain appears to add
little of value.

The other approach for a 'happy medium' that is not the dreaded
split-view DNS is to have the ISP point to your static public IPs and
FreeIPA's DNS to resolve, but with none of your private addresses in the
public domain. Then create in the public domain a subdomain
'private.mydomain.com' or 'p.mydomain.com', but have the A record for
that point to a __private, non-routable__ local IP address -- one on
which your FreeIPA also listens.

Set that subdomain up in FreeIPA to not answer any but local IP queries.

So: one authoritative DNS server, for which DNSSEC will work (it's
buggy, but for one domain you probably won't hit it), no split-view DNS,
boxes checked. Harder, and you have to deal with
'myhost.p.mydomain' instead of 'myhost.mydomain', but it checks the boxes.

HTH

Harry Coin
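A small audit of the second layout Harry describes, added here as an example and not code from the thread or from FreeIPA: the public zone must carry only routable addresses, and the 'p.mydomain.com' subdomain only private (RFC 1918) ones. Zone names, the record format and the sample records are all constructed assumptions; the 198.51.100.0/24 documentation range stands in for ISP-assigned static IPs.

```python
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 blocks: the "private, non-routable" addresses that must never
# appear in the public zone (assumption: this is what the mail means).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, not from the thread. 'oops' and 'leak' are
# the two mistakes the audit is meant to catch.
SAMPLE_RECORDS = """
mydomain.com.         A  198.51.100.10
www.mydomain.com.     A  198.51.100.10
oops.mydomain.com.    A  192.168.1.30
p.mydomain.com.       A  10.0.0.5
ipa.p.mydomain.com.   A  10.0.0.5
nas.p.mydomain.com.   A  192.168.1.20
leak.p.mydomain.com.  A  198.51.100.99
"""

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'name TYPE value' lines; a deliberately minimal zone format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0].rstrip(".").lower(), parts[1].upper(), parts[2]))
    return records

def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def audit(records, public_zone: str, private_zone: str) -> Dict[str, List[str]]:
    """Report A records that break the public/private split."""
    findings = {"private_ip_in_public_zone": [], "public_ip_in_private_zone": []}
    for name, rtype, value in records:
        if rtype != "A":
            continue
        if in_zone(name, private_zone):
            # The private subdomain must only carry non-routable addresses.
            if not is_rfc1918(value):
                findings["public_ip_in_private_zone"].append(name)
        elif in_zone(name, public_zone) and is_rfc1918(value):
            # Anything else under the public zone must be routable.
            findings["private_ip_in_public_zone"].append(name)
    return findings

def audit_sample() -> Dict[str, List[str]]:
    return audit(parse_records(SAMPLE_RECORDS), "mydomain.com", "p.mydomain.com")
```

Run `audit_sample()` against an export of your own records to confirm no private address is published outside the restricted subdomain.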



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure